As a professional penetration tester, there’s one thing that rarely if ever gets discussed. Is it that the common image of a hacker, the lone wolf pounding away on a keyboard in a dark room only taking breaks for caffeine and cold pizza and, of course, doing nefarious things all while wearing a hoodie, is not true? Not really. Those of us doing this (or looking to do it) for a living know better. Is it that a penetration tester is often asked to wear many hats and perform all different types of assessments? Is it that we are asked to be technically minded but also to be proficient in the soft skills such as interacting with clients and delivering well-written reports? Or that we make great salaries and can perform all of this work remotely from the comforts of our homes? Nope. With as many courses as I’ve taken (and written), all of the certifications I’ve earned, and all of the research I’ve done on the occupation of ethical hacking, there’s still one thing that they rarely cover. As professional penetration testers, we almost always work in a team pentesting environment.
Because of this group aspect, it is important to think about the ways that we can effectively, and efficiently, be a team player. In this article, we’ll cover a range of topics from what a typical day as a penetration tester might look like to the pros and cons of working remotely and finally to advice on being a team pentesting player once you’re working in the field. So, congratulations on getting that job you’ve always wanted. If you want to stay there and progress, keep reading!
A Day in the Life of a Penetration Tester
While working as a penetration tester, you can wear so many different hats. We’re often thought of as ethical hackers, which is true, but we are also consultants that perform a variety of tasks, write lengthy reports, and interact with clients through phone calls, e-mails, and debriefs. In order to best describe a typical day, I must cover each possible task I might be asked to perform at work. Let’s dive right in.
I work remotely (one of the great perks of this job) and thus, roll out of bed about 10 minutes prior to starting my day. I’ll turn on the coffee pot, pour my cup of joe, and be ready to go at 8 AM.
8:00 AM – 5:00 PM
Here is where the diversity in my day really begins. Depending on the client and the tasks needed to be performed that day, I can end up doing a wide variety of tasks. I’d like to briefly cover each assessment that I have been asked to do at work:
Vulnerability Scanning – With vulnerability scanning, we utilize tools like Nessus to scan against a client. We then review the results of the scan and provide a report to the client in order of patch importance. The big thing to note is that vulnerability scanning does not come with exploitation attempts, and, a lot of times, it does not come with verification either. Clients often choose vulnerability scans when they are in-between penetration tests and/or are fulfilling compliance requirements.
External Network Penetration Testing – An external penetration test is where an ethical hacker attempts to break into a network from the outside. This testing is to emulate an attack that can happen at any time and from anywhere. On top of vulnerability scanning the external facing network, we will also attempt to verify and exploit potential vulnerabilities found. We will also leverage items found during information gathering, such as account credentials that have shown up in past security breaches, to attempt to gain access to networks through credential stuffing and password spraying attacks.
Internal Network Penetration Testing – An internal penetration test is where an ethical hacker tests from within a network. In this scenario, we can assume that we have breached the perimeter as a bad guy and are now inside the network, attempting to identify valuable information while also attempting to compromise the entire network if possible. These tests are heavily focused (>95%) on Active Directory penetration testing and require a much different toolkit than external testing.
Web Application Penetration Testing – A web application penetration test is most commonly the testing of a website, though it can also cover custom and internal applications. Here, an attacker attempts to identify any vulnerabilities that may exist within the application to improve overall security. Most commonly, we focus on utilizing the Open Web Application Security Project (OWASP) framework and methodology to test client applications. Common attacks include SQL injection (SQLi), Cross-Site Scripting (XSS), XML External Entities (XXE), and much, much more.
Wireless Penetration Testing – A wireless penetration test is an assessment of a client’s wireless networks. Most commonly, we are tasked with assessing if we can gain access to a WPA2 personal or enterprise network. We are also tasked with assessing guest networks to see if we can identify any sensitive files or servers as a guest and/or access locations in the network that we should not be able to.
Physical Penetration Testing – A physical penetration test is an assessment of a client’s physical location. You can think of this as legal breaking and entering. We are typically asked to assess security measures and see where we can gain access. For example, can we get past security and make our way into a network closet without being stopped? In this type of testing, we utilize social engineering, lock picks, cans of air, shims, and all sorts of other fun tools and techniques to deliver a successful engagement.
Social Engineering – Another task that we are asked to perform is social engineering. This may be in the form of phishing, vishing, and other techniques identified by the client. For example, we might call the help desk pretending to be an end user and asking for a password reset. We might also perform a phishing campaign against the entire organization to see how many people click on a particular link and how many people submit sensitive information to us.
Malware Assessments – In malware assessments, a penetration tester will generate many different forms of malware in order to test against client protections that are in place. This malware often starts off incredibly basic and becomes more obfuscated and complex. The goal is to identify what types of malware are detected by the client and what types of malware are not detected. This helps fine tune client systems and improve the overall security posture of an organization.
Purple Teaming – A purple team assessment, also sometimes known as a SOC assessment, is where the red team (offense) sits down with the blue team (defense) and runs a variety of simulated attacks. The goal of these attacks is to determine if the blue team is able to detect the attacks and if not, improve security baselines so that the attacks are detected in the future.
Red Teaming – A red team assessment simulates an advanced attack against a client. These assessments are meant to be stealthy in nature and can take months to complete. Often, a red team assessment includes little to no scanning activity and a high amount of social engineering. The goal is to simulate groups such as Advanced Persistent Threats (APTs) and exfiltrate sensitive information out of the organization. It’s incredibly different from the typical scan and exploit type assessments that most penetration testers perform.
