
All right, hello everyone, welcome to my talk, which is titled Operationally Struggling Corporate Pentesters, or OSCP. This is a lot more people than I was expecting to attend, but okay, we'll go with it. Just so I can get a sense of the audience: how many of us are aspiring or current pentesters? All right, cool. How many of them have less than three years' experience? Fantastic. All right, so I'm just going to get into it. This talk is going to be a little bit about setting the expectations versus the reality, the sales pitch of pentesting versus what it actually ends up being, and as a junior pentester myself I think I'm in a decent position to talk about it because it's very recent in memory, right?

So just a short introduction. Who am I? I'm Nigel, I'm a junior pentester at KPMG. I have a computer science background, I worked one year doing API backend development stuff, I am a retired esports player (you never truly retire from esports) and I did coaching and commentary. This is not relevant at all, I just wanted to brag.

Right, I'm sure the pentesters in here will remember being a junior, or if you are a junior you'll remember last week: walking into your job, baby Yoda here. When you're a junior, what tends to happen in a lot of these firms, especially the bigger ones, is that we have a lot of these tool licences and we do like to promote these guys, and usually you will get a "go train" and they'll throw some licences at you. These are fantastic tools to learn how to pentest, and you will learn the technical skills and the abilities to hack, but I think one of the problems in the industry is that commonly used methods can also become the core or the sole method, which I think is part of the problem.

So what happens when you only use these kinds of training methods? Maybe from a lack of business context or understanding of risk: house is on fire, you've DoS'd the client, the client's really angry and you're just like "oh my God, what did I do?" Allegedly this has never happened to me. Or the other one, where you can't find a thing and you either scream for help or you just sit on your hands: "client's doing a great job guys, no vulnerabilities whatsoever." I'm sure quite a few of us can relate to those feelings.

So why do I think this happens? As I mentioned earlier, I think the focus on lab- and CTF-based training is a factor in this, and socially I believe this is a thing that will just happen, because everyone will always want to talk about the more interesting findings. You're always going to hear about a really niche injection attack that leads to an RCE; you're not going to hear about the time I scanned 1,000 servers and found nothing because everything was filtered or encrypted and there's no way in. You're not going to hear about the boring bits. And I feel like in this industry there is a little bit of a lack of emphasis on building skills outside of the hacking side, and there is definitely a disconnect between the sales pitch of pentesting and the reality. I think what we sell to juniors and what we sell to young, impressionable minds in university is hacking, and pentesting can be a little bit different. I'll get into that in a bit. And there is a healthy, healthy dollop of anxiety and imposter syndrome, and if you couldn't tell that I was terminally online during COVID, that will give it away.

Right, so getting into that: this is the pentest iceberg, or that's how I like to dub it. Everything on top (oh yeah, that was a redaction, my management said I couldn't say what was originally on that, so I had to blank it out) is what we sell, what I think is hacking, and the reality is so much more. I'm
sure we can sometimes relate to some of the stuff in here. The cred stuff is especially egregious, and like any good iceberg, my sanity is the Titanic.

Right, so I've been talking quite a bit about hacking and pentesting, and I don't mean to use these interchangeably. In my mind these are quite distinct things, and it's not just the bears on this slide. So, I'm a terrible-analogies guy, I love a good analogy, so let's use the most well-known analogy in all of cyber security, the breaking-into-the-house analogy. So what... just kidding, I wouldn't do that to you guys, this is overused, I'll use another analogy. This one, full disclosure, I stole off LinkedIn. I would credit the guy but I forgot; I'll pull it out at some point. But he said: improv is to acting what hacking is to pentesting. And I think it is really apt, because if you look at how I like to describe acting and improv, I think you will draw a lot of the parallels that I think hacking has to pentesting. As you see in acting, you sort of have to memorise your lines, you have to take direction, understand the characters in the scene, and if it's theatre or even a commercial you do a lot of rehearsals, dry runs, to nail down what you're going to be actually doing. Whereas in improv you've got no context whatsoever. You usually get up there, you take cues from the audience or something, you get a word and then you've just got to run with it. You've got to be creative, you've got to be quick on your feet, you've got to adapt, always. And that's kind of what hacking is, where it's a little bit more run and gun, there's a lot more space for you to manoeuvre and be adaptable. Whereas in penetration testing you usually have your set of rules, you've got your scope, you've got "please don't DoS us, please don't take down any of our critical systems", and you've got to remember what's in scope and what's not in scope, because if you attack the payment gateway that's third party they're not going to be really happy, and then you're getting into stuff that wasn't covered in the scope.

So while I call them different here, it is very important to acknowledge, and I definitely agree, that being a better improviser will make a better actor. I think everyone understands this concept, and in the same way, being a better hacker will make you a better pentester, because the skills in hacking will definitely help you become a better pentester. But it's not the be-all and end-all, because what we do in those CTF-based labs is a lot of linear learning (I'll talk about that a little bit), and when we do this kind of learning it is not covering the whole scope of what penetration testing is. There's so much more: there's the scoping, there's the client communication, there is reporting, and all this is an important part of being a penetration tester that's not quite always covered in labs.

So these are some hopefully relatively well-known improvised scenes in movies where being a good improviser has elevated these scenes. The one on the left is Zendaya's MJ throwing bread at Andrew Garfield's Spider-Man to test if he has the tingly spider thing. This was all improvised, but it's very memeable, it got laughs, and it took a scene that would have probably made sense in the context of the movie to something that's memeable. It sells, it's great, everyone talks about it, it's cool, it's funny. And the one on the right is Rachel McAdams, when the guy gets sucked into the aeroplane and dies and she has to remember not to be too happy.

