Started from the Bottom, Now We're Here (My Journey into Penetration Testing)
Nothing like opening up your blog with a line from a sub-par artist… but it is catchy.
I’ve been asked numerous times how I entered the mythical world of ethical hacking / penetration testing. From the outside, it seems like the field requires a vast wealth of knowledge or a red pill provided by Morpheus. In reality, this isn’t the case, or else I would not be doing what I love to do. The primary thing that this field requires, in my personal opinion, is perseverance.
Never have I walked into a room full of tech geeks and been able to proclaim expert level status on any one subject in particular. My knowledge of technology has taken the path breadth versus depth. However, when posed with a challenge, I feel that I am competent and persistent enough to come to a solution given adequate time. Every client engagement requires learning something new, and in this field, it has to be understood that no person is omniscient. The ability to stare at something you don’t know or understand and slowly work out how it functions, why it functions, and question the design of something you aren’t an expert in is, in essence, the foundation of penetration testing.
To (finally) answer the question this post is based off of, below is how I made my way into penetration testing. There is no recipe, everyone has their own path, but all of them require persistence.
Note – if you do not want to read a few paragraphs, continue to the end for a TL;DR/Conclusion overview.
In high school I was presented with the opportunity for dual enrollment into a technology program at the local university. It was there that I met my first professor, mentor, and friend who aided in my understanding of networking and hardware technologies. Prior to that, I had only dabbled with programming via video game SecondLife. My professor introduced me into manipulating network protocols based on understanding how they functioned and then pondering flaws in the design (n00b alert, this is where I learned about arp poisoning and MiTM attacks). This set the motion for me wanting to understand more about, well, everything I didn’t know about technology.
Continuing Education – Computer Science over CIS
Ending high school, I had surface knowledge of how to program in Java, had my CompTIA A+ certification, and had failed to obtain my CompTIA Net+ certification (gah). I knew that I wanted to get into ethical hacking but I had no experience. Searching forums for people to teach me or reading new exploitation techniques seemed futile, as most of it went over my head. So where do I start… well, off to college to pursue a degree in something computer related. A question posed by the head of my university’s I.T. Security was “do you want to understand how to configure a security appliance, or do you want to understand how that security appliance may function underneath the hood?” Well, I wanted to know what was under the hood, and therefore was advised to go into Computer Science instead of Information Systems (CIS). From there, I took a plethora of software development, assembly, computer architectural design, and networking courses. I additionally enrolled in every security related course the university had to offer. Overall, this was enough to get a breadth of how computers and programs functioned. Through coursework alone, ethical hacking techniques were never taught. This is where the extra perseverance came into play. I started a club of like-minded security individuals and attempted to teach what I knew about ethical hacking. During this, I learned the CIS students had a better understanding of different software used in corporate environments and how to better configure network security, while the CS students quickly grasped how a buffer overflow exploit worked. Here, a moment of self realization set in, I had no knowledge of “Enterprise Security”. How could I hack into a company if I lacked knowledge of security implementation and best practices on enterprise networks and systems?
The Internship / First Job
Instead of pursuing a security internship, I chose to learn more about networking, system administration, and get in some DevOp work as a Linux/UNIX Systems Administrator for a large company. By expressing my interest in security to management, I was assigned the project of developing security hardening standards for a mammoth-sized Linux environment. Here I was able to study enterprise network and system configuration while observing flaws in design and company processes. While dropping the latest exploit for system access may seem sexy, many companies can be thwarted due to poor security procedures and system standards in place. This internship opened my eyes to such and increased my Linux-Foo.
Working as a Linux Sysadmin was a good stepping stool, but it was time to move on. I kept my ears and eyes open for an opportunity to shift into an enterprise security role at a new company. I specifically searched for opportunities within other industries and outside of my current employer, as I felt that the additional knowledge gained from a new industry would be beneficial for penetration testing. Sure enough, I landed a security analyst role in the financial industry. Here I learned about different compliance regulations, how to write security policies and procedures, and was also allowed to conduct network, social engineering, and physical penetration testing when time permitted. While penetration testing was not my primary role, I was able to display the need for internal testing, thus being granted authorization to do such on top of my normal work. After months of self-taught exercises and research, both at work and outside of work, I decided I needed further education in penetration testing. Online searching indicated that the Offensive Security Certified Professional (OSCP) certification was superior in terms of hands-on training compared to the GPEN, CEH, etc. Therefore, I took this course, and it was the best decision for my career to date.
Taking the OSCP
Disclaimer: This course will consume all of your free time and requires patience from both your family, friends, and yourself. I bought 3 months of this course and completed it outside of work. To ensure I was not distracted and could get maximum benefit, I worked my 8-hour day at the office and then stayed at the office for another 5-6 hours each night to work on the course. Weekends consisted of 12-hour sessions on Saturday and sometimes Sunday. My wife was very supportive of my efforts, which made this possible, because this course literally consumed all of my free time for three months. I refused to take the exam prior to popping (successfully gaining access to) all 50 hosts the course had to offer. At the end of the course I was presented with a 24-hour exam which took 20 hours of straight effort to achieve a passing grade on the first attempt. Overall, this course was by far the most educational experience in penetration testing/ethical hacking that I have received to date. With this certification in hand, I set off to find a job as an entry-level penetration tester. This process took months of patiently looking for available opportunities. In the meanwhile, I worked on open source projects and continued my own personal research and development.
After months of searching and interviews with different companies, I landed my job at Rapid7 under their new Security Analyst program. This program was designed to bring entry level penetration testers into the field and allow them to train under senior level employees. I had a few other offers to become an intro-level penetration tester for other consulting agencies, but Rapid7 seemed like the most promising opportunity for career growth, so I took it.
TL;DR / Conclusion
At age 23, I was able to make it into the field of penetration testing as a consultant for companies. It simply required dedication and perseverance along with a willingness to learn. My personal path was to simply learn everything I could about different areas of computing through not being afraid to change jobs and seeking out courses/programs which would further my goal. A degree in Computer Science coupled with extra curricular security activities, a job as a Linux Sysadmin for two years, a job as a security analyst for a year in an entirely new industry, finished off with my OSCP allowed me to get my foot in the door. While some people may say that changing jobs on a yearly basis is bad for your resume, I found each job to be a stepping stool for my personal growth. If you present it that way, recruiters may overlook the fact that you have changed jobs frequently (PS. do not constantly change jobs with the sole purpose of monetary gain…).
In the end, study hard. Teach yourself something new. Question the way everything works, and seek to understand it even if you do not have the slightest clue of where to begin (such lessons usually teach the most). Certifications and a few titles on your resume which demonstrate security understanding are required, so position yourself to obtain such. And in the end, if you truly love this field and can demonstrate some proficiency in it, you will find an opportunity to get your foot in the door.