I entered into school with the hope and dream of someday entering into the information security industry. I obtained a Bachelors of Science in Information Assurance with a focus on Network Security from Eastern Michigan University in December 2010. During my time there I walked into every class absorbing every bit of information I could, then I went home and set up my own environments to play with. My career goal was penetration testing. It didn’t start that way, but listening to all the podcasts from industry leaders like Space Rogue, Chris Nickerson, and Paul Asadoorian helped inspire me to seriously examine this role as a career. With every NotACon, HOPE, DEFCON, and BSides that I attended I became more certain that this was in fact the life for me. So I went to my advisors and asked them how to get to point B and began a somewhat accurate path towards that end.
Knowledge I gained from classes is very important. Sometimes you might hear “Oh I’ll never use this <insert archaic method from an older book> in the real world”, but lo and behold someone decided that it was a fantastic idea to use that method in their production environment and the only reason I know what it is without having to research it is because some old guy in a polo decided to write about it. Not that it’s wrong to use older methods; they were ‘secure’ and valid at one point in someone’s career. What is a bad and insecure configuration now was either the only way to accomplish a certain goal or the best practice at the time. This is the evolution of technology; things change, and we have to change our methods with them.
If it weren’t for my professors teaching me how NetBIOS worked, the difference between routing and routed protocols, active directory management, linux configuration, or how to understand subnetting, I seriously doubt I’d be posting here right now. While there are a significant number of self-taught geniuses out there, I am not one of them. Everyone learns in his or her own way and when just starting out in this field of study, I wanted and needed guidance. Learning firewall and network configuration gives you insight as to why you can’t connect to port 445 to another machine on a different subnet. Configuring AD properly tells you what decisions an administrator might have made that could let you do enumeration or privilege escalation. These are all critical skills and knowledge that a penetration tester has to have in order to get in while causing the least amount of harm along the way. Academia taught me these things.
The issue with academia is well known; most of the time it’s the former professional or academic looking from the outside in on an industry making inferences on how to get in or drawing from experience on how they broke in. Most of the time these great minds lack current knowledge on what’s needed to perform a job role. This is not to say that academia is useless for getting a job, but it is to say that professors are only one part of the equation in getting in. Community involvement is extremely important, and academia might be what teaches you how to speak that langue that the community uses. Schools can’t and won’t force you go to your local 2600/DCXXX meeting, drive out to DEFCON with a guy you just met, or hang out in IRC channels.
Academia teaches you all these skills, gives you the opportunities to meet people interested in the same things, and gives you a place to play with techie toys, so what doesn’t it give you? Real world expectations, and yes that’s somewhat obvious, but being able to understand what the differences between your test network when you’re running ms08-067 against your unpatched version of win2k3 and what a client is expecting from you on their network is a very difficult leap to make.
A few things I was told within the first week that I’ve found very valuable over the past few months are:
- Don’t run wild with exploit frameworks against a clients network as there are safe and unsafe exploits that could seriously damage infrastructure availability
- Stay in touch with the client constantly, be available at all times and make sure you’re receptive to their needs
- Build a trusting relationship, you are on their side and you want them to know that you feel their pain right along with them as though this network was your own, after all you’ve probably been there
- Be methodical and check everything you possibly can in the amount of time you have
- Set expectations with every client every time
- Passion is an expectation, not an exception
A few things I’ve learned on my own since my start with Trustwave SpiderLabs:
- Being in the office is the exception, and not the norm. We work at interesting times of the day and night, usually when users are active or database copies are going on
- Tools are very fallible, just because it works with one environment doesn’t mean it will work with a similar environment
- Tools are about 25% of what’s necessary to do your job, the other 75% is between knowing what to look for, knowing how to work with people, continually growing as a consultant, and being accurate
The creative thought process and passion are what’s key to being successful. These are the foundations of the hacker spirit. A hacker is not a title one receives when one obtains a diploma; a hacker is born and drawn into this lifestyle no matter the path.
While you can build a process by doing things over and over and making mistakes, and then fixing those mistakes, are you thinking about what you’re doing or what that tool you just launched against the clients AD server is doing? Always think about the impact, try to come up with a better way of doing things, and always be learning. I can learn how to config a router from my into to networking class, but researching different methods, thinking about the path the packets are taking, and determining a better method will always be what I should do. Academia teaches you how to do, not necessarily how to think. Academia cannot give you passion, you have to be able to summon that from within. You have to accept that there will be weeks where you can’t go out with friends, or can’t see your kids the way you’d like. You’re going to fall flat on your face, you’re going to be an intermittent hermit, you’re going to learn to code, schmooze, and eat all while troubleshooting a clients network because your connection is getting dropped. Conferences are your vacation, manuals are your bedtime stories, and if their not, you’re probably not a pen tester.
With all that being said, always schedule time for yourself.
Feel free to contact me with feedback on this post.
This is by no means a primer on how to get hired at Trustwave SpiderLabs. To quote our Director:”You can teach a hacker how to be a consultant but you can’t teach a consultant how to be a hacker."