What does a penetration tester do?

Penetration testers, or ethical hackers, are responsible for planning and performing authorized, simulated attacks against an organization’s information systems, networks, applications and infrastructure to identify vulnerabilities and weaknesses. Findings are documented in reports that advise clients on how to lower or mitigate risk. Penetration testers often specialize in one or more areas such as networks and infrastructure; Windows, Linux and Mac operating systems; embedded computer systems; web and mobile applications; supervisory control and data acquisition (SCADA) systems; cloud systems; and internet of things (IoT) devices.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 – Intro
  • 0:26 – What does a penetration tester do?
  • 1:10 – Levels of penetration testers
  • 1:50 – How to become a penetration tester
  • 3:08 – Education needed to be a pentester
  • 3:50 – Skills needed to pentest
  • 4:24 – Common tools of the pentester
  • 5:07 – Training with the tools
  • 5:42 – Job options for pentesters
  • 6:36 – Work duty expectations
  • 7:45 – Can you move to a different role?
  • 9:09 – What can I do to become a pentester?
  • 9:54 – Outro

Transcript

      [00:00:05] Chris Sienko: Welcome to the InfoSec Career Video Series. This set of short videos will provide a brief look inside cybersecurity careers and the experience needed to enter them. Today, I’ll be speaking with InfoSec’s skills author and principal security researcher, Keatron Evans, about the role of penetration tester. So let’s get into it. Welcome, Keatron.

      [00:00:25] Keatron Evans: Thanks, Chris. I appreciate it.

      [00:00:25] CS: Keatron, let’s start with the basics. What does a penetration tester do? What are the day-to-day tasks of a pen tester?

      [00:00:34] KE: Yeah. A penetration tester primarily checks the security of hardware, software, infrastructure, networking, procedures, policies and people. Pretty much everything that makes up how we deal with information and move that information from place to place. We’re testing the security of that. We do that by emulating threat actors, threat agents, malicious actors, or bad hackers, as most people know them, when we’re doing these engagements. We’re trying to break in, trying to get to things that we shouldn’t be able to get to. And then we write reports on how we got in. And in that report, we also give them recommendations on the things that they should fix.

      [00:01:10] CS: Are there levels of penetration testers as job roles? And if so, do these tasks change in these different roles?

      [00:01:17] KE: There are definitely levels. For example, as an entry level pen tester, you may be just running scans and things like that, handing those scan results over to a more senior pen tester to take those scans and quantitate those into things that are actually actionable things that we might be able to exploit. But as you progress, you will be doing some of the exploitation yourself. And eventually, as a more advanced pen tester, you might be writing exploits that we’ll be using in engagements going forward. There’s definitely different levels to it and you might be doing different things as you progress to different levels.

      [00:01:50] CS: How does one become a penetration tester? Is this an entry level position or do I need to get some other experience in computer first?

      [00:01:58] KE: Well, generally a practicing pen tester who goes out and conducts tests, solo or leads a team or is senior, they can do this in a lot of different ways. However, we do have entry level pen tester roles, like a junior pen tester, where that person might start with doing some of the basic things that we talked about, just running port scans, collecting information and handing it off to a senior. There are entry level roles; you don’t have to start off being a great pen tester. You can come in as an entry level person.

      Now, typically, you work your way into other roles as you start doing that. You could start off being a SOC analyst or something like that. Those are great feeder roles that feed into something like pen testing. I would say about half the people out here who do pen testing didn’t start off doing pen testing. Definitely start off in any role that more so fits what it is you’re looking for and what you have the most accessibility to. And then you can easily move into a pen testing role. If I were giving someone a recommendation, I would definitely say, start off doing basic scanning and things like that, and then work your way up eventually to other things.

      [00:03:08] CS: What type of education or experience is required? And are there any certifications that will help you break into the role?

      [00:03:16] KE: Yeah. For most pen test roles, the degree is not required. You see that becoming more and more the case. What certifications? I would say CEH, GPEN, CPT, OSCP, PenTest+ and some others are good certifications that can prepare you and help you to be a good pen tester. But also, there are supporting certifications like Security+ and CySA+ that are entry level certifications to cybersecurity, that touch on a lot of pen test concepts that get you prepared for that role.

      [00:03:49] CS: Okay. What skills does a penetration tester need to do their job, whether hard skills, like tech skills, or soft skills, like problem solving?

      [00:03:59] KE: Yeah. Definitely problem-solving skills are at the top of my list of things that they need, because we can teach you anything else. Ability to pay attention to detail, mastery of the required tools and things like that, that we use, and being able to keep up with technology is a really, really big one as well, because things change constantly. And in that vein, I would say, understanding cloud technologies and how cloud technologies work is an important one.

      [00:04:24] CS: Okay. Can you talk about some of the common tools that penetration testers use?

