What’s new in Ethical Hacking: Latest careers, skills and certifications
Put on your white hat and learn how to hack for the good guys! Ethical hackers use the same techniques used by cybercriminals to assess an organization’s vulnerabilities and help keep them safe. Join Keatron Evans, Infosec instructor and Managing Partner at KM Cyber Security, in this audio rebroadcast of a popular webinar. You'll learn about getting started in ethical hacking, in-demand ethical hacking skills, popular ethical hacking training and certifications, common ethical hacking jobs and career paths, and more.
Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small business. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Flex live boot camps and the Infosec Skills on-demand skill development platform.
[00:00] Chris Sienko: We recently hit yet another huge milestone here at the Cyber Work Podcast, 25,000 YouTube subscribers. Thanks to all of you who watch and listen each week, to those of you who watch the YouTube videos go live and chat with each other in the comments, and everyone who is helping us to grow this great community.
To give back, we’re now giving you 30 days of team training for teams of 10 or more. Your Infosec Skills account will help your entire team develop their skills and earn CPEs through hundreds of IT and security courses, cloud hosted cyber ranges, hands-on projects, skills assessments and certification practice exams. Plus, you can easily monitor, assign and track training progress with team admin and reporting features.
If you have 10 or more people who need skills training, head over to infosecinstitute.com/cyberwork or click the link in the description to take advantage of the special offer for Cyber Work listeners. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week. On that note, I’ve got someone I’d like you to meet. So let’s begin the episode.
[01:02] CS: Welcome to another episode of the Cyber Work with Infosec podcast, the weekly podcast in which we speak with a variety of industry thought leaders to discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, as well as offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Today’s podcast episode is the audio from a webinar we released on March 25 entitled: What’s New In Ethical Hacking? That’s right. We’re putting on our white hats and learning the ins and outs of hacking for the good guys. Techniques that white hat hackers use are the same as those used by cybercriminals, but instead of just finding and hacking an organization’s vulnerabilities, they report those vulnerabilities to the company that hires them so that they can be fixed.
Our guest today is Infosec instructor and managing partner of KM Cyber Security and one of our most requested guests, Keatron Evans. Keatron will be talking about these topics: getting started in ethical hacking, in-demand ethical hacking skills, best ethical hacking training and certifications, and popular ethical hacking jobs and career paths. Plus, we featured a live hacking demo and took questions from live viewers.
Now, let’s zip over to the webinar with Keatron Evans and moderator Camille Raymond entitled: What’s New in Ethical Hacking.
[02:17] Camille Raymond: Keatron has fortunately come back for another webinar with us. He’s done several with us before and always provides us great valuable insights and real contemporary thoughts on the world of cybersecurity. So, happy to have you with us, Keatron.
[02:33] Keatron Evans: Absolutely. Thanks. Glad to be back.
[02:36] CR: Very good. Wanted to talk a little bit about your background quickly. Keatron is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks From Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events, issues and other topics.
For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity as well as attack development. Keatron also provides world-class training for the top training organizations in the industry, and we’re fortunate to have him as an instructor for our Infosec Flex Live Boot Camps as well as an instructor on our Infosec Skills on-demand skill development platform. Really a valuable person to have with us, and we thank you for joining us, Keatron.
[03:44] KE: Yeah. Thanks. Glad to be back again.
[03:47] CR: Good. I guess let’s kind of start out and talk about, overall, what’s new in ethical hacking? How has this evolved? You’ve been in this industry for a long time. So, curious on your thoughts.
[04:01] KE: Yeah. Obviously, what’s happened, one of the things that we’ve seen happen over time is the whole concept of web applications, and web app security kind of continues to gain importance. What’s happened over the last five years or so is that’s become even more the case, and that’s mostly driven by the mass adoption of cloud technologies, where everybody’s migrating to cloud services. So now think about that, if you take all of the data and your applications and you move them into a cloud service provider, how do you access that data in those applications? It’s mostly through some type of web application. That’s put it even more to the forefront.
Another interesting thing that’s happened, and I did a presentation on this back in 2012 when people were really seriously starting to consider cloud, is that now the bad guys are using cloud services as an attack vehicle, and that’s kind of scary because they have unlimited resources that they’re able to utilize to do things that they weren’t necessarily able to do in the past. That’s some of the stuff that’s changed. We cover that stuff in the new content that we provide, and that’s kind of where I think we’ll see things going more, is cloud services and web apps. Those have kind of become more of the important things to try to lock down and try to pen test.
[05:26] CR: Sure. Now, overall, what does an ethical hacker actually do? I think that’s kind of where people outside of the industry or even within the industry are like, “Hey, you’re a hacker,” right? What do they actually do?
[05:41] KE: Yeah. Basically, the most important thing is when we do a penetration test or ethical hack, the first thing that happens is we generally go out and we assess what the customer needs. We exchange with them these questionnaires to kind of get an idea of the environment and what they’re looking to get out of a pen test. The most important thing is we sign a contract, a written contract that’s giving us permission to do what we’re doing and also explaining that the customer knows what’s going on. That’s probably the most important part of the pen test, because that keeps you legally out of trouble. Going out and doing that as a hobby is fine, but you still need to treat it as if it’s a professional engagement because you want to have written permission to be doing what it is you’re doing.