Whew! In terms of assessments, these are brief descriptions of the ones you will most likely see as a penetration tester/consultant. There are lots of subtle nuances to each one as well as scope considerations, so please don’t flame the comments below if you define them slightly differently. Your mileage may vary in what tasks are assigned to you, however, depending on where you work and what your background is. For example, if you’re a former web developer, you may be asked to perform source code review. If you’re a former network engineer, you may be asked to review network configuration files for security gaps. Conversely, you may be slotted into a job doing just one of these tasks, such as vulnerability scanning or web application penetration testing. Either way you end up being utilized, it all plays into the team pentesting idea.
Once we have completed our assessment work, we then begin the report writing phase. This can be a tedious process depending on where you work. You are expected to take excellent notes as a penetration tester and relay those notes into a report identifying your findings. Depending on the client, your report may be a one-pager or 100 pages. Some clients want very little information and some want a lot. Most reports, in my experience, are a minimum of 20 pages.
On top of all of these assessments and report writing, if you are a consultant, you will most likely be asked to interact with your clients. This will include phone calls, status update e-mails, and debriefs. It is important to note that you do not have to be an extrovert to be successful in your interactions. However, you do need to be capable of presenting findings in front of a client, speaking clearly and intelligently, and supporting your findings through technical discussions.
Overall, in the day-to-day minutiae, penetration testers must be well-versed in many tasks, have solid writing skills, and be able to present themselves intelligently in front of a client. It’s a lot of work and requires being well-rounded to be successful.
As mentioned above, I have the pleasure of working from home. I love having the flexibility of waking up late and working in clothes that would never be presentable in an office. I love being able to cook, workout, nap, or do whatever I want during my lunch break. More importantly, I love the amount of time that I get back not sitting in traffic every day going to and from work. These are all big pros for me.
There are some downsides to working remotely as well. For one, if you’re new to the field, it may be more difficult to learn from those more senior. In an office space, it is easy to shadow someone more experienced than you, and it’s also easy to walk over to their office or cubicle and ask for help on an assessment. This type of interaction is invaluable in all skill levels but is incredibly important to those new to the field. It is not impossible to learn from others remotely, however. My first job in the field was remote, and I was still able to shadow my seniors. It just takes a bit more interaction at times.
Another downside to working remotely is the loss of social interaction at work. Having people to physically talk to, go to lunch with, and just be around can be mentally stimulating for some. Others, such as myself, see that same office interaction as a downside, having lost many hours to the overly chatty coworker who stops by your office daily. Some people need the interaction and some do not. I’ll admit I miss it sometimes, but I find myself much more productive in my home environment.
Being a Team Pentesting Player
Regardless of working remotely or in an office, there are great ways to be a team pentesting player. Let’s discuss some of those:
Encouraging Collaboration – It’s important to encourage collaboration. If you’re working an assessment and hit a wall, do not be afraid to ask a coworker for help and vice versa. If you find a new tool or learn a new trick that will help you or your team, share it with your team. It’s a great idea to have a team Slack, Teams, or Discord channel for these interactions. It’s also important to have the ability to screen share with your coworkers, if you are working remotely.
Sharing your Findings – One of the best things a team can do is sit down once a week and share their findings of their past assessments. This allows everyone on the team to not only practice their debriefing skills in front of others but also allows the entire team to see tactics used in other engagements. This “learn by committee” style can bring forth new ideas and lead to success on future engagements.
Offering to Help – Often, in any job, we find ourselves overloaded with work. If you see a teammate in this situation, ask how you can help them out. Helping out could be running scans for your teammate, offloading some IPs from your teammate and fully testing them, report writing, and much more. This, in my opinion, is the epitome of being a team player, and your teammates will appreciate you for your efforts.
Communication – Lastly, all of the above tips require communication to be effective. If your team is not effectively communicating, it could lead to degradation in performance, subpar results to your clients and missed efficiency opportunities. Talk to your teammates. Ask questions. See if they need help, which sometimes takes asking as we don’t always share with others that we are overloaded. Be a good teammate.
Final Thoughts on Team Pentesting
A penetration tester is not just some guy or girl, flying solo, hacking companies in a hoodie from a basement. We are well-versed in not only a technical skillset but often a written and social skillset as well. While we work remotely a lot of the time, we almost always are on a team pentesting with incredibly talented people. Because of this, it’s important to be the best teammate you can be and to learn from those around you. Not only will your team efficiency and skill improve in doing so, your personal efficiency and skillset will also improve, and overall you’ll be a better penetration tester for it.
For some more on team pentesting and what an ethical hacking career is really like, check out Heath’s video on “A Day in the Life of an Ethical Hacker / Penetration Tester”:
Heath Adams is a penetration tester and founder of TCM Security. He is also the co-founder of the non-profit VetSec, which assists current and former military members in the cybersecurity field. Heath is better known online as “The Cyber Mentor”, where he is an avid YouTuber, Twitch streamer, and blogger. Heath holds multiple ethical hacking certifications, including the OSCP, OSWP, eCPPTX, eWPT, and the CEH. When Heath is not at work, he enjoys spending time with his wife, Amber, and their 5 animal “children.” He loves to run, play video games, fail at trivia, and watch sporting events. You can follow him on Twitter (@thecybermentor) and YouTube (https://youtube.com/c/thecybermentor).