Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The First Few Months of Penetration Testing: What they don't teach you in School

I entered into school with the hope and dream of someday entering into the information security industry. I obtained a Bachelors of Science in Information Assurance with a focus on Network Security from Eastern Michigan University in December 2010. During my time there I walked into every class absorbing every bit of information I could, then I went home and set up my own environments to play with. My career goal was penetration testing. It didn't start that way, but listening to all the podcasts from industry leaders like Space Rogue, Chris Nickerson, and Paul Asadoorian helped inspire me to seriously examine this role as a career. With every Not A Con, HOPE, DEFCON, and BSides that I attended I became more certain that this was in fact the life for me. SoI went to my advisors and asked them how to get to point B and began a somewhat accurate path towards that end.

Knowledge I gained from classes is very important. Sometimes you might hear "Oh I'll never use this <insert archaic method from an older book> in the real world", but lo and behold someone decided that it was a fantastic idea to use that method in their production environment and the only reason I know what it is without having to research it is because some old guy in a polo decided to write about it. Not that it's wrong to use older methods; they were 'secure' and valid at one point in someone's career. What is a bad and insecure configuration now was either the only way to accomplish a certain goal or the best practice at the time. This is the evolution of technology; things change, and we have to change our methods with them.

If it weren't for my professors teaching me how NetBIOS worked, the difference between routing and routed protocols, active directory management, Linux configuration, or how to understand subnetting, I seriously doubt I'd be posting here right now. While there are a significant number of self-taught geniuses out there, I am not one of them. Everyone learns in his or her own way and when just starting out in this field of study, I wanted and needed guidance. Learning firewall and network configuration gives you insight as to why you can't connect to port 445 to another machine on a different subnet. Configuring AD properly tells you what decisions an administrator might have made that could let you do enumeration or privilege escalation. These are all critical skills and knowledge that a penetration tester has to have in order to get in while causing the least amount of harm along the way. Academia taught me these things.

The issue with academia is well known; most of the time it's the former professional or academic looking from the outside in on an industry making inferences on how to get in or drawing from experience on how they broke in. Most of the time these great minds lack current knowledge on what's needed to perform a job role. This is not to say that academia is useless for getting a job, but it is to say that professors are only one part of the equation in getting in. Community involvement is extremely important, and academia might be what teaches you how to speak that langue that the community uses. Schools can't and won't force you go to your local 2600/DCXXX meeting, drive out to DEFCON with a guy you just met, or hang out in IRC channels.

Academia teaches you all these skills, gives you the opportunities to meet people interested in the same things, and gives you a place to play with techie toys, so what doesn't it give you? Real world expectations, and yes that's somewhat obvious, but being able to understand what the differences between your test network when you're running ms08-067against your unpatched version of win2k3 and what a client is expecting from you on their network is a very difficult leap to make.

A few things I was told within the first week that I've found very valuable over the past few months are:

  • Don't run wild with exploit frameworks against a clients network as there are safe and unsafe exploits that could seriously damage infrastructure availability
  • Stay in touch with the client constantly, be available at all times and make sure you're receptive to their needs
  • Build a trusting relationship, you are on their  side and you want them to know that you feel their pain right along with them as though this network was your own, after all you've probably been there
  • Be methodical and check everything you possibly can in the amount of time you have
  • Set expectations with every client every time
  • Passion is an expectation, not an exception

A few things I've learned on my own since my start with Trustwave SpiderLabs:

  • Being in the office is the exception, and not the norm. We work at interesting times of the day and night, usually when users are active or database copies are going on
  • Tools are very fallible, just because it works with one environment doesn't mean it will work with a similar environment
  • Tools are about 25% of what's necessary to do your job, the other 75% is between knowing what to look for, knowing how to work with people, continually growing as a consultant, and being accurate

The creative thought process and passion are what's key to being successful. These are the foundations of the hacker spirit. A hacker is not a title one receives when one obtains a diploma; a hacker is born and drawn into this lifestyle no matter the path.

While you can build a process by doing things over and over and making mistakes, and then fixing those mistakes, are you thinking about what you're doing or what that tool you just launched against the clients AD server is doing? Always think about the impact, try to come up with a better way of doing things, and always be learning. I can learn how to config a router from my into to networking class, but researching different methods, thinking about the path the packets are taking, and determining a better method will always be what I should do. Academia teaches you how to do, not necessarily how to think. Academia cannot give you passion, you have to be able to summon that from within. You have to accept that there will be weeks where you can't go out with friends, or can't see your kids the way you'd like. You're going to fall flat on your face, you're going to be an intermittent hermit, you're going to learn to code, schmooze, and eat all while troubleshooting a clients network because your connection is getting dropped. Conferences are your vacation, manuals are your bedtime stories, and if their not, you're probably not a pentester.

With all that being said, always schedule time for yourself.

Feel free to contact me with feedback on this post.

This is by no means a primer on how to get hired at Trustwave SpiderLabs. To quote our Director:" You can teach a hacker how to be a consultant but you can't teach a consultant how to be a hacker."

Latest SpiderLabs Blogs

Why We Should Probably Stop Visually Verifying Checksums

Hello there! Thanks for stopping by. Let me get straight into it and start things off with what a checksum is to be inclusive of all audiences here, from Wikipedia [1]:

Read More

Agent Tesla's New Ride: The Rise of a Novel Loader

Malware loaders, critical for deploying malware, enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware. Utilizing advanced...

Read More

Evaluating Your Security Posture: Security Assessment Basics

This is Part 4 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More