We start out that way and then we go into the organization or we go after their resources and we find where vulnerabilities exist in their resources. First is identifying where all their stuff is. If it’s an internal engagement or a gray box, we would just have to scan, like IP blocks or ranges of IP addresses, to see what’s there. Look for vulnerabilities on these things and then attempt to exploit those vulnerabilities. Whatever we’re able to exploit, we write a report on it. Explain how we got in. Give details of what we were able to do once we got in and then give recommendations and report on how to mitigate and fix those vulnerabilities. That’s generally in a nutshell what it is. That’s what the process looks like generally from a standpoint of doing ethical hacking.
[07:21] CR: Now, would you say that skills and concepts are the same to those that you’ve seen in the past or skills that you learned for ethical hacking several years ago? Do you still do those same skills?
[07:33] KE: Yeah, we do. I would say most of the skills are the same. As far as – Because at the end of the day, you’re primarily looking for things. You’re identifying what those things are. You’re finding vulnerabilities in those things and then you’re exploiting those. From that standpoint, the skillset to just be able to go through that path, that process, and know what tools to use when, that really hasn’t changed much at all.
Even if we’re testing cloud applications or web applications, we’re still using Nmap. We’re using Metasploit Pro and all the other tools that we use. As a matter of fact, most of the tool vendors in the cybersecurity space, they’ve migrated to cloud as well. So they have cloud versions of their software.
[08:21] CR: Okay. Very cool. Now, I guess one of the main questions, and probably why a lot of people are watching this webinar, is how do you build a successful ethical hacking career and is this something you can get into with little to no experience in that space?
[08:43] KE: Yeah, I think you can get into it with little to no experience, but you also have to have realistic expectations. Nobody is going to hire you as a senior pen tester if you have no experience, right? No matter how many certifications you get, the certifications are not going to magically give you the job, but the certifications will give you a foundational understanding. They will also open up networking opportunities where you meet people that perhaps have the ability to hire pen testers and people like that. Definitely, do it, but just be realistic and understand that you’re not going to jump right into it with no experience and in a year be a senior pen tester.
Now, that could happen, but it’s not the norm. That’s just like saying that everybody’s going to be a Kobe Bryant or a LeBron James. 99% of the players in the NBA will never excel to that level. For the rest of us, most of us, there are certain things you can do. First of all, actually sitting down and taking your time and mastering the technical hands-on stuff. Our Skills platform is actually perfect for that, because you can kind of do it in sections. I think that’s one of the big challenges with traditional learning, is we take people and we put them in a room for five days and we fire-hose them with all of this stuff and maybe 10% of it sticks. They might pass and get the certification, but maybe 10% of the information sticks, and then they’re expected to go past that and master that skill. Whereas, really, how we learn best, I think, for the most part is if we can absorb that information in small chunks at our pace.
I think one of the most important things is make sure as you’re learning, you go at your pace. Go at a pace that’s conducive for you to learn, and that’s going to be different for some people. It’s not going to be the same for everyone. Someone asked me, “How long does it take to go from nothing to being a pen tester?” I’m very hesitant to answer that, because I think it varies so much on the individual, how much time you have to put into it, what level of technical background you have. If you’ve already done network engineering or application development and you’re coming into pen testing, well surely, your arc is going to be faster than someone that has no technical hands-on experience whatsoever.
What I always tell people is like, “Look, shoot me an email. Send your resume, and I’ll give you a custom response to that question because I don’t like to do the generic ones.” Because people get set up thinking they’re going to come in and do what you did. You have maybe a development background and they don’t have that and they see a different result.
The main thing is take as many online courses and things like that as you can to see what it’s all about. You might even jump into it and figure out, “You know what? I don’t really think this is for me anymore. Maybe I want to do incident response or policy or something like that,” and we want that. Most of us in the industry, we want you to find what you like. If you don’t like pen testing, I don’t want to hire you as a pen tester no matter how technical you are.
I think one thing is finding out if you really want to do it, and then once you know that, get the hands-on with the labs and things like that. Look for trainings that are lab-focused, because you can sit and watch me do something all day and think you understand it, but you really don’t understand it until you can sit down and do it and be able to explain it to someone else. Look for training that’s heavily lab-focused. Start with that. Start with basic things like learning the Windows command line, learning the Linux command line, understanding networking, all the foundational stuff, because if you jump too fast, what ends up happening, and I’ve seen this happen over and over and over again, and I was talking to some other people from Infosec last week, we kind of calculated out that I’ve certified and had upwards of like 12,000 people go through courses over the years we’ve taught. That gives us a pretty good view of how people progress.
Some of those people have gone on to become CISOs, some CEOs of big companies. I hear their stories and hear what they wish they would have done differently and stuff like that. I think one of the things that I keep hearing over and over again is don’t move from step one to step two until you’ve truly mastered step one. We’re in such a hurry to go fast and get that cert and get that title and get that job role that you get in and you’re kind of struggling in that job role because you know you don’t necessarily have the skillset that you were supposed to get along the way.
