10 essential skills and qualities of ethical hackers

What if you could spend your time trying to access other people's networks and computer systems without getting into trouble? Of course, this is the dream of any spy and cybercriminal, but only ethical hackers, also known as "white hat hackers" or penetration testers (pentesters), can be sure that they will get away with it. These security professionals are hired to check systems for vulnerabilities so that their targets can figure out where their security needs to be strengthened, writes the CSO publication.

Once upon a time there were some doubts in the industry about the ethics of hacking, but today it is a common practice. Industry certifications are available for those who want to prove their talents, and companies create so-called "red teams" of pentesters to constantly maintain their position in the field of security. This is a job that requires a special set of skills, both technical and social. The authors of this article spoke with a number of ethical hackers and those who work with them to find out what it takes to do this complex and useful work.

Technical skills

While some pentesters specialize in certain areas of technology, most are all-purpose specialists: after all, it's impossible to tell which aspect of the target system or network will provide the means to break in. So anyone planning to enter this field needs a wide range of technology knowledge, but don't worry if you don't have a master's degree or theoretical background: the practical knowledge gained through testing and experimentation will be your most valuable resource. Nevertheless, experts have provided a good list of technologies that many people should be comfortable with at the beginning of the path of an ethical hacker.

Administration of systems and databases. A pentester needs to know everything about the systems they are trying to hack, and many ethical hackers come from the world of sysadmins. Jim O'Gorman, president of Offensive Security, says testers should be familiar with common Unix, Linux, and Windows administration, as well as SQL and database interaction.

Executing scripts. "Being able to automate parts of your workflow or attack infrastructure is critical," says Jordan LaRose, director of F-Secure. "Many attack methods rely on request streams or very repetitive writing to a file, so automation can save you a lot of time and sanity." Scripting skills are "particularly useful in the Windows world," says Andrew Usekas, CTO of ThreatX. "PowerShell scripts are a good way to bypass endpoint security tools," he notes.

Coding and software development. Understanding how to write application code and the processes by which that code is written can be key to discovering its weaknesses. "Many of the best white hackers are well-versed in the world of software development, and this makes a lot of sense," says Elad Luz, head of research at CyberMDX. "Participation in development provides insight into product creation and opens up many different tools and software to the developer. Perhaps most importantly, he or she can get into the developer's mind and understand what problems they are facing."

Networking. If you plan to hack the target network, you need to know how networks work and what some clever ways to bypass them are. "Have a basic understanding of the different types of protocols, network layers, and operating systems," says Colin Gillingham, Director of Professional Services at the NCC Group. Yaroslav Babin, head of Web application security at the Positive Technologies SWARM Team, says that in particular, you should focus on "internal networks, Active Directory service principles and functions, since most enterprise infrastructures are built on Microsoft Windows."

Web application design and vulnerabilities. Web applications provide a common means of logging into the target infrastructure, and Babin says that pentesters should "have a solid track record of finding web vulnerabilities. This includes not only knowledge of the most popular vulnerabilities, but also experience in exploiting them and understanding what each of the exploitation methods can allow - for example, SQL injection can provide not only access to the database, but also allow you to remotely execute commands on the node from time to time."

Hacking tools. There is a huge set of tools and utilities for use by pentesters, many of which are free and open source. They may be deceptively simple, but an experienced pentester will understand their nuances. "New people in the industry often get lost and start automatic analysis without setting up the proper configuration and reporting false positives," says Daniel Kirchenberg, an independent cybersecurity expert. "Understanding how your tools work can ultimately save you hours and even days of work."

Communication skills

You may have guessed that an ethical hacker needs a wide range of technical skills to properly conduct penetration tests on target systems. But the pentesting professionals we spoke to emphasized a wide range of soft skills and personality traits that they felt were important to the life of an ethical hacker. Most technical skills can be taught, but many of these traits depend more on how you think than what you know.

Passion. Perhaps the most frequent response we've received from all the experts we've talked to is that an ethical hacker should be very curious about how systems work and love hacking for its own sake. "People in these roles need to have the DNA to want to break things down and learn everything they can do," says Tammy Kahn, CEO and co-founder of BTblock, a consulting company. "More importantly, they should do it because they love hacking for its own sake, not for monetary gain."

This passion can be tested on particularly challenging tasks, so the ability to stand up in the face of failure is essential. "Penetration testing is definitely not an exact science, and it often takes many attempts and iterations before you can crack something," says F-Secure's LaRose. "You need to be persistent and not be afraid to try crazy ideas."

However, pentesters also need to know, as Kenny Rogers put it, when to abandon such ideas. "Hackers need to maintain self-confidence to move forward with seemingly futile efforts, but they also need to periodically ask themselves if they are going in the right direction and not let their egos get in the way," says CyberMDX's Luz. "Not being intimidated by failure is a good thing, but you should also be prepared to give up research that you've already spent a significant amount of time on if you don't see progress in some scenarios."

And the passion and curiosity of an ethical hacker should mean that they are always learning about new developments in the industry and improving their skills. "You'll often run into a brick wall and need to learn a new technique, or you'll need to carefully study the person or company you're targeting to determine the best way to attack them," LaRose notes. "Most of the time in pentests is actually spent developing these new skills or gathering intelligence about your target."

"Code practices are changing, new languages are coming out, new frameworks are being released, some are being updated, applications are also being updated, and that only means one thing: you have to keep learning to keep doing your job," adds Kirchenberg.

Quick wit. Another thing that most experts agreed on: pentesters need to "think differently", go beyond bookish skills about computers and instead use out-of-the-box thinking to solve the problems they face when hacking target networks. "Soft skills are based on the ability to think outside the box," says Doug Britton, CEO of Haystack Solutions. "You need to be agile, bold and creative."

