
Hi everyone. So I might start, I might shake. I'm high up on caffeine and adrenaline, so bear with me on that one. As you can tell by the way I'm dressed, I'm from South London, so check for your wallets and your phones. And then there is the other stereotype of, yes, I hear my mom. Well, she lives with me officially and it's my basement, so I can do what I want in there. So today's talk is probably one of the most boring talks you've ever gone to, but it's all informational. What I kind of want to discuss is, when people say hacker, cyber security, pen tester, you get these amazing things that are filmed. I believe one of my friends is doing a talk on that later. You know, you're sitting in a basement, you've got your hood up, you've got loads of caffeine, generally loads of alcohol. And the reality is that that's not true. So we're going to walk through what the expectations are, what the reality is, and then, if you're still kind of interested in the field, if you're not in it already, some steps to kind of progress that other people don't exactly say. They go through the usual do X, Y, Z; I've got a little bit of a different spin on it. So, a little bit about myself. I'm at KPMG. Fortunately there are a few of us around, which is scary, because Monday morning will be interesting.

Okay, so demystifying hacking. So when we get to the expectations, we think they do the cool stuff. We're going to be popping shells. We're going to be dumping the databases. All the things that we read in the newspaper, we think that is what hackers do. You know, finding cross-site scripting, going to take over your account and start buying Roblox. I hope that's right for the young people in the room. You know, we're going to become a domain admin in 15 minutes and take down your entire business. We're going to find zero days people haven't heard of and get paid lots of money. The scary thing is my mother does do that. You get a bit of imposter syndrome when you're listening to your favourite podcast and you hear your brother's name dropped and you're like, I can't even get an XSS. And of course, just domination, if you've watched any film; that sort is my favourite, by the way.

But the reality is we spend a lot of time in meetings. My colleagues will agree with that one. We do a hell of a lot of documentation. Note taking: if you're not taking notes, it's just not worth your sitting there. The engagement part is a very small bit of what we do. Then we've got to do the actual report writing, my favourite thing in the world to do. This is where I procrastinate terribly and I'm up at 10:00 and I need to get this report out because I should have done it 5 hours ago. Then it's the continuous training. It just never stops. You know, today's news is tomorrow's fish paper. It's exactly like that. And then of course there's the stress, the anxiety, and the imposter syndrome. If you're interested in imposter syndrome, I have a talk on that that's up on YouTube. So let me know after and I'll share that with you.

So, scoping. In my first job I just popped up and someone would go, this is where it is, crack on, you've got 5 days and two days to do a report on a black box. Then as you get further into the trials and you get more involved in the entire process, the first bit is the scoping. So this is like the what, the when and the how, basically. So at this point you've got to define the clear objectives from the client. You know, why, what are you doing this test for? Is it a compliance reason? Are you concerned about a particular aspect of this? You know, the same thing as the talk before: we're looking at data privacy. We want to make sure that an attacker can't get everybody's personal data and go, oh, I know where this person lives, I've got photos of them. That might be a clear objective of their thing.

Then we've got the scope and the boundaries. So sometimes you are just in this little pigeonhole. If any of you have ever looked at bug bounty programs, where you're free to go and test the company's web applications or hardware, you'll see a basic scope there. You'll have seen some like, you can only test these functions, you can't test this, you can't do a DoS attack because we don't want to see how we're going to stand up. It's kind of the rules of engagement. And if we come outside of this, well then we're in big trouble. The other scoping documents are legal documentation. It gives us the legal right to test the product. So a lot of the time when I'm doing an engagement, I've got no authorization yet. They go, just crack on. You can take the email. No, because people wouldn't be that mean, but if you took down their website and they turn around and go, well, where's the signed document on the email? Well, that's not a legal authorization, and then technically you are hacking; you could get the Computer Misuse Act involved because I wasn't authorized to test it. You put that on the email and you can get some legal writing, and this is how in depth it becomes with documentation. You know, it's just not, oh, I'm going to go to this website and have a lot of fun.