Start with the foundational stuff. Understand how networks work. By the way, that’s changing. When I say how networks work, when we talk about software-defined networking in the cloud, that’s going to be a completely different picture than your traditional Cisco, Juniper, understanding how that equipment works.
I think starting with those things. Start off jumping into cloud services right away, like don’t wait, like don’t wait until like, “Well, I’m going to go through my security process, then I’m going to start learning cloud.” Start learning cloud stuff right now, and the reason I say that is because you can go right this second. You can go to aws.amazon.com or azure.microsoft.com or cloud.google.com and you can set up an account and start practicing that stuff right away, like right this second.
With that accessibility and with the great opportunities that that’s able to give you, I think people should definitely start that right away and just kind of do it in parallel with learning how to work on operating systems and learning how to scan and networking and stuff like that. Don’t be afraid of the challenge. Jump into it and just take your time and be comfortable with the fact that this might take you more time than other people.
I mean, I will tell you, I’m a slow learner. When I learn things, it takes me a long time. I would go through things 10 times in a row. But the advantage is once it’s fixed, then I never lose it. Like it’s there forever. My sister is the opposite. She picks up things instantaneously, but she forgets things a lot faster. Don’t be afraid to understand and embrace who you are and how you learn, then take advantage of that. Take that and run with that in your quest to learn this stuff.
[15:23] CR: Yeah. Keatron, I think that’s some great advice, and I think one other thing that people have to remember is nobody’s path is the same regardless of what you do, and there are some great resources for recommended paths or more common stepping stones and things. But I think overall, you have to find what works for you, and there are a lot of different ways that you can transition into this is what I’m taking away from what you shared there.
[15:50] KE: Absolutely, and my best pen tester, her background was nothing technical, like she was a liberal arts major. She taught drama at a community college, but she tinkered. She was a technology tinkerer. She experimented with technology on the side as a hobby and she came in for the interview and, looking at her resume, her background, she was the least qualified for sure.
Over time, over the next year, the reason I hired her is because when I bring people in for an interview, there is kind of a little technical test that I give you where I give you a machine, some IP addresses and some other things and you have to figure out how to find these things, scan them, find vulnerabilities and exploit the vulnerabilities. While she was pretty behind on doing that, her approach and her problem-solving skills were kind of off the roof. I could see that she – The way she was approaching it, she would have eventually gotten it. I only give like two hours to do it. But if she would have had eight hours, she for sure would have done it and probably done a better job than all the other candidates that had many years of experience.
I saw that and I took a chance and hired her, and now she’s the top, the best pen tester. She got to that position in a very short amount of time. She had the least amount of experience. Came in knowing nothing, but had a good approach to learning and problem solving. Shadowed me for about six months, and now she’s – Within a year, she had passed people that had been doing pen testing for 10, 15 years just in her innovation and the way she approached things.
Absolutely, don’t listen to any of this stuff about, “Whoa! You got to do this for 12 years and then you got to move into that.” There is some truth to that and there is some value to that, but understand that there are many different ways to get there. The main thing is that you dig into it and you actually start practicing. Get your hands on. Watching people do things is not the same as actually doing it yourself.
[17:51] CR: Sure. Well, that’s a good transition, I think. A lot of people know that certification is a great pathway to get into the industry, and that is going to be a requirement in the majority of cases for a job in ethical hacking or that sort of thing. These are great opportunities to prove your skills as well. Can you talk a little bit about the difference – Or not the difference, excuse me, about the different types of certifications, like the CompTIA PenTest+ cert or other pen testing certs and things you recommend?
[18:27] KE: Yeah, absolutely. The PenTest+ is a good addition to the pen testing certification kind of bowl of certifications, because it adds – I think that they focus a little bit more on things on the front end of the engagement, like the documentation, the stuff that you should request from a customer, how you should do your contracts and things like that. I think they focus on that more than other certifications. I also think that on the technical side, they focus a lot more on scripting and stuff like that than some of the others do.
In addition, aside from that, things like Nmap and all of your exploitation stuff, I think they’re right in line with everyone else, but those are some of the areas that are different. I think it’s definitely a good addition. We actually offer it, like our pen testing courses now, our CEH courses, are actually CEH and PenTest+. It’s a dual certification where you leave with getting both the certs essentially. It’s a great addition to that.
There are others out there. There is the OSCP, the eLearnSecurity ones, all these ones. Some of them are a lot more hands-on. For example, the OSCP is just a lab, like you have to go in and do these things. I think that’s great for proving that you can do something, but a lot of times, the certifications or the trainings where you’re actually validating and proving yourself aren’t necessarily the best ones that teach you, right?
Some people are coming into the industry saying, “Oh! I’m going for OSCP because my guy that’s been in the industry for 10 years just got OSCP and he said it’s way better than CEH and PenTest+.” Well, yeah, but that person started with CEH and PenTest+. If they didn’t have that background, if they didn’t have those basic skills first, their opinion of OSCP and some of the others might be different, right?
