The appeal of pentesting

As of late, I've seen quite a few threads about folks who "want to get into security" and the area in question generally turns out to be penetration testing. While I'm not a pentester myself, I can see some of the allure in doing that kind of work. It's very cutting edge, you're given authorization to actually use tools that might otherwise be forbidden in a normal operations environment, and perhaps there's a certain thrill-of-the-hunt when trying to find a way in.

However, I get the impression that some don't realize that in order to attack networks effectively, a strong foundation in the design and implementation of said networks and systems are paramount in order to frame the reporting in proper context. If I receive a report from an external auditor and it's just a bullet point list describing what Nessus found, let's just say I wouldn't be too happy. I'd expect something that shows the what, where, how, and why it's a concern for me in relation to my company's business (compliance, current threats elsewhere against corporate entities with similar business models, etc.).

Personally, while I love learning about the offsec, I see my professional role on the defense side (which I guess you could also call the "losing side" or "the team with the harder job"). Being able to do investigative work, digging deep into packet structure and correlating events, etc., helps me learn more about the technology world we swim in and broaden my appreciation / sense of grasp of the subject matter and add value. Not that I'm good at it, mind you, but that's part of the motivation for what guides me on where I'm currently at.

So my question to those who are interested in getting into pentesting / are already doing that line of work - what's the underlying appeal and source motivation in pursuing this area? Is it the uniqueness of being on the offensive side of things? The creative freedom / opportunities to improvise and devise new solutions? The idea of being a "good-guy with blackhat skillz?" Playing with tools that normal IT network / systems admins generally won't get to touch?

Find more posts tagged with

Comments

Bl8ckr0uter

I would like to be a security analyst and would like to have pen testing skills so I guess I can sort of respond.

For me I think that for most people, they look at various movies or hear about network breaches and think "Man that is f'n sexy and cool." I think that it is sort of like how everyone wants to be a quarterback or point guard but most people don't see the worth of a good center (or defensive skills period) or a lineman. People get caught up in the idea of breaking into networks and forget about all of the reports and clerical work included with that job. I also think certs like the CEH don't help with their "make you a l33t hacker" mantra.

I know that being a pentester is about bring value to the company or target and ultimately it is about protecting the organization through an infosec branded tough love. By showing them that x exploit isn't just applicable in theory, it is applicable in practice or showing them just how exposed their network is, it ultimately brings about change that helps move the business forward. I think most of these wannabe pentesters just want to hack and feel 1337

nicklauscombs

Bl8ckr0uter wrote: »

People get caught up in the idea of breaking into networks and forget about all of the reports and clerical work included with that job.

bingo, i think this hits the nail on the head here.

NightShade03

I agree with a lot of what has been said. I think that 50% of the people that really want to be pen testers are those that saw someone in a movie hack something and thought that was awesome and wanted to do that for a living. They don't realize the hard work, vast skill set, and massive amounts of time you have to commit to learning about networks and infrastructure.

I think that the other 50% don't really fully understand what "pen testing" is. There is a lot of cool tools and leading edge stuff that you can use but if you can't write an effective report, analyze your findings, or present things on a non-technical level then you aren't going to do well.

Hacking appeals to many and I think the ones that truly are able to write, communicate, and are technically savvy aren't going to identify themselves as "hackers", but would probably make the best pen testers. There is also a significant amount of travel involved if you are a pen tester for a auditing firm or consultant which can be really taxing on people.

Seriously though...read some of the killer things that people like H D Moore do or accomplish and how could you not want to get involved with pen testing?!

YuckTheFankees

I'm just getting started in the field of IT but with the goal of ending up in pentesting..and I would say yes the job looks sexy as hell but I feel its going to have a good job outlook. Every other week there is some big name company getting hacked or something like that going on and I also think a lot more cyber-terrorism will occur. So yes its appealing to me because it cools but I would say the job outlook to me is a bigger deal.

JDMurray

As I said in my review, this book has a pretty good detailed layout of what all a pen tester needs to know and do: Review: BackTrack 4: Assuring Security by Penetration Testing | TechExams.net Blogs

And for the most part, pen testing is a lot like software quality assurance testing: boring, tedious, and lots and lots of planning and paperwork. I wouldn't mind pen testing as just one of the things that I did for a job, but I wouldn't want it to be the only thing.

ipchain

While my professional role is on the defensive side of the house, I do see why certain people might find pentesting very appealing.

I agree that a good pentester must have a strong foundation in the design and implementation of networks, and he/she must also be able to think outside of the box. A job as a pentestrer involves breaking stuff in ways that system administrators and designers had not thought of.

As some of you may already know, I am taking GPEN as my last SANS course this year. While I have not made any real progress so far, I really like what the course is about. In a nutshell, the course is for (3) types of audience:

- Professional penetration testers who perform pentesting against their own organization.
- Professional penetration testers who work for pentesting companies.
- People who procure pentesting.