Talk about the risk management; that's kind of like the rules of engagement. You know, make sure that we're rate-limiting when using a tool, just not hammering the door going, let me in, let me in. Well, we're going to do it slow, because if you go too fast the server could fall through. And if it's a production website, and I'm not saying I've done this, you take down the travel pages before Christmas, things can get a bit difficult. As I said, it's a legal, contractual requirement to cover ourselves and the business that we work for. And then we tailor our methodology. Some companies, some clients will go, we want you to test in this sort of manner, or, you know, here is our own methodology, and they'll go, can we not do that? Can we focus more on this? And then how they want to measure success. For us, success is different from the client. Success for us is, you know, world domination, whereas for them they might deem success as, we got rid of that. Yeah.

Then we get to the engagement, which I've not put anything for, because it's not the whole point of the talk. But just a quick one: you're not always going to find it. It's the worst thing in the world. In my first 3 months I was hardly finding anything. Then I started panicking and I reached out to my manager, like, dude, I don't think I can do this job. And he's like, why? And I walked through it: I've not found an XSS, I've not taken over the web server, what do I do? He laughed and went, that's going to be most of your job here. Don't worry, that just happens. You'll get somebody and they'll dump a database off a website on their first day. You just might not get that for 2 days. It's just the way it goes. Unfortunately, this is the dumb bit.

So now we've hit the engagement, and one of the most important things we've got to do is note taking. Because if we're not taking notes when it comes to the report, the amount of times I've not taken appropriate notes and I've now lost access to the web application, because they go, this is your testing window, and I'm like, ah, I ain't got a screenshot of that issue, how do I... Then I have to go and tell the client and then I don't look very professional. So note taking is one of the key aspects of the engagement. And the important thing is we take evidence whether it worked or it didn't, because then we can prove to the client, this is what we tested. It wasn't just what's here in the report; I actually did the work. It's especially important when you get your report and go, I had two findings. You'll get some clients that will go, that's cool, we weren't expecting you to find much. Others are like, well, we spent 10 grand, oh, what, a 10-page report? And you have to go, well, here's all my notes, these are all the things that I ran, here's proof that I spent 5 days actually doing my job.

The other bit is, you know, reproducibility, or they say verification. So we found an issue, we've got to document how we've done that, so when we write the report and hand it over to the client they can reproduce that themselves and go, okay, yes, this is a problem. Efficiency and time management: it kind of helps because you look and go, I haven't really run much, this is what I've done so far, 2 days in, I'd better pick up a bit. Evidence collection, as I said at the beginning: this is proof that we did run certain tools and we attempted certain attack vectors. We need the evidence that we at least tried. Okay.

Knowledge transfer and learning. Now this is great and very important. In this industry we're always sharing with each other, and when we're doing something on the test and we find something interesting, we get the possibility to internally share with the team. We're always continuously learning. We need to share that with those around us, and it's a natural thing that they share with us and we all become better. There's no competition. And then of course it all comes down to the reporting accuracy. We've got good notes, we can write a report more accurately, instead of, as I said, I don't have that screenshot, can I get away with not putting that in.

And this is my favourite part, the report writing. Like I said, I can be up at 10:00 going, I really should have got this out at 5. But you're sitting there going, I've got to write something off the top of my head. If you've not got a vulnerability database where you just go click, insert this into my template, I just change a couple of screenshots, you can sit there and go, I've got to write five paragraphs on a thing that I know is an issue. I can't communicate that in writing to the client. How do I do this? And I don't know about you, but at that point I just get brain fog and I just sit there twiddling my thumbs and then go for a walk, and I come back and go, just change that font size, instead of sitting there writing that day.