I think that part of it is just basically understanding that when you’re coming in as a new person, your learning path and the things you need to learn are going to be different than someone that’s been in it 10 years already. You can’t necessarily listen to that advice, because while those people may be great at what they are doing, they’re not necessarily good at… They’re not career advisors. They’re not trainers. They’re not good at taking you and bringing you along the path.
If you look at some of the best jazz musicians, like if you listen to them and talk to them and listen to people who have interviewed them and done a study on them, they’ll tell you like, “Yeah, Dizzy Gillespie has the fastest fingers ever on piano,” but this person tried to study under him for five years and he says he’s the worst instructor he’s ever had.
Just because you can perform, doesn’t mean you can train and bring other people in. I think that different certifications have a different place. I think they all kind of are starting to fit together nicely as different ones kind of find what their niche is. But for sure, today, still, for entry-level pen testing, CEH is still kind of the go-to one. A lot of that has got to do with not – I don’t like to try to compare or slam people’s certifications, but what’s happened is it’s been around for a long time. It’s kind of baked into the fabric of if you’re going to come into this organization doing any type of offensive or defensive security, you got to have CEH as an entry-level. Meaning, there’s 8570 for DoD and all these others that just require it.
Because of those things, as well as it still being a good cert if you get the right training, you’re under the right instructor and you’re exposed to the right stuff, it’s still a really good certification for people entering into the industry. Again, don’t listen to those people that have been in the industry for 20 years and they started with CEH and they kind of cut their teeth with it and got their opportunity with CEH. Now 20 years later they’re like, “Oh! That’s garbage. Don’t do that.”
Well, maybe it is for you because you have that 20 years’ experience, but remember, we’re trying to bring people in as well and that’s what we need as an industry. We have such a huge shortage that we’re trying to make it easier to transition people in, and I think PenTest+ and CEH are still the best certifications for that.
[22:36] CR: Perfect. Now, before we get to the next question here, Keatron, I’ll bring in a question from Sumeda. Are these entry-level certifications or are there prerequisites that you would recommend before these?
[22:51] KE: I definitely recommend some – Even if you don’t get prerequisite certifications, I definitely recommend prerequisite knowledge, right? The knowledge that comes along with having a Security+, a Network+, you definitely need that baseline of knowledge, because when you’re coming to something like a CEH, it’s entry-level to pen testing, but it’s not entry-level into IT or entry-level into security.
There are certain cybersecurity terminologies, certain cybersecurity understandings that you’re expected to already have when you come into something like a CEH. Definitely, you need foundational understandings of how these things work. You need some basic Linux hands-on, some basic Windows command line hands-on. Just very basic. You don’t need to be an expert with Linux or an expert – You just need to have – Watching videos, learn how to run some commands, learn how to find stuff on that operating system.
Like I said, a lot of the free stuff that I offer on LinkedIn and other places is really just trying to give people that foundation so that when you come to us at Infosec to take Security+ or whatever training we’re offering, you already have enough foundation that you’ll be more successful in those classes.
[24:09] CR: Sure. Perfect. Well, thank you. I think that will answer Sumeda’s question. Appreciate that. Moving on to the future of this, so if someone’s looking to get into the industry or looking to get into this career path, what can they expect to see in your opinion in the future?
[24:31] KE: I think, again, cloud is going to be the big thing. I think you definitely have to start. I think you have to marry yourself to the cloud technologies now. Get a head start on that. I mean, even when I show people how to build a practice environment, right? If you want to learn pen testing, if you want to learn technical security, what type of labs should I build? What I tell them is build a lab in one of the cloud services, because in addition to you building a lab to practice your hacking and your pen testing and your forensics in, you’re also learning cloud services in the process of building that lab and that environment, and that is going to be an absolutely critical skill.
Now, I’ve got some pretty – Some of my bigger customers, and I was just at one of them about three weeks ago, and what they told me was, “Look, we’re a big bank. We’ve migrated almost all of our stuff to cloud services. Almost 100% of it, and a lot of our general IT people, they’re either going to have to become cybersecurity technical engineers or they’re not going to have a job,” because what’s ended up happening is, again, the traditional low-level stuff like setting up networks and things like that, this is point-and-click stuff in AWS or Azure now, where I can build a VPC, put a router there, drop it in, give that network Internet access in a matter of literally five seconds. I don’t need to know a bunch of Cisco commands or anything like that.
What’s happening is the skillset requirement is going to transition to where your understanding of how applications work, your understanding of web applications, your understanding of cloud technologies in general are going to be the things that are considered foundational to your cybersecurity skillset. Now you’re going to have to learn cloud and all these things as your foundation and then move on to cybersecurity, stacking it on top of that basic foundational understanding.
Just like if I were teaching you how to hack networks, right? You have to first understand how networks work. This is why we do recommended paths, we say, “Hey, learn basic networking. Learn operating systems and learn how to hack those things.” Well, if you’re going to learn how to hack things in cloud services, you need a basic understanding of how cloud services work. If you’re going to be engineering security around cloud services, you need to understand how cloud services work.