With that said, I believe the course provides a very solid foundation into penetrating testing. You must have a solid understanding of TCP/IP, Windows and Unix prior taking it, so it is not for the fainthearted.

I will provide additional insight as I really get into it, but we shall see when that happens as I have been extremely busy with school and work. My daughter just turned (1) a little over a month ago, so she is now demanding a lot more attention from me.

Back to the original topic - pentesting is NOT for everyone. You must have a certain mindset to be able to explore and try different things no one ever thought could work. I have also seen people's desire to get into 'pentesting' without having a solid foundation on networking and general security concepts. Folks, I hate to break it to you but you simply cannot get into 'pentesting' this way. Do you know the difference between a script-kiddie and a professional pentester? Knowledge...

While I have no intention of getting into 'pentesting' in the near future, I believe having the skills and the mindset that is required for 'pentesting' will greatly enhance my defense-in-depth skills. Since I am preparing for a GSE attempt next year, GPEN will compliment GCIA and GCFW from an offensive point of view. I have looked into OSCP as well, but I don't see myself taking the course anytime soon as I have a lot on my plate for at least the next two years. I do find it very appealing to know you're given 24 hours to break into a lot of stuff. It actually reminds me of NetWars, but I guess SANS is now charging for it as well.

Just my two cents.

afcyung

I think there is a romance about hacking that appeals to people. Its like being a rebel but its legal.

Turgon

docrice wrote: »

As of late, I've seen quite a few threads about folks who "want to get into security" and the area in question generally turns out to be penetration testing. While I'm not a pentester myself, I can see some of the allure in doing that kind of work. It's very cutting edge, you're given authorization to actually use tools that might otherwise be forbidden in a normal operations environment, and perhaps there's a certain thrill-of-the-hunt when trying to find a way in.

However, I get the impression that some don't realize that in order to attack networks effectively, a strong foundation in the design and implementation of said networks and systems are paramount in order to frame the reporting in proper context. If I receive a report from an external auditor and it's just a bullet point list describing what Nessus found, let's just say I wouldn't be too happy. I'd expect something that shows the what, where, how, and why it's a concern for me in relation to my company's business (compliance, current threats elsewhere against corporate entities with similar business models, etc.).

Personally, while I love learning about the offsec, I see my professional role on the defense side (which I guess you could also call the "losing side" or "the team with the harder job"). Being able to do investigative work, digging deep into packet structure and correlating events, etc., helps me learn more about the technology world we swim in and broaden my appreciation / sense of grasp of the subject matter and add value. Not that I'm good at it, mind you, but that's part of the motivation for what guides me on where I'm currently at.

So my question to those who are interested in getting into pentesting / are already doing that line of work - what's the underlying appeal and source motivation in pursuing this area? Is it the uniqueness of being on the offensive side of things? The creative freedom / opportunities to improvise and devise new solutions? The idea of being a "good-guy with blackhat skillz?" Playing with tools that normal IT network / systems admins generally won't get to touch?

Pentesting has it's allure but as a career option is overrated. A lot of semi skilled people run pentesting scripts without deep understanding of the protocols. It is simply one tool in the security genre although still an important one.

NightShade03

Turgon wrote: »

Pentesting has it's allure but as a career option is overrated. A lot of semi skilled people run pentesting scripts without deep understanding of the protocols. It is simply one tool in the security genre although still an important one.

I think this is a great point and when people realize this they tend to back out from being a pen tester or will not see good results in their career.

Early on in school I wanted to do something with security and I thought pen testing would be awesome...but the more I explored it and looked into it I realized it wasn't for me. I can't debug binaries or malware, or examine things at a deep layer in a packet sniffer...my mind just doesn't work that way.

On the flip side though I found that I am very good at web application security

I think it's just a matter of knowing your strengths and weaknesses.

ibcritn

Pen testing can be quite boring.

Dealing with exploits offensively doesn't have to be boring....some intelligence jobs that deal with exploits offensively to "bad guys" yea I think that's what people expect when they think pen testing.

I know I didn't realize how dry pen testing can be until I was exposed to it.

sexion8

docrice wrote: »

Personally, while I love learning about the offsec, I see my professional role on the defense side (which I guess you could also call the "losing side" or "the team with the harder job"). Being able to do investigative work, digging deep into packet structure and correlating events, etc., helps me learn more about the technology world we swim in and broaden my appreciation / sense of grasp of the subject matter and add value. Not that I'm good at it, mind you, but that's part of the motivation for what guides me on where I'm currently at.

So my question to those who are interested in getting into pentesting / are already doing that line of work - what's the underlying appeal and source motivation in pursuing this area? Is it the uniqueness of being on the offensive side of things? The creative freedom / opportunities to improvise and devise new solutions? The idea of being a "good-guy with blackhat skillz?" Playing with tools that normal IT network / systems admins generally won't get to touch?