But the report: when I first started, my first manager said to me, this is the most expensive PDF someone has purchased, and if you see the billing at times you can understand why that is. But this is the end product. The client's not interested in the engagement; this is what they're purchasing. They're purchasing this document. So it's where we can communicate the findings that we found and help prioritize the vulnerabilities, because sometimes something might be, this is really bad if this happens, but for someone to go with that attack vector they have to have a high skill set. So the likelihood of that actually happening is very small. So should the client focus on that bit, or should they focus on a medium sort of vulnerability that every man and his dog could do, or scripted? So you kind of go, well, that's a bigger priority for you to focus on. So this is where we come in with severities and likelihood and all the boring stuff. If you want to see an outline of an actual one, go on Google, you can find and see what an official one actually looks like, because I'd never seen one until I had to write my first one, and then you can see how complex they are.

Then we've got to provide remediation guidance. It's no good: okay, well, how do I fix it? Oh, I don't know. We have to provide some sort of guidance. Not always step by step; you know, if it's some programming they've got to do, change a Java file, that's beyond us. But we can guide them in the right direction, provide some links to some resources. Because it's their product, you know, so in depth, they only need their personal knowledge to kind of fix it. But we need to push them in the right direction to get it fixed. Of course, some of the engagements help clients with compliance. Some companies need to get tested once a year if it's to do with their insurance policy. So they'll take this document and go to the insurance company: we've been tested, here's what's outstanding. Which makes it very important on this note: sometimes you'll get pushback from a client, and that's another thing you've got to deal with. I don't believe this, this should be a medium. Like, no, that's the risk rating. Because if it's a high then they're going to end up with issues with their insurance or their management and directors. And like, no, that's on us, because say that company got hacked on that high, but we moved it to medium; the insurance company comes to us: why did you put that as a high? Why did you put that as a medium? Everyone knows it's a high. We're going to make you responsible for this. So it's very important that we record accurately, and all this sort of stuff helps to facilitate decision making within their business. Quite often it helps to establish a baseline, because if I tested one web app and I found all these things, I'm like, this is what you should fix, and then you'll get the baseline: they've probably got other web applications with all the same issues, because it was the same developers that made it, so they made all the same mistakes. And, you know, it helps them continuously improve their own products.

Let me come on to some nice slides. Sometimes I get lucky. I just send off a report on a Friday and I don't hear until next year. Go, hi, I'm cool, how's it going?
>> Up those clients.
I'm old. I don't want to talk to people. So the whole bit of this is to run through the report, because you get to the other end and they look at the report, like, no, that's what this meeting is for, and you're like, it's 92 pages. Okay. So you'll walk through and you're clarifying the findings. Sometimes they have questions on certain findings, or, you know, do we need to fix this and how do we fix that, and can you fix it for us? Can you apply the products that will help us be better secured? Then you get to discuss remediation strategies, what I just touched on. One of the most important things is building trust and a relationship with the client. You know, I've been on the test for 5 days; if I'm not doing the daily call with them, they've got one email from me at the beginning of the test going, I've just started, and then one other at the end going, I've just finished, here's your report. And there's no building a relationship there. And quite often, you know, the clients are looking; it's a test. If it's the first one they've ever done with you, it's a simple test to do. If they do well and we like them, all the work's coming their way. So this is an important part, building a relationship with these individuals. They go a bit faster because they didn't realize. Timeline review: did they find it a success or not? Have feedback from them going, how did we perform? Next time, do they want to be on a call with us? Want some more emails? Then plan your next steps, you know, like, do a retest and go from there.

Then there's the continuous learning, right? So we've got the job, we just have to learn every single day. So you can do many things: YouTube, find some documentation online, or sometimes people do a course. So it's kind of a cycle of pick course, study, exam, and you're done, and then I've got to do it again. What I will say on this is sometimes you just hit a wall. Sometimes I would do three courses in a row and then I don't do anything for 12 months and I'm way behind. You can only fill in so much time of learning. But if you are interested, there is a page that's been set up. Jeremy, Google him. It's got an interactive chart, regardless of what sector of cyber security you'll go in. It's got a list of the most recognized certifications. You put the mouse on it, it gives you a rough cost and lets you know, and then a link. So it's great to find, you know, recognized courses. That's the wrong one.