I think that’s something that we’re going to see shaping up in the very near future, where that’s going to become a bigger and bigger thing, where cloud is kind of the entry-level foundation. You got to have this basic understanding and then you can do cyber on top of that.
[27:09] CR: Sure. Now, how are you seeing, if any, a shift in people training for this? I know at Infosec, hands-on online learning has been a big hit. Cybersecurity pros are so busy because there’s not all that many of them that they don’t always have the ability to sit down for 5, 6 days. What is your opinion on online learning versus classroom-style learning?
[27:35] KE: Yeah. I think the Skills platform that we’ve rolled out at Infosec is kind of where it’s going to be in the future, because again you get to absorb the stuff at your own pace. The way that we learn in this field is kind of special, right? We don’t necessarily have time during the day to learn, because we’re putting out fires and doing all these other things.
[27:59] CR: Left and right. Yeah.
[28:00] KE: Yeah. But most of us, if the company gives us an account to A Cloud Guru or Infosec Skills or something like that, if we have that skills account, we spend our own time in the evenings or at night or 2 AM when we can’t sleep just sitting and going through tutorials, going through labs. I think that that’s going to become more and more the norm. People are going to want to do it more online because they have full access to it kind of on-demand when they need access to the training.
Even with our Flex learning, one of the main selling points of it and one of the things that’s a big hit with the students is the fact that when you take – If you took CEH and PenTest+ from me, one of the things you get with Flex online is you get me live like we are now, but you also get all of that recorded. All 12 hours of that day is recorded and you have access to it for as long as you need access to it.
Long after the class, you can go back and watch the videos of our interactions, the questions you might have asked and that type of thing and just kind of refresh that. I think that’s the future of learning, is the ability to sit down, go through small chunks of data versus a big 40 hours of it. That’s just kind of what we’ve become more conditioned to as well with the short media, the news cycles and social media. We kind of just learn. We’re used to taking small amounts of information at a time and then using that to make decisions and move forward with it. We don’t have the attention span to do 40 hours properly anymore.
I mean, we can do it, we can discipline ourselves to sit down and do it, but if you look at the amount of it that we’re absorbing and we’re able to take and translate, what Keatron is saying, what Keatron is showing me, now let me sit down at the keyboard and integrate that into my job. The rate at which that happens is, I think, much higher when we do it in short chunks versus a big blob of it.
[30:03] CR: Sure. Yeah, I think it’s also – Again, as you mentioned earlier, what works best for that person too. Some people need that real structured sit-down boot camp style class and some people are great at learning on their own. Figuring out what works for you is really important.
[30:22] KE: Yup. Absolutely. One day we’ll have it like The Matrix, where I can sit in a chair, stick a thing in my head and suck out everything and then somebody else would sit in that chair and get all that information in their head and immediately go apply it. But until we get to that, I think this is the closest thing we’re going to have to it.
[30:40] CR: Right, and you get working on that invention and let us know when you’re done with that.
[30:43] KE: Yeah.
[30:46] CR: Well, now we’re kind of at the point in the presentation where we are hoping that you could show us a demo of what you might do as an ethical hacker, or pen tester, that sort of thing. I’m going to go ahead and change the presenter over to you.
[31:04] KE: Sure.
[31:05] CR: If you want to tell us a little bit about what you’re going to show us today.
[31:10] KE: Yes. I’m going to kind of show what it looks like to do, we’re going to kind of combine cross-site scripting, watering hole attacks and actually mix that with Metasploit and some other things. Part of that, part of the reason I do this in classes now is because this is what we do with customers. When we go out and we do engagements and we show them things, like for example, we find cross-site scripting on their website, just having Burp Suite run. Do that cross-site scripting finding and then tell them, “You have cross-site scripting. Go fix it.”
A lot of times customers don’t get the urgency, because they don’t understand what that actually is. No matter how much you talk to them about it, they don’t get it. I’ve kind of designed a little world here where Camille’s website here, Camille sells trinkets or whatever the case may be, and you have Camille’s customers that visit that site, and we’re going to use this to show what cross-site scripting is.
This is just a little overview before I get into the actual demo. What happens is Camille’s customers will visit her site and absorb content. Now, let’s say Camille’s site happens to have a cross-site scripting vulnerability in there. Because of the way that her developers design their sites, she’s got some cross-site scripting vulnerability in it.
What happens is Keatron finds those, and what that essentially allows Keatron to do is to put comments, like I can post a comment that basically points to Keatron’s website, my bad website. I’m able to post a script tag or just even like – Actually, I’ll do it with an iframe. We’re able to post some iframe or a comment that says, “Go visit Keatron’s website.”
So now when one of Camille’s customers visits Camille’s website, they’re now also loading a copy of Keatron’s website, because what happens is when you visit a website, you’re actually taking that entire HTML and you’re pulling it down to your machine and you’re loading it into memory on your machine. That’s what your browser is actually doing, is it’s pulling it down into memory so you can see it here.
