“How do I get started in ethical hacking, penetration testing, or red teaming?” I get this question all the time. Whether you are getting into vulnerability management, wanting to find 0day vulnerabilities and cash in on bug bounty, or want to join a red team to emulate adversaries against your organization, this FAQ is for you. A quick shout out and acknowledgement to Katie Nickels that posted a similar post on Getting Started in Cyber Threat Intelligence. Katie is a leader in our industry and you should follow her on Twitter.
How did you get started in Ethical Hacking?
This is a great question that will receive a different answer from each person you ask (because we are all unique). However, the root of that answer is similar: you must understand how something works to be able to manipulate it outside of how it was designed, i.e. hacking! Apart from the technical side, it is important to always provide business value. Going “full cyber warz!” and pwning everything with no business context nor a desire to help organizations get better, is not the way to get ahead in this field.
My path as an example: System Administrator -> Security Operations Center Analyst -> Vulnerability Assessment Analyst -> Penetration Tester -> Red Teamer
I started my professional career as a system administrator at a small and medium business (SMB) consulting company. I was in charge of understanding SMB requirements for their technology stack and supporting their end users with technical support. From there I took a gig at Florida International University (FIU) performing the Active Directory migration from Windows NT. This was my first experience at a large scale (about 5000 systems had to be migrated). Then I attended the FIU job fair and interviewed for an intern job at Terremark. Given my experience, I was offered the role of a Junior System Administrator where I supported 700 users and 60 servers. Terremark had an amazing information security team doing everything from Security Operations Center (SOC) to forensics and penetration testing.
I asked the security team the right questions and they offered me a job as a SOC analyst. I had the opportunity to defend private and public organizations including but not limited to whitehouse.gov, VA.gov, DOT.gov, and GSA.gov. It was a constant battle against adversaries. The biggest, and most public one was the 2009 Independence Day Distributed Denial of Service attack.
Networking is very important so check out your local organizations and attend/socialize. Due to networking with the South Florida ISSA, I was referred to a job as a vulnerability assessment analyst at Citi. I was fortunate enough to be hired to a relatively new, internal ethical hacking team. Having been a Management Information Systems major/master, I focused on providing business value in all my assessments. Within a couple of years and due to the reputation of the team and results we delivered, we proposed Penetration Testing (exploitation in production). Five years ago, we noticed that attackers were not just going after technology, but also people. This led me to propose the Red Team function. Within a couple of years, we noticed that we had to collaborate with the Blue Team to provide the most value from a Red Team perspective and that is when I found myself collaborating to create the Purple Team process.
How do I get into the offensive security field?
There are many ways into the offensive security field. At the core, the understanding of how technology and people function is important. Then it depends what your background is and what assessment type you would like to perform the most of. Often you will be asked to do other types of ethical hacking you may not love, but an understanding of all of them will help significantly.
Vulnerability Scanning/Assessment/Management: you will be in charge of safely running vulnerability scans against company assets such as networked devices and web applications. Experience can be learned at home using the free Nessus Essentials. For vulnerability assessment, you will need to validate the vulnerabilities and calculate the risk. Leverage the Common Vulnerability Scoring System as the industry standard and be sure to learn how to calculate the temporal and environmental scores. Vulnerability Management is much harder at scale. Experience with system and network administration will help you get to this role which is often an excellent starting point.
Penetration Testing: Penetration Testing generally comes after vulnerability scanning and vulnerability assessment. The main differentiator is the exploitation of vulnerabilities (not just verification). Learning exploit frameworks like Metasploit is a great way to get your feet wet in this area; I highly recommend the free Metasploit Unleashed. Penetration Testing also requires knowledge of the underlying technology you will be up against as you test the defenses.
Bug Bounty: You may also be interested in finding vulnerabilities in an organization’s infrastructure, applications, or products. Bug Bounties that fall in between penetration testing and vulnerability research space. The later portion of Metasploit Unleashed goes into fuzzing and discovering unknown vulnerabilities. There are many resources in the bug bounty space such as The Bug Hunter's Methodology by @jhaddix
Vulnerability Research/Exploit Development: This area is in the more advanced space and probably not where you will start off unless you have experience developing. If you want to find vulnerabilities that are not known, then understanding the technology is very important. For writing proof of concept code and developing reliable exploits, knowledge in assembly, coding, and how CPU and memory functions is important. This is an area where a class/formal training may help; at least it did for me when I took SEC660 and SEC760.