Just curious to know how far you think you can "defend" without knowing how to "offend." There has never been a conflict or game decided solely on defense. Favorite tech/pentest quote: "Knowledge is power, and those who can subvert a system can also defend it - Bill Blunden"

In learning offensive tactics (compromising machines), it becomes easier to understand how to defend against them however, relying solely on defense does little. You will rarely get to understand more covert tactics used by the more experienced pentester or outright attacker. All you are learning or relying on is "word of mouth," what has been seen and documented. Too much can slip under the radar as you're relying on such a narrow focus.

Pentesting to me is sort of a video game if you will. My goal is to win the game. The game is to compromise data - not a machine. This can be achieved by many different means and tools are only a partial means to an end. For anyone whose known me or read any of my ramblings, I try not to overly rely on tools, in fact, I try to use available systems tools already on a machine. This keeps me under any HIDS radar, something that if relied on from the defensive perspective, will cost YOU (the person relying on defense) to lose the game. In using what is already available, I have a lesser risk of triggering any alarms or raising suspicions. What do YOU think you will see? Anomalies will be little. This approach I often take throughout my whole process of work. As little noise and detection as possible.

My motivation is to be conscise with my testing and keep it as stealth, accurate and deadly (for lack of better terms) as possible. I enjoy being able to play my game using my own rules and trying to outsmart better opponents and technologies. Now, note I said "data" not a machine. Data is the key factor here after all, data is where the money is. A machine is a machine is a machine. You never hear someone say: "I'm going to break into a bank" for the sake of getting into the bank. The goal there is to get the money, the goal in my case is data. This approach differs from most pentesters I have come across in fact, there is only ONE pentester in recent mind that I have seen with a similar objective (NEOHAPSIS - Peace of Mind Through Integrity and Insight)

"I got root!" ... So what? I don't necessarily need administrative access to get your data. This is where I see many fail from the offensive side. I also see people on the defensive side fail because you're almost always going to rely on what is known. I custom prep precision attacks as to avoid wasting time. I don't fire off random tools at random servers, that is too noisy. I definitely prefer custom made tactics to fool those relying on some interpretation of "defense" (not a personal attack against anyone who prefers defense to offense, just a bit of reality).

Understanding offensive security helps across all realms, forensics, incident response, defending (for those thinking of GCED style course). Without that understanding, my opinion is, you're cheating yourself.

docrice

sexion8 wrote: »

Just curious to know how far you think you can "defend" without knowing how to "offend." There has never been a conflict or game decided solely on defense.

I think you might be misunderstanding what I'm looking for. I'm definitely in favor of learning the offensive side, but not necessarily doing that exclusively for a living. My question was more for people who want to get into pentesting and seem to have the impression that's what infosec is about. In many threads that I've read, it sounds like they just want to hack, which is fine, but also seem to not realize that there's a whole lot more involved than what appears at face value.

I'm with you on the rest of what you said.

NightShade03

There is a Defcon talk being given about this very topic:

DEF CON® 19 Hacking Conference - Speakers

JDMurray

I'd love to see the same talk for computer forensics examiners.

RabRay

[FONT=&quot]There is an element of fun along the way, there is also a massive realisation that you still have so much you could strive to learn. But this is so, for anyone who actually takes certification paths and their IT jobs seriously, more than just a door opener for HR departments.[/FONT]

[FONT=&quot]From the point of view of the paperwork and follow ups. I think that it really is vital the information is made meaningful to those contracting anyone’s services. I also think its essential from the point of view of just improving everyone’s experiences on the Internet. [/FONT]

[FONT=&quot]You eventually get sick of constant drive by malware attempts from sites that really should be plugged. And think well if I can convince some web developers to start considering more than just how to put the sites together on the basis of functionality and graphic design im doing something positive. Do a few demos and so on just to say "hey wake up!, in a lot of cases your just letting them in, do some security tests and research!"[/FONT]

[FONT=&quot]I dare say their are people who want in to try out the "glamour" but if they don’t have the patience for the study and trial and error type situations just to gain basic skills, I don’t imagine they will be too keen as a job or enjoy the curve to advance.[/FONT]

[FONT=&quot]But you know, you do have to stick your toe in the water to see if you like the temperature.[/FONT]

[FONT=&quot]I have no doubt the industry needs good offensive and defensive security professionals and more knowledgeable users if security is to improve. [/FONT]

L0gicB0mb508

phoeneous wrote: »

How many pentest job openings do you know of? You're better off on the defensive side. In my opinion, firewalls and web application security is a safe bet.

There are lots of pentesting roles out there, but they usually have some weird title associated with them. It is however definitely easier to get into a defensive role.

I did pentesting/auditing for a large government entity. As has been stated most people get caught up in the whole breaking into networks thing. I spent much more time writing the test plans and test reports than I ever did breaking into anything. It's a very tedious and detail oriented job. You have to write very detailed notes, make sure everything you do is within the scope defined, and at the end produce something tangible for the customer to see. Being a team player is a must. While you might do some vulnerability assessments and audits on your own, when it comes to pentesting it's usually done as a team. I liked doing the work, and it was definitely interesting. If you can handle the paperwork, the job is very cool.