Well, guess what? That red that represents the bad thing that points to Keatron’s website, you’ve now ingested that into memory on your machine because of this cross-site scripting.
[33:52] CR: That’s gone back within.
[33:54] KE: Yup. Now what happens is that code that says go pull Keatron’s site will execute. Suddenly now your customer, Camille, is loading a copy of guess whose site in memory? Because I’ve got my site hidden in your site in the form of an iframe. Now that customer of yours has my malicious website in memory and that malicious website simply runs code that says, “Send Keatron command-and-control,” and at that point, that machine is mine. It belongs to Keatron, because now Keatron keeps it right on his machine here and just runs commands that will translate over to this machine.
He’s taking control of – The point that we have to show customers is like, “Look, the fact that you have a cross-site scripting vulnerability and it says that it’s a minimal or a medium vulnerability, that may be true,” but you need to understand that for your customers, it’s probably critical because you’re not going to get exploited. I’m not going to be able to exploit Camille because of Camille’s cross-site vulnerability. I’m going to be exploiting Camille’s customers or anyone else that visits her site. Once we explain that to customers, then they get it. It’s like a light bulb comes on. It’s like, “Oh! Okay, now we see why it’s a bad thing.”
If you took a 30-minute introduction to HTML class, you would learn how to do iframes. It’s basically saying this, and I’m just saying point to Keatron’s website, which for this demo is at this IP address and it’s listening on that port and it’s going to that URL, right? That’s all I’m saying there. I’m going to sign a guestbook. I put my comment on your website there.
[36:27] CR: This would be something that would commonly be on a smaller company’s website, a “send us a message” or “leave us a note” or that sort of thing.
[36:36] KE: Yeah. Yeah, anywhere where you’re allowing a customer to put feedback or anything like that. Another place this is commonly done or where you commonly see it happen is on companies’ Facebook pages, right? I’ll post something on the Infosec or Camille’s Facebook page that will be like, “Hey, look at this video of someone taking a class at Camille’s training,” and it won’t actually be a video of that. It will be a video of that, but also on that same website there is an iframe like this that points to Keatron’s bad site, because you can’t really post bad code on Facebook, but what you can post is links to other pages, right?
That’s another common way that you see this actually play out. As you can see the iframe posted. Now this is your website, Camille, that I just posted this comment on, right? On the surface it looks harmless. Now one of your customers is going to go and visit that same site. They log into Camille’s trinket website. They go and visit the same page that I posted on and just from visiting that page, just from visiting that page, they’ve loaded my iframe. Just from loading that iframe, they’ve pulled malicious code from Keatron’s malicious site into their browser session. Because of that, what’s happening on the attacker’s side is the following. Now, on Keatron’s machine, I’ve actually got control of your site, of your customer’s computer here as I visited.
Now as this thing is loading that you see here, sending stage, which means it’s sending some malicious payload. Now I’ve got what we call a Meterpreter session, which means I own that machine now, because at this point I can connect to that session. I can now do things like take a screenshot of your customer’s machine, right? I can see what’s on their screen.
[38:34] CR: That might be if they were entering payment to pay for one of my trinkets or something, you’d take a screenshot of that and have their credit card info.
[38:42] KE: Absolutely, or I just might do this. I might say run a keylogger, because I’m essentially in their machine now. If I ran that, what that customer might do – So not only entering payment on your site, but let’s say they go to your Chase account or your Bank of America account or whatever, let’s go play. That’s a good question. Let’s just go play customer one more time.
We’re going to visit another site. I’m going to open up Chrome here and we’re going to go to our Chase bank account and I’m going to sign in, put in my username.
[39:16] CR: Password is 12345, right?
[39:18] KE: Yeah, exactly. I log in.
[39:20] CR: Yeah, it’s a good one.
[39:20] KE: I know all those attending are like, “Is he going to really give us his password?” Absolutely not. We just logged in our Chase account here. I put in the wrong information, but pretend we did put in the right information. We’ve just logged in. Guess what the attacker gets to see? Back on the attacker’s screen, since he’s having these keystrokes logged to his computer, he can actually just go and open this file here. I’m just going to open another terminal here and go read that actual file, and there are all those keystrokes. We can see them working with chase.com. We can see they logged in with the username of Keatron and then we can see the password is “not a chance,” and there’s not a chance I’m going to give it to you.
[40:07] CR: That’s a good password.
[40:08] KE: Yeah. Yeah. Absolutely. Now, everything that that person types, everything that they do, I can record it right here and have that information. Not only that, I can literally drop into that machine then run commands like I could go – Just give me the name of like one participant in the webinar. Like just a first name.
[40:29] CR: Let’s see. Jacob. I see a question from him that we’ll get to in a minute here, but let’s use Jacob.
[40:38] KE: All right. I’m just going to make a directory on the desktop named Jacob. I’m going to create a text file that says Hello Jake, and put that right on the desktop as well. Now just to prove that we have control of the machine, if we go back and play customer again and look at the desktop, you’d see there’s a folder named Jacob there.
[41:09] CR: Oh, yeah.
