Cyber 201: What is Penetration Testing?
When people think of cybersecurity, the first thing that comes to mind for many of them is penetration testing. Like a Wu Tang rapper, this cybersecurity specialty is known by many names, including ethical hacking, vulnerability assessment, and Red Teaming. The basic premise is that penetration testers (or pentesters) are good guys, who get paid to act like bad guys, without the pesky hassle of potential lawsuits and prison. What do pentesters actually do? The core of their mission is to find exploitable system vulnerabilities, process gaps, and flaws, so organizations can fix them before threat actors find them.
What is a Hacker?
The term hacker is widely used and misused, particularly in the media. A lot of definitions you’ll find imply an inherently nefarious character. They suggest that hacking is by definition synonymous with cybercrime. Technology writer Kamran Sharief provides a more extensive definition. He explains, “The term hacker refers to a computer expert. The concept has two primary meanings since it can refer to a hacker (a person who illegally accesses a system to take control or obtain private data) or an expert who is responsible for protecting and improving computer security.”
In practice you won’t hear the term hacker used very often in cybersecurity. It’s a little one-dimensional. More often you’ll hear cybersecurity professionals refer to penetration testers (good guys) and threat actors (bad guys).
Internal vs External
Internal penetration testing teams are more likely to be found in large organizations. They are an indicator of a well-budgeted, mature cybersecurity organization. Smaller organizations will often outsource their penetration testing requirements to external firms.
As with all things in life, there’s a trade-off between working in external or internal pentesting roles. Joining a penetration testing firm (external) may offer you a less “buttoned up” work environment. You’ll undoubtedly gain experience against a wide variety of companies in a number of industries. These external firms may give you more room to harness your inner pirate.
Joining a penetration testing team for a large organization (internal) can provide opportunities to test more complex corporate environments. There are opportunities to work with the Blue Team to identify things that need to be fixed (i.e., Purple Team). You might even get nicer toys to play with.
Red Team vs Blue Team
If you spend any time hanging around pentesters, you’ll undoubtedly hear references to Red Team and Blue Team. Cybersecurity borrows liberally from military concepts and terminology. The Red Team/Blue Team concept is a perfect example.
Military symbology has been used in Europe since the Napoleonic Wars. However, it wasn’t until World War I that England and France—former adversaries turned allies—agreed to use blue for allied symbols and red for adversary symbols. The tradition persists today among NATO militaries.
In cybersecurity terms, Red Team refers to penetration testers and Blue Team refers to security operations (SOC). The two are often pitted against each other during penetration tests or adversary emulation exercises. As you can imagine, nobody likes to lose. This can make for a touchy relationship at times.
Training and Certification
I’m generally a proponent of leveraging certifications to help get past the initial screening to get interviews. Studying for certifications can help, but in pentesting you really need to learn by doing. A good place to start getting your hands dirty is Hack The Box or a similar lab environment. The platform provides you with a number of virtual machines to practice your hacking skills on.
But where can you learn those skills to begin with? The internet is awash with pentesting training, from Udemy to bootcamps to YouTube. The barrier to entry is low. Start with the more economical training options you can find and work your way up from there.
When it comes to certifications there are plenty to choose from. Here are some notable options:
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
The OSCP makes for a pretty solid calling card in the penetration testing community. Unlike many cybersecurity certifications, there’s no multiple-choice test to prove your knowledge. It’s 100% hands-on. OSCP is a 24-hour exam in which people regularly run out of time. It’s definitely not your starting point, but something to work towards. How hard is it? Their motto is “try harder!”
Is Penetration Testing for You?
Start training and pwning boxes early. As Kamran Sharief wrote, “The term hacker refers to a computer expert.” You don’t become an expert by taking a single course… or even a few courses. You become an expert by becoming a student of your craft.
It’s very important to determine whether you actually like pentesting. A lot of people like the idea of penetration testing. To determine if pentesting is really your calling you need to get hands on keyboard. To be honest it’s perfectly fine if penetration testing isn’t your thing. There are a lot of specialties in cybersecurity. Most people in cyber aren’t pentesters.
However, if you get that dopamine rush from struggling through and finally cracking a box you’re not supposed to be able to access, then you just might be a future pentester.