Introduction
Hello! If this is the first blog post you are reading, my name is Thane and I want to use this space to talk about my year within the cybersecurity industry. I was a consultant tester for ECSC from August 2022 to August 2023 as part of a student placement opportunity with my university.
The purpose of this article is to have a public space where I can go over all the great things I went through during my time at the company! Even though a disclaimer is probably unnecessary, no details about specific codes, clients, or colleagues will be discussed as this will focus solely on what I did. If I say “the client”, I am simply talking from a broad perspective and not about a singular entity.
The job and responsibilities
As mentioned, I was a Consultant Tester primarily focusing on web security. Before a job, it was my responsibility to make contact with the client to remind them of the work that was going to happen within the week and to make sure they were still happy for me to continue. If any login details needed to be provided, I would ask for them during this stage to ensure the test went smoothly on the actual days.
After this, I would then proceed with the regular testing duties, which would be to start the scans with the tools provided such as Nessus, TestSSL, Nmap, Burp Suite, and more. By combining the knowledge gained from these tools, I could start to look for vulnerabilities within their infrastructure. It was important to always keep in mind that these tools aren’t going to hand you a booklet of every vulnerability present, and to recheck any information they give you. So always remember that while these tools are helpful, it is still a manual test. You will have to use the knowledge you have, or research different topics, to ensure proper coverage