      [00:04:30] KE: Sure. I’ll just go through a few that we use in our engagements, every single engagement for example. [Inaudible 00:04:36] would be one, the Social-Engineer Toolkit, Metasploit, John the Ripper, DNSRecon, Dig, Whois, Responder, InSpy, which is a tool that we use to scrape information off of LinkedIn. Maltego, which is an intelligence gathering tool that goes out and makes all kinds of associations with different information. And then of course on the paid-for side, there are professional tools like Core and Pack Pro, and Metasploit Pro that we use in every engagement as well.

      [00:05:07] CS: Since a lot of these tools are open source, are these things that people will be able to sort of practice on their own so they can get a feel before they actually use them in job situations?

      [00:05:15] KE: Yeah, absolutely. They can go and download these tools and play with them and get comfortable with them. And most of them, we have in our Cyber Range environment, too, in the InfoSec Skills platform. But you know, you can go download, for example, Kali Linux. Kali Linux has a collection of all these tools already installed, with the exception of maybe two of them. If you go get a download of Kali Linux, it’s already got most of these tools built into it.

      [00:05:42] CS: That’s awesome. Where do penetration testers work? What are some job options that are available for a role for pen tester?

      [00:05:49] KE: Well, most organizations that have security requirements will engage a penetration tester at one point or another. Larger organizations will have pen testers on staff sometimes. Medium-sized and smaller organizations will usually engage pen testers on a contract basis per engagement. Now, this means as a pen tester, you can operate as a lone wolf contractor and seek work on your own. Or you could go out and work as a pen tester for a consulting firm like mine, or you could get a job as a full-time pen tester for a specific organization when it’s an organization big enough to have an internal pen tester. There’s lots of different options as far as jobs and where you land. We have our government and organizations that have their own internal pen test roles as well.

      [00:06:36] CS: Are there different expectations around work duties, depending on what type of work you do with pen testing?

      [00:06:42] KE: For sure, absolutely. Some of the pen testing that you’d be doing, let’s just say, for example, let’s take a government organization that has an internal pen tester that works in a classified environment. Well, nine times out of 10, you will be testing applications that don’t really exist anywhere outside that government organization. It wouldn’t be a matter of downloading stuff from the internet and scanning these things. You might have to create things from scratch. You have to be more cook booking and making things versus just using things that are already there if it’s a situation like that. So obviously, that would require a higher degree of skill and expertise in different areas to be able to do that. Whereas if you look at your run-of-the-mill pen test for most public-facing organizations, you’re primarily using tools and techniques that are out there in the general public.

      So yes, the expectations can change from organization to organization, even from engagement to engagement. Doing a black-box application security test requires more skill than your run-of-the-mill open network-based pen test, for example.

      [00:07:45] CS: If I decide that I don’t want to do penetration testing anymore, is it a role that you can move into other roles from very easily?

      [00:07:54] KE: Absolutely. As a matter of fact, I think pen testing is one of those worlds that prepares you for many other roles indirectly. To give you some anecdotal context here, I started my pen test career and, shortly after, launched my pen test firm. After about three years of doing exclusively pen testing for my customers, they naturally started to consult us on things like incident response. When they would have a data breach or an ongoing hack, they would ask me to come in and assist the incident response team based on our expertise in how these tools and techniques work. Well, that led to me eventually spinning up an entire other service offering in my organization, in my company, that does incident response. That incident response activity led to us getting these questions from our customers: Well, now that we’ve contained this incident, how do we proactively look for these threats, try to find these people in our environment before it gets as bad as it got this time? That eventually led to us opening up and spinning off a cyber threat hunting service as well. So yes, pen testing absolutely is a role that you can move into other roles from easily. The skills that you gain, and you master or you learn becoming a pen tester, are transferable to so many other roles in cybersecurity.

      [00:09:09] CS: Fantastic. So Keatron, one last question for our listeners who are ready to get started now. What’s something they can do right this moment, right after the video is done that will move them toward the goal of becoming a professional penetration tester?

      [00:09:19] KE: I think the most powerful thing and the most impactful thing you can do now is jump into a cyber range, or something like that, and start doing exercises and CTFs right away. As a matter of fact, I have some good courses on the InfoSec Skills platform that allow you to do exactly that. And you can jump right into our Cyber Range and start playing around. You can look at all the pen test career paths that you can go in and get the training for. Or you can jump into just the Cyber Range and start just messing around with the tools and techniques. Definitely, I would say, that would be one of the most advantageous things you could do right this second.

      [00:09:53] CS: Fantastic. Keatron Evans, thank you for your time and insights today.

      [00:09:58] KE: Thank you, Chris.

      [00:09:58] CS: And everyone watching, thank you for checking this out. If you’d like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s Career Video Series. We’ll talk to you soon.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.