[41:12] KE: We did do that, and there should be a text file too. I might have fat-fingered a command on that, which is something that happens commonly with me. Yeah, anyway, we did all those things. We got the screenshot. We got your login into your bank account. Pretty much we own your computer at this point. If you look at it from the standpoint of how we started, remember, the point was this is not happening to you, Camille. This is happening to your customers.
[41:44] CR: Right, and I might not even know this is happening.
[41:47] KE: You might not even know. All of your customers that are visiting your site, this could be potentially happening to them because you have a cross-site scripting vulnerability, and what makes it even worse is instead of having this set to Keatron’s bad site on a little web server that Keatron’s got on his portal, guess where this ends up being?
Now what they’re doing is they are putting their malicious websites in places like live AWS, or Azure, or Google Cloud. In other words, Keatron’s malicious website lives at aws.amazon.com or something like that, which are you sustaining? I mean, if you ever watch Netflix, you stream stuff from aws.amazon.com. Now they’re hiding kind of in plain sight by utilizing cloud services to where this cross-site scripting vulnerability that’s exploited now points to somewhere in AWS or somewhere in Google or somewhere in Microsoft Azure, which makes it harder for you to track it if you are investigating this attack.
That’s kind of somewhat in view of the things that we’re teaching in the ethical hacking and the Pentest+ courses to make it to where not only as a student will you have the ability to go out and do these things, but you also increase your ability to demonstrate and explain to your customer what is actually going on versus just giving them a report, because one of the things that happens in this industry a lot of times is we’re so busy impressing each other that we forget about who we’re supposedly doing the service for.
The pen test report looks like magic to another pen tester, but to that customer that’s absorbing that report, they don’t know heads or tails of what any of that means. Just taking five minutes for me to do a demonstration like this for a customer versus pages of explaining it is worth the effort, because I get that customer over and over and over again, because they understand now what it is.
[43:55] CR: Right. I think that’s so important, the way you said, understanding and being able to learn and teach. I know you touched on that earlier, but I think the soft skills of cybersecurity is where you are working a lot of times with people who don’t know what’s going on. They’re very frightened of, “Am I being hacked? What is happening?” That sort of thing.
The way that you are able to explain this to myself who is not very technical made sense, and I think that that’s what’s really important is not only can you pass the exam and say, “Yes, this is the right answer,” but then you can say this is the right answer because this is how you do it.
[44:34] KE: Yeah, absolutely. Yeah. That’s it for the demo if you want to take control back here.
[44:40] CR: Yeah, that’ll be great. Thank you. That was really interesting and I think it gave a good showing of just how easy it is for someone to unfortunately take advantage of someone’s website or someone’s different things that they own. Thank you.
Let’s see. Back on to the next slide then. We’ve got some questions coming through, and please continue to submit those. We are going to go ahead and take some questions, then we’ll announce the winner of the one-year trial of Infosec Skills. Thanks to everyone who’s asked questions so far. Keep them coming. We have a few minutes here to go through these.
Let me start with one of the first questions here: is there any specific cloud tech to cut your teeth on? Amazon, Google, Azure? That question is from Dan.
[45:41] KE: Yes. To remain vendor neutral here as much as possible, I would – For me personally, I have a stronger background in Amazon with AWS, that’s just because when I got introduced to cloud, that’s what it was. That was the major player. But I think that now all three of the major ones, which would be Google, Amazon and Microsoft, I think they’re all three relatively easy to – I have certifications in all of them and I’ve used all of them for various things. I don’t think any one of them is necessarily easier to utilize than the other, but I would say go to the AWS website, go to the Azure website, go to Google Cloud and just type in how do I set up an account? Just go ahead and set up that first account. Set up one in all three and then spend 30 minutes on each one and figure out which platform you like better, whichever one that just seems to fit you naturally and you seem to like better. Don’t worry about trying to read other people’s opinions. Take the one that feels best to you and just go with it. Go deep into that one and then come back and backfill on the other two.
I think we spend so much time trying to analyze, “Oh! Which one should I do and which one is better?” Go with the one that feels right. Like I said, spend 30 minutes on each one in their intro, like, “Okay. Here’s Azure. Let me start with that. Let me see if I can stand up a VM and reach it from the internet.” “Here’s AWS. Let me see if I can stand up a VM here. Here’s Google, let me see if I can stand up one here.”
Go through that process of doing something very basic like that and then rate them on which one you think was easier and better for you to be able to do it and then just go full steam ahead with that one. I believe that’s the best way to approach that.
[47:30] CR: Sure. Perfect. Dan, hopefully that question helped you out there. Now, another question that came through on the chat here is what are the different attack types that are most common with what you just shared? Let’s see. How are the attack types that you shared in the demo, what are they mostly used for? Is it for getting money? Is it for getting personal information? What is the most common thing that can happen to a person?
[48:01] KE: I think they’re used a lot for getting credit card information, getting PII so that they can either sell it or set up fake credit in your name and stuff like that, but also just intellectual property theft.
