A Career in Offensive Security (Penetration testing/Red teaming)
Author Swetha Kannan
A Penetration Tester is a security professional hired by a company to assess its information security defenses and find vulnerabilities. That can mean network, application, or even physical security (for example, gaining access to buildings). Pentesters may also try to gain access to a system through social engineering techniques like phishing, impersonation, or elicitation.
Basically, a penetration tester is a hacker hired by a company to help defend against other hackers. It’s a lucrative, challenging line of work that’s currently in high demand.
For anyone with dreams of becoming a Pentester, just note that it’s a journey. It takes years to build the necessary experience and knowledge to become a penetration tester.
Steps to Becoming a Penetration Tester
Like most security jobs, penetration testers end up in their position after years of experience in other technical roles like network engineer, sysadmin, or software engineer. To become a penetration tester it's necessary to have a good technical foundation.
Step 1: Strengthen computer networking basics
Begin by reading about the subject. Use articles, textbooks and guides, and find videos on the subject, not just on pentesting but on general cybersecurity practice, roles and research.
As a beginner you must be familiar with the basics of:
Cybersecurity: Techniques, tricks, vectors, threat profiles and the anatomy of cyberattacks.
Hardware and networks
Operating systems, databases
Applications, including web apps and APIs
Job experience in roles such as sysadmin or network technician will help you build a good foundation for a future pentesting position. In a technical role, you'll gain a thorough practical understanding of how networks, applications, and systems work. Once you know how they work and interact with each other, it's easier to defend and secure them. Programming and/or scripting knowledge is a huge plus, but is not mandatory for entry-level roles. If you want to differentiate yourself from the crowd, start learning scripting.
Those initial years will also allow you to take on security tasks and build your security resume. It may not be penetration testing right away. Instead, it might be running vulnerability scans, log analysis, maintaining a risk register, implementing security in the SDLC, etc. Use your current job to get security experience and add those skills to your resume.
Step 2: Learn the Tools of the Trade: Kali Linux
The journey to becoming a penetration tester inevitably runs through Kali Linux. Kali Linux is a free Linux distro designed for and by penetration testers. Kali Linux has hundreds of penetration testing tools and is constantly updated by the Offensive Security Community.
When first encountering Kali, it can be overwhelming. Set up a home lab and get your hands dirty: you will learn far more than by simply watching videos or training courses.
Alternatively, you can use Parrot OS, which also ships a vast array of hacking tools.
Some of the most commonly used tools are:
Nmap is probably the most used tool in a white hat hacker's toolbox. Nmap is a network mapper: it discovers live hosts, scans them for open ports, and can identify the service and version listening on each open port. Open ports are where most of a penetration tester's work begins.
Browsers and other clients are constantly sending requests to web applications, and those requests sometimes carry valuable information such as session tokens or credentials. Burp Suite is an intercepting proxy: it sits between your browser and the application, captures each request so you can inspect and modify it before it is sent, lets you replay it, and lets you examine the payloads for information you can use elsewhere.
SQLmap automates the detection and exploitation of SQL injection flaws.
The Metasploit Framework is an open-source penetration testing and exploit development platform that provides exploits for a variety of applications, operating systems and platforms.
Metasploit is one of the most commonly used penetration testing tools and comes built into Kali Linux. The main components of the Metasploit Framework are called modules. Modules are standalone pieces of code that provide a unit of functionality to Metasploit.
There are six module types: exploits, payloads, auxiliary, nops, post, and encoders. An exploit module delivers a payload module to the target; auxiliary modules cover scanning, fuzzing and other tasks that do not involve a payload; post modules run on a host you have already compromised; encoders and nops transform payloads.
Remember that these aren’t fire-and-forget tools. You have to understand how they work, where to deploy them, and often how to interpret the output they produce.
Now that you know which tools to use, go and find a place to (legally) use them.
Step 3: Get Pen Testing Experience
Now you have a couple of years of technical experience. You should have already started taking on security tasks at work. Now, you’ve got a Kali box, hacking tools, and an itchy trigger finger.
Here's the disclaimer: attempting to gain unauthorized access to a computer system is illegal.
But hands-on experience is essential when learning any new skill, and that's particularly true of penetration testing. Here are a few ways to practise the tools in a lab environment.
There's no better way to both learn and apply penetration testing skills than under the watchful eye of an instructor. Cybersecurity bootcamps like the one offered by QuickStart build their penetration testing curriculum around lab environments. Penetration testing is difficult, and qualified instructors can teach you the basics in as few as five days.
There are a number of excellent penetration testing lab products out there. Lab environments are built by training companies as challenges that simulate the common vulnerabilities you'll find out in the wild. The most popular lab environments for newbies as well as professionals are TryHackMe and Hack The Box, both of which offer free and paid tiers of pen testing challenges.
The challenges range from beginner to advanced, with new ones added regularly. In addition to the challenges, you get access to a community with points, badges, and rewards. Dedicated web application lab platforms exist as well.
Capture the Flag Competitions
Capture the Flag (CTF) competitions are essentially gamified lab environments. Competitors hunt for a "flag", which might be a piece of data or a credential hidden in the lab environment. In order to "capture" the "flag", you'll need to complete a series of increasingly difficult challenges that fall into five categories:
Set up your home lab
Set up your own network/home lab environment and use free tools (Nmap, Burp Suite, and other enumeration tools) against it. With that said, don't point any of the Kali exploitation tools at anything that you don't own, and be careful even inside your lab: exploits can crash the systems they target.
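The Nmap description in Step 2 and the home-lab advice above come down to the same workflow: decide what you are allowed to scan, scan only that, and read the output. The script below is an added example written for this page; it is not code from the original article or from the Nmap project. The SCOPE addresses and the sample grepable output are constructed lab data, and the only nmap options it relies on are the real `-sV` (service/version detection) and `-oG -` (grepable output to stdout).

```sh
#!/bin/sh
# Added example (not from the article, not part of nmap): a scope-checked
# wrapper around an nmap scan of a home lab, plus a parser for nmap's
# "grepable" output. Every address below is a constructed lab address.
set -eu

# Allowlist of targets you own or are authorised to test. An entry ending in
# "." is a prefix that covers a whole lab subnet (e.g. 192.168.56. for a
# VirtualBox host-only network); anything else must match exactly.
SCOPE="${SCOPE:-10.0.0.5 10.0.0.6 192.168.56.}"

# in_scope HOST: succeed (return 0) only if HOST is covered by SCOPE.
in_scope() {
  for entry in $SCOPE; do
    case "$entry" in
      *.) case "$1" in "$entry"*) return 0 ;; esac ;;
      *)  [ "$1" = "$entry" ] && return 0 ;;
    esac
  done
  return 1
}

# open_ports: read nmap -oG output on stdin and print one line per open port:
#   HOST PORT/PROTO SERVICE [VERSION]
# A -oG "Host:" line is tab-separated; its "Ports:" field lists entries of
# the form port/state/proto/owner/service/rpc/version/ separated by ", ".
open_ports() {
  awk -F'\t' '
    /^Host: / {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] != "open") continue
        line = host " " f[1] "/" f[3] " " f[5]
        if (f[7] != "") line = line " " f[7]
        print line
      }
    }'
}

# scan HOST: refuse anything outside SCOPE, otherwise run a service/version
# scan (-sV) with grepable output on stdout (-oG -) and summarise it.
scan() {
  if ! in_scope "$1"; then
    printf 'refusing to scan %s: not in SCOPE\n' "$1" >&2
    return 1
  fi
  nmap -sV -oG - "$1" | open_ports
}

# Constructed sample of what nmap -sV -oG - prints for two lab hosts (one with
# three scanned ports, one with none), so the parser can be exercised offline.
SAMPLE_GREPABLE="$(printf '%s\t%s\t%s\n%s\t%s' \
  'Host: 10.0.0.5 ()' \
  'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///' \
  'Ignored State: filtered (997)' \
  'Host: 10.0.0.6 ()' 'Status: Up')"

# Offline demonstration: parse the sample, then show the scope check refusing
# a public address. Running "scan 10.0.0.5" against a real lab host applies
# the same parsing to live nmap output.
printf '%s\n' "$SAMPLE_GREPABLE" | open_ports
scan 8.8.8.8 || true
```

The scope check is the part worth copying: keeping an explicit allowlist in the wrapper, rather than in your head, is what stops a typo in an address from turning a lab exercise into an unauthorised scan. Exact matches and subnet prefixes are enough for a home lab; for client work you would load the signed scope document into that list and nothing else.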
Step 4: Earn a Penetration Testing Certification
Certifications are a straightforward way both to learn a skill and to validate it. By studying for and earning a certification, you have evidence that you have the skills. And there are a few penetration testing certifications to choose from.
While it may not seem like Network+ is a penetration testing certification, it's a common entry point into the world of offensive security, particularly if you're coming from a system or engineering background. It's very rare that you'll have physical access to the machine you are testing. Instead, you'll be hunting for vulnerabilities over the network, whether remotely across the internet (just like an attacker) or from inside the client's LAN. That means you need strong fundamental networking skills: many exploits depend on understanding protocols, addressing and routing, and the Network+ validates exactly those fundamentals.
Admittedly, the Security+ doesn’t mean much on your penetration testing resume. After all, it’s an entry-level security exam, but that’s exactly the point. As we discussed earlier, most IT professionals don’t go straight into security. The typical career progression into security stems from a non-security role. You build your security resume, then move laterally into security — and proving your initial commitment to security often starts with an entry-level security certification like Security+.
The PenTest+ is a theoretical exam with a handful of performance-based questions, so it’s not as intimidating as the CEH Practical and OSCP. Yet the PenTest+ is still an excellent option for anyone looking at penetration testing as a career. Just like how Security+ proves your initial commitment to the security field, PenTest+ serves as a waypoint in your career and certification pathway. For those seriously considering a career in pentesting, you’ll likely want the CEH or OSCP.
Certified Ethical Hacker Practical
The CEH Practical exam is the EC-Council’s answer to the OSCP or other hands-on offensive security exams. The CEH Practical exam tests technical offensive security skills in a massive virtual environment. It’s not as long or rigorous as the OSCP, which is notorious both in difficulty and length, but still a well-respected cert in the security community. There are key differences between the CEH and OSCP, which are covered in another blog post: CEH vs OSCP: Which to Choose.
The OSCP is widely regarded as the gold standard among penetration testing certifications. Pentesters who earn this certification must pass a 24-hour practical exam in which they attempt to compromise as many systems as possible in an emulated environment. It's a grueling, notorious exam, but passing it is respected throughout the industry.
Step 5: Getting your foot in the door (of penetration testing jobs)
Once you are ready to become a paid penetration tester, start applying for jobs. Leverage your professional network, and get help from mentors and cybersecurity communities to land interviews. There are several cybersecurity nonprofits that support beginners and minorities; join these communities and benefit from their offerings, and pay it forward in the future. Apply for internships and apprenticeships, prove your worth, and the much-desired pentester role will follow. Penetration testing is not a career for the fainthearted, as it takes dedication to do it well. If you are drawn to the challenge of hunting for weaknesses before an attacker does, it can be an exceptional career.
Becoming a Penetration Tester
To become a Penetration Tester means thinking like a hacker. It means using the same tools as a hacker. It is, in effect, becoming a hacker, albeit one who works for the defenders against malicious actors.
It’s a difficult profession because it combines so many different aspects of IT: networking, systems, applications, hardware, and code. Penetration testing truly bridges the gap between technical knowledge and technical ability. It combines considerable knowledge with technical prowess — and creativity.
Penetration Tester roles and responsibilities
Penetration Testers may be employed in-house, sitting within an organization's security team, or by a consultancy that tests its clients' systems. Penetration testing is not just about finding flaws in networks and web apps. It is also about communicating your findings, both to team members and to management in other departments.
A Pentester’s day-to-day activities involve the following