Right, so back to hacking. What is my problem with CTF- and lab-based training? When we go into CTFs and lab-based trainings, the difficulty of the box or the difficulty of the lab is often stated for you, and you know going into it that there is always a solution, and that I think definitely changes your mentality of how you look at it going in. It instils a get-root mentality, and what I mean by this is you're always looking for the deepest way in. You're not necessarily looking at getting the best coverage, you're just looking at "all right, what will definitely get me root", and these will often result in bad practices. Because I know when I do a lab, I'm not really documenting my process or recon, I'm not naming my Burp tabs, I'm just slamming my head against the wall until it pops, which is not necessarily the best thing to do when you're pentesting and you have to hand off your work to somebody to review, or you need the proof when it comes back to you because you need to show them what you've done. And I think the con of these labs, or of using them as the sole training for junior pentesters, is that they can create this kind of mentality, which is not necessarily healthy in penetration testing.

So let's talk goals. This is supposed to be a lightning talk, I know I'm going a little bit quick, but I don't really have time to go through all the solutions I have in my head. I'm sort of trying to change perspective and create discussions around training junior pentesters, and if you are a junior pentester, hopefully it changes your perspective on how to look at hacking and pentesting: you're not just looking at it from "I need to upskill in a hacking sense by doing all this technical stuff", but also all the other bits of pentesting, the whole iceberg: getting better at client communication, getting better at doing the scoping, and understanding context and business risk. And if you are somebody who is a training manager, hopefully getting the perspective of someone junior going through the program will help you form more rounded training programs within your firms and not resort to (your very expensive and lovely, lovely, there's a time and a place for it) CTF- and lab-based training. Because while I say this, and it could be divisive, I believe that there is a time and a place for CTF- and lab-based training. Does anyone here play Valorant or Counter-Strike? Yeah, yeah, exactly. If you came to me as, like, "I'm going to coach you Valorant" and I told you to play 12 hours of Aim Lab a day, you'd probably hate me. It's not learning the game. And it's the same thing when you throw labs at people: you don't truly get the full context, and while they are excellent too, and they will teach you how to aim better, they will not teach you everything about cooldown usage and... we'll get into that.

Pentesting is hard. You will struggle sometimes, and it's okay. And finally, it's a healthy, healthy dollop of self-therapy for me, because sometimes, well, I needed to hear this maybe six months ago, but here I am now giving this talk. Right, I know it's a little bit quick, but thank you very much for listening to my talk, and I will open the floor to questions, but only the easy ones. If you have a hard question, kill it
now.

There are plenty of vulnerability assessment methodologies out there, available online; are there any ones you would recommend?

So, pentesting methodologies, right? So that would be one of my solutions actually, if you caught me outside. I would say that as a junior pentester, everyone has their own way of getting things done. I think it's best to go through real-life scenarios and sort of build your own way of testing, because some people like to start with certain things and test certain things, but some people like to start with other things, because it leads to their own progression, right? So there's no one true, one-size-fits-all solution. I think everyone has their own method, so it really is just about building what works best for you. That would be my answer. I know it's very consulty. [inaudible crosstalk] Yeah, but generally you have your list of ideas, but then everyone will formulate it differently. So yeah, that would be my... any other question?

So, like, while doing a CTF or, like, a Hack The Box, would simultaneously making a walkthrough help with the practice of documentation? Would that be a good...

So, on a CTF, yes, wholly so, because when you do get into a CTF the problem, unless they give it away in the title of the CTF, which sometimes they do, is not immediately obvious. So if you do have to conduct some reconnaissance, I think it would be very, very helpful to practise good processes in documenting your process, what you tried, making sure that you've got a good trail going into that, and then documenting how you found the problem. That will definitely help you. If you're talking about individual labs, where, you know, if it's a SQL injection lab you know it's going to be SQL injection, you don't have to do any recon, you've just got to find the right field, I think it may not be as helpful in that context. But for CTFs, where it's not immediately obvious what the problem is, I think it will definitely help.

[inaudible question]

Oh, getting... no, just, uh, yeah, I was going to say getting yelled at. But no, I think it's just dealing with the different expectations, because every client wants something different, so you can't... well, unless you're working with the same team, the same client, week in, week out. Usually, because pentesting can be such a quick-changing environment, you're on a different client every week, and every client wants something different. So I think keeping that open communication and making sure that everyone's happy with the progress, what you're doing, making sure the coverage is what they expect, I think that's one of the more challenging bits of being a pentester: just making sure that at the end of the day they are getting what they expected when they paid for your service.
[inaudible question]

Yes. Am I allowed to say... I've worked with... well, okay. In pentesting, I feel like there's always going to be low-hanging fruit, and lots of places will just have that low-hanging fruit, you know, like headers and whatnot. So sometimes there are tests where it just comes down to really tiny things that you're not really proud of reporting, and sometimes you wonder if it's a skill issue, but when you see your CTL manager come on and not be able to find anything either, then it sort of validates you.

[inaudible question]

Fantastic question. I think making sure that the scope is as clear as possible, knowing what we're allowed to test and what we shouldn't test, and making sure that if there are certain features that you know you want tested, like cross-tenant, you know, privilege escalation, horizontal or vertical, and this needs to be tested, it's called out quite clearly. Making sure all prerequisites are in place before the start of the test. I know this is also on engagement management on the pentester side, but I think both sides coming together to make sure that everything is there, and that I don't have to wait three days to get a password to a web app, would be great.

I think we're actually out of time for questions, so if you guys want to ask questions afterwards, feel free. Just to add to yours as well: if you can give a domain admin account at the beginning, that'd be great. Yeah, that's... no. Thank you very much, thank you.