And one last thing that no one tells you. I can see some G, so I know there's a pentester. There's something called CHECK penetration testing. This is off the website, so I'm going to read it because I can't describe it: the NCSC's CHECK scheme sets standards for penetration testing of government departments, public sector bodies, UK critical national infrastructure organisations, and trusts. So basically that's, you know, government bodies, the NHS, the Department for Transport, your local council. So what happens is we meet a certain standard to do these tests for them. No pentester off the street can walk in and go, yeah, we're going to do the pen test on NHS Leeds. It's to make sure that the testers meet a certain standard, you can deliver the reports and you keep it all secure, and don't walk into a room like this and go, so I was at NHS Leeds last week and you wouldn't believe... So what are the requirements for CHECK certified? You do one of their professional titles and you have to hold a minimum clearance. So you'll go through some background checks. I bring this up because I've never heard anyone talk about it, and they're fun engagements.

So I'm going to go a bit quick now because I'm bad with time. So you're still interested. If I've not lost you, you're still interested, you've got friends and family that are interested, this is a different take on how I think you should kind of tackle it. So on the initial training, there's always two great CTF sort of starter systems: Hack The Box and TryHackMe. These are great resources, free I think for just standard sort of access. The great thing with these is, if you do get stuck, there are a lot of write-ups and walkthroughs. Anyone can jump in and tell me, because I hope you've got the name of the guy. He does Hack The Box, he does the YouTube.
>> Thank you. Thank you very much.
He does it on a video. So if you're not great with reading, I get bored reading, you can watch the walkthrough on the video, but he'll also give guidance of why it's like that, how you'd fix it, and also the different tools that you can kind of use and learn with. And if you become good at those, you can always look at global CTF events. They're kind of the same. You know, go work in a team, work on your own, make it a bit more fun. They're great to kind of get started. But unfortunately, those are kind of, you get started out not spending money, or a little bit if you upgrade your access.

Unfortunately, there's the gatekeeper people within the industry, mainly at the HR level, then some at the management level. You'll get those in between them, but without professional certs, they just won't look at you. Some will; it depends on, I've found, how they've come up themselves. If they don't believe in certs, they don't have it. If you've got someone that's like, no, you must have this because I've got it, then you know you're going to have that day. If you check the jobs you get a clear idea of whether they're going to want it or not. OSCP, generally that's the go-to one I see on all job adverts, unfortunately. There's TC Security PG; that one's trying to tackle that. I've maybe not seen many in the UK; they're mainly just coming out and being accepted.

Networking, a big thing for me. LinkedIn, so I'm now using LinkedIn to hook up with other hackers, pentesters, CISOs, recruiters. You go into the job section of LinkedIn or any job site, those are all the jobs that are live. In fact, very few of them actually lead to an actual job. It's to be harvested. You need to hook up with and start following the recruiters, because they'll actually post, because it's free to advertise for jobs. Especially if it's, you know, getting in on the ground, graduate, entry level, no experience. You're only going to see them because they're posting it. It doesn't cost any money. If you put it in jobs, they're paying money.

BSides conferences. Awesome. My first... I now work at KPMG, and the guy that I know within KPMG... So I probably wouldn't be at KPMG if it wasn't for him, and seeing him, we met, I'd done a talk, and then meeting each other along the way. And they're great to meet new people, make new friends. It's great when I turn up, like, oh, I've met you before, I've not seen you; it's just starting to feel like years now when I turn up. And local meetup groups, very few and far between; some places have them. I think more up this way, I know there's the one in Glasgow or Edinburgh, maybe Thursdays.
>> Glasgow
>> Pack Glasgow, there we go. They're very hard to find. Discord groups, this one, because my first job inside the industry was a recruiter hunting people down in a Discord. So if you've seen things like Offensive Security, go find their Discord, because that's where he found me. You don't have to be taking any of their courses to access it. Or look for any of the big cyber security companies all around the UK, the world; a lot will have their own Facebook groups, friends, connections, jobs, ask for help when you're stuck on stuff, people sharing their new tools, sharing documentation, a wealth of knowledge, meeting new people. And Reddit is questionable, but when I first started I was doing OSCP. There is an OSCP thread and people will go on there like, I'm starting my OSCP, I'm based in India, I'm based in the US, everyone's starting in 2 weeks, let's buddy up. So if you're kind of looking for an accountability buddy then that's the place to be.