Ethical hackers "need the ability to think outside the box in order to be able to find edge cases in the system - loopholes in specifications or just unexpected exploits," adds Diego Sor, director of consulting services at Core Security company HelpSystems.

F-Secure's LaRose emphasizes two qualities that characterize the thought process of a good pentester. The first is the ability to deduce, often based on limited information. "Often the consequences of what you do as a pentester happen behind the scenes, and you need to be able to guess whether what you're doing has worked or not," he says. The second is the ability to think of hacking as a human problem, not just a technical problem. "During any type of test with a social engineering component, such as phishing, it is very important to be able to put yourself in the shoes of your target audience in order to come up with a more plausible excuse," he explains.

Ethical hackers don't just need to get into the minds of their targets: they also need to understand the real attackers whose methods they're trying to emulate, to help the good guys understand what they're struggling with. "In the past, the red team just needed to break through to show its value," says Ron Gula, president of Gula Tech Adventures. "Now external testers must actively simulate intruders, which means knowing how to work with specific threats. This is evident in certain types of MITRE ATT&CK tools and in simulating long-term malware command and control campaigns."

Communication and collaboration. The stereotypical image of a hacker, ethical or otherwise, is of a lone wolf sitting at a keyboard in a darkened room, looking for weaknesses in the program. In fact, the ability to work in a team and communicate with colleagues and clients is one of the most important qualities that a penetration tester can have, says Gabby DeMercurio, director of the red group for social engineering and physical penetration testing at Coalfire. "You may be the greatest hacker in the world, but if you can't turn this into a readable, consistent report of what you did and how you did it, so that the client can trace, copy your attack, and then fix it, in the end, it doesn't matter," she says.

As Daniel Wood, head of product security at Unqork, says, "It's incredibly important that you can transform technical security risk into business risk. This means understanding organizations, their business use cases, and the impact that a technical vulnerability can have on their ability to operate, the privacy of their data, and ultimately the security of their customers."

These communication skills are especially important because of the sensitive nature of the business of ethical hackers: remember, if you manage to hack the target system, you will potentially embarrass some employees of the client company.

"Unlike hackers trying to exploit a vulnerability, white hat hackers work with a third party with the intention of improving the cybersecurity of a given product," says CyberMDX's Luz. "While you are ultimately on their side and trying to help, the challenge here is to communicate bad news - to communicate vulnerability - while maintaining a positive atmosphere in the discussion that leads to a collaborative working relationship."

This good working relationship is also important in your own team. "Being able to work with colleagues is very important because you don't know everything," says Coalfire's DeMercurio. "The opportunity to learn and help each other grow - that's what we mean by 'it takes a whole village'. Lone Rangers quickly fall behind those who work well together."

And your allies should go beyond just the people who work for your company. "One of the most important parts of penetration testing that you need to understand is the community that surrounds it," says F-Secure's LaRose. "The offensive security community is one of the most cohesive in the world, and almost everything we do is based on the work of countless other members of our community. Being able to interact with the community, learn from it, and contribute to it is all the skills every pentester needs to succeed."

Ethics. This may seem obvious, since the word "ethical" is directly contained in the description of the profession. But the truth is that the pentester has a lot of responsibility and power, and it's important to make sure that they don't abuse it.

Heather Neumeister is Director of Human Resources at NetSPI, which specializes in penetration testing and attack management. "The candidate's ethics assessment is based on both experience and personal assessment," she explains. "When ethics and morals are part of the criteria being considered for a new hire, there will always be an element of intuition. But it's also important to ask questions about why someone decided to go to the pentesters, as it's common to quickly determine a person's intentions during the initial conversation. To find people with strong ethical and moral principles, it may be helpful to look at the candidate's activities in the broader community. Elective studies and non-profit work, public research, and open source participation can be useful indicators of a higher ethical standard, as it often happens that those who choose to benefit the security industry without personal gain are truly committed to ethical behavior."

Of course, ethics and the law are not exactly the same thing, and no matter how strictly you adhere to ethical standards, you need to make sure that you stay on the right side of the law. This is especially true in the world of penetration testing, where legitimacy can be blurred and customer egos can be hurt, says Michael Jeffcoat, founder of the Jeffcoat Firm. Jeffcoat is an insurance attorney who has worked closely with several ethical hackers over the years. "The lack of a generally accepted legal framework makes such hackers prone to legal action," he explains. "Although ethical hackers may have a contract stating that their employers specifically asked them to break into their systems, the employer can still file a lawsuit if they believe that the hacker carried out the attacks on their own."

To avoid such problems, he advises pentesters to have a good knowledge of the relevant law, a good lawyer, or both. "Ethical hackers should read their project contracts carefully," he says. "All agreements must clearly specify the scope and limitations of the penetration testing services ordered. Remember: explicit details do not allow you to interpret subject contracts."

A few proud hackers

The qualities described here, which combine technical savvy, out-of-the-box thinking, social skills, and teamwork skills, may seem like a daunting task. But it also explains why ethical hackers seem to be more important than ordinary security employees.

"A decent hacker who likes people, trusts them, and likes to talk to them is the most dangerous and sought-after of them all," explains DeMercurio. "Why? Because this is a person who sneaks into a building, forces someone to hand them the keys to the data cabinet, and then leaves them alone because they are trustworthy. This is what you should strive to be, and this is what you need. Companies should be afraid of people. Luckily for them, we are white hackers."

Written by Josh Fruhlinger
 