One of the things we’re seeing happen in the enterprise is these types of attacks that you just saw are happening like on public hotspots and places like that. Like you go to Starbucks or somewhere like that with Wi-Fi. They’re cross-site scripting the little Starbucks welcome page, where you have to agree that you are going to follow their rules or whatever. They’re doing things there now to where they’re getting you this way.
A lot of times it’s just to get at someone that works at a certain company. If I know Camille works at Infosec and I’m trying to get into Infosec, I might go to a website that I know Camille visits or frequents and do something like that and set it up and just wait for you to go there and then get into your box so that I can get into Infosec.
Most of these attacks are either being used to get financial information, credit card information or they’re using them as a pivot point to eventually get into an organization that the target works at.
[49:14] CR: Okay. Now, are these pages, is this different than like a phishing page? In the demo, what you showed us, they don’t actually have to create a look-alike page to Chase Bank or that sort of thing. They’re just taking the info right from the real one.
[49:29] KE: Right from the real one, because the real page is vulnerable to cross-site scripting, because part of what I show there, the fact that I’m able to do cross-site scripting, when I did the whole attack is actually called watering hole attack, right? When you hear that term in the industry, watering hole, that’s essentially what the attack was. But I was able to do a watering hole attack because of the fact that a cross-site scripting vulnerability existed there, right?
Where watering hole comes from is if you can imagine the smart lions in the desert, they don’t chase animals around the desert. They wait at the oasis. They wait at the watering hole for the gazelle to come there and drink and they pounce on them, right? That’s what we just did there.
[50:08] CR: They know they’re going to come there.
[50:09] KE: Yeah. Instead of me chasing your customers, Camille, I just waited at your site for them to come there and then I pounced on them when they hit your site via that cross-site scripting. It was a cross-site scripting vulnerability that we exploited. It was a cross-site scripting attack, but overall it was a watering hole attack.
Again, that’s another interesting thing in the industry is people don’t explain that stuff. When you hear watering hole, you think of something completely different. But what you just saw was actually a watering hole attack made possible by a cross-site scripting vulnerability.
[50:41] CR: Okay. Okay, very cool. Thank you. Looks like we have time for just a couple of more questions, and thank you to everyone who submitted. We might not get to all of them, but we will try our best. Quite a few people are asking questions on demo labs. Keatron, can you talk a little bit about how you recommend people try this out or learn this?
[51:03] KE: Absolutely. The best way, and of course I’m biased on this here, the best way is to sign up for our Infosec Skills, because actually in some of the courses and skills paths that I author, I go through these things. I explain in detail and we provide you a lab environment to practice it. Now if you want to build your own lab environment, I can help you with that as well, but the easiest way to immediately get right into it is sign up for our skills path, go look at the ethical hacking stuff. I actually go through all the stuff. Now, I’m not the only one in the ethical hacking path. That’s me and some other instructors, but I definitely go through some of this stuff in that skills path. If you do sign up, make sure you use my discount code, because you can actually get 50% off of your skills subscription if you use my code.
[51:56] CR: Sure, and we’ll get to that code in just a moment here. Looking at the time, it is getting towards the end. Let’s get one last question in and then we will go ahead to the drawing and share some information about that code that Keatron mentioned. Let’s go ahead to the question of the different backgrounds that you’ve seen go into ethical hacking. A lot of people are kind of asking, telling a little bit about their specific experience. Are there other backgrounds? You mentioned that your best pen tester, for example, was from a totally different background. But is there one that you would say is more common that you see transition into ethical hacking?
[52:43] KE: Yeah. It’s people that have a background in network engineering, or when we say ethical hacking, that includes web app now. People that have a strong development background tend to transition right into web app security and app security. We call it appsec.
Definitely, network engineering and some type of development role are like the most transitional roles that we see coming in to ethical hacking. But it doesn’t – That absolutely doesn’t mean that that excludes you because you don’t meet that criteria. It’s just that I think that’s more of a natural transition for people, and they are also the ones that would be most likely to have information about it, right? If your job is to – If you’re an accountant, you will probably be less likely to even know what certified ethical hacker is than someone that’s a network engineer.
I think a lot of it is because those people are kind of closer to the field. So they have more information. They have more insight to go into it. But don’t let that shy you away from it. I have a firm belief that literally anyone no matter what your background or what your skill level is can get into this industry and do this very thing. Like I said, I’ve got a personal effort, a free personal effort to kind of get people that feel like they know to the point to where they can come to someone like Infosec and really take advantage of the amazing course offerings and stuff like that that we have, and specifically that skills platform.
[54:15] CS: I hope you enjoyed today’s webinar episode. Just as a reminder, many of our podcasts also contain video components. In some cases, they feature walk-throughs or demonstrations that need to be watched as well as heard. These can all be found on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and other webinars. As ever, search Cyber Work with Infosec in your podcast app of choice for more of these episodes.
For a limited time only, the Cyber Work podcast is offering listeners one free month of our Infosec Skills learning platform. To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills or click the link in the episode description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, no spaces, two capital letters, and use it to claim your free month.
Thanks once again to Keatron Evans, and thank you all for listening. We’ll speak to you next week.