And then raising your profile. Blogging is a great one. So what I'd say is Hack The Box: everyone, if you've ever done Hack The Box, everyone's got a walkthrough, all copy-pasted, the same. Do it differently. Write it in a report format. So go find a report template on Google and write it like you were doing a report. You know, I've got a local file inclusion; write it as a finding, put references to how to fix it, and do it like that, because then when you're applying for a job, go, here's my blog, here's all my reports. I really like my Hack The Box walkthrough that I copied and pasted from yours and you copied it from me and now he's copied it. Do it differently, stand out. Or review a technique or a new tool. You just think there's hundreds of them out there. It's just to show a potential employer that you do study and you're interested in this field. GitHub scripts, even basic, just a little bash script; it just shows that you're interested and you want to kind of progress. One of these: I feel like this is my seventh one, I get up here and I'm nervous as hell, I do love it. A lot of them do tracks; a lot of them, if it's your first, they'll go, we'll mentor you, send us your idea, we'll let you know if it's good. There is a lot of help and you meet people. I met someone that offered me a job at a different company through BSides. So there's opportunities there. Local meetup groups, the same thing. If you can't get a talk accepted somewhere, and it doesn't have to be long, you do 10 minutes, do a YouTube video, make it private if you want, but you can share it with who you're interviewing with. Even if it's 10 minutes, go, I want to do this, and just go through and show them what you know. And it just shows that you're interested and you want to progress, because they want to see enthusiasm. Can I do that again? I think it's my last one. Yeah, 2 minutes.

For a CV, I believe this is what got me my first role. So I spent 20 years in IT support. Okay, well, a CV for wanting to go into cyber security isn't really going to look great. So the cover letter lets me tell my story. It shows that you're expressing interest in the actual job. You get to highlight the key skills and relevant qualifications. It demonstrates your personality. It explains unique circumstances: 20 years in IT, I've explained why I want to go into cyber security with no experience. And it motivates the employers to read; they're busy. So, like, well, they've got time for this, let's just have a look. Hold on a minute. Hard to keep doing that.

So this actually is my cover letter. So: I recently passed my OSCP exam, I'm looking to break into infosec, and this is why you should kind of look at me. 16 years' experience in various IT positions working with different industries. So that's great, you're going to do that in cyber. So this is where you get to put skill sets that you can't put in your actual CV. Interpersonal skills: the ability to communicate verbally with individuals in business support functions at C level, including CEO and board members. This is when you're doing a scoping call or a debrief; now they know that I can do that. You can be the best in the world, but if you haven't got communication skills I'm not going to hire you, because you can't talk to a client. Clear, concise writing skills derived from delivering reports for management, to technical documentation for support teams, user-friendly guides and customer base. I can write reports, a major part of the job, and I've just explained that; they don't have to look at the CV. Ability to work in mixed-experience teams, sharing knowledge, learning from those around me, as well as leading management teams. Sometimes on a job I'm leading, sometimes it's my colleague; we're all mixed, different experiences, I can get on with everybody you're working with. It's part of sharing the knowledge. Understanding and managing tech stacks, with the power to research where I need to implement or resolve business justifications. If I had to implement a new piece of software elsewhere, I'd learn it, which means if I'm testing someone's application or tech, I can go out and research how to break it. And then, you know, I'm constantly developing, and I talk about my next courses that I'm taking so they can see my training progression. And I think if you just put something like this it'll make people take notice. They'll go on your CV, oh, not very experienced in cyber, but you can do reporting, you can learn, you can manage teams. You're pretty much the personality that we need. We can teach it. You can't teach someone how to be a person. And that is wrapped up with a minute over.