Red Team: an adversary mindset and the thought process of testing assumptions is the biggest learning curve for being a red teamer. Learn how attackers function and always asking “how” and “why” will get you into this mind set. An understanding of MITRE ATT&CK is important as the industry standard for Adversary Tactics and Techniques. In addition, a red teamer will generally find methods of performing actions that may not be known to the industry. An underlying knowledge of things like Command and Control frameworks will go a long way. Check out the C2 Matrix and the How-To resources which are free and can help you setup a lab environment with multiple virtual machines and attack tools.
Adversary Emulation: a type of ethical hacking engagement where a Red Team imitates how an attacker operates. Rather than focusing on attacks less likely to occur, these engagements draw upon Cyber Threat Intelligence to identify adversaries with the intent, opportunity, and capability to attack. Getting into Adversary Emulation from the ethical hacking side is similar as getting into Red Teaming. SCYTHE offers free hands-on workshops to perform adversary emulations against an isolated environment.
Purple Team: a virtual team made up of Cyber Threat Intelligence, Red Team, and the Blue Team. A Purple Team Exercise is an open engagement where the attack activity is exposed and explained to the Blue Team as it occurs. Again, this is a type of ethical hacking engagement that is similar to break into as red teaming. SCYTHE offers free hands-on workshops for those wanting to do purple teaming.
What degrees, training, or certifications do I need?
When I am looking to hire, I generally look for a balance between experience, degrees/training, and certifications. Each employer is different and some have various requirements:
Degrees: Some organizations, like financial institutions, require bachelor’s degrees for certain pay levels. Given that information security is relatively well paid, these positions often require bachelor’s degrees. While I am not a fan of such requirements, one must understand that they still exist. Investing in a college education is expensive and may not be worth the debt. If you are considering a degree, any one should be able to help with the “bachelor requirement” but since you want to learn then consider Computer Science, Computing Engineering, or Management Information Systems. If you already have a bachelor’s degree and are considering post-graduate, check out graduate certificates. I took the Stanford Advanced Computer Security Certificate and heard very good things about the SANS STI.
Training: Training does not mean you have to pay; there are a number of free offerings to get training. I already mentioned the free Metasploit Unleashed and SCYTHE also offers a Free 2 hour hands-on Purple Team workshop. Attending conferences are great ways to learn and also get CPE for certain certifications. Formal training is a great addition to your resume but may require an investment. There are multiple trainings that do not have a certification that can be considered at a lower cost such as SANS SEC564: Red Team Exercises and Adversary Emulation.There are also many conference you can attend that host great talks and workshops such as GRIMMCon, WWHF, Bsides, UniCon, and the Purple Team Summit.
Certifications: Certifications may require a training course or you can take the exam (generally for a higher price). This will depend on your experience and what you want to learn. Don’t feel you need to get a certificate for “street cred”. Instead, consider taking a training and certificate for something you truly want to learn about. I personally began with the Security+ when I was learning about information security, then I took the GCIH when I was in the Security Operations Center role, and then took the GPEN when I got into ethical hacking. The OSCP is also a great cost-effective training and certification but requires significant time management discipline.
What types of organizations hire Ethical Hackers?
Corporations: Companies are building internal ethical hacking functions that include vulnerability assessment, management, penetration testing, and red teaming. Depending on the size and security investment, anywhere from medium to large enterprise may have these roles available. Look on job sites for the words vulnerability, penetration testing, red team, and ethical hacking. Some organizations call these roles security assessment so be on the lookout for those as well. As you can imagine, these roles are focused on attacking your own organization. This allows one to learn more about how a company works, the goals, and provide the most business value.
Consulting: There are many consulting companies that perform offensive security services. Our sister company, GRIMM, has an extensive Red Team. Consulting companies provide ethical hacking assessments to other organizations. The benefit here is that you get to test new people, process, and technology on a per-assessment basis. As usual, always try to understand the client so you can provide the most value.
What if I am an Underrepresented Minority?
We are here to help. SCYTHE walks the walk and hires a diverse group of people that come from all parts of the world. We have gone through these struggles and this is why it is in our DNA to give back to the community and engage with you, yes, YOU! I am an immigrant from Venezuela and have experienced some challenges to find my way in the industry. As a hiring manager, I pushed to build a diverse team and be inclusive to EVERYONE. If you feel stuck, please reach out to me or anyone on the SCYTHE team or a number of great resources in the community. We can help make a connection, offer advice, or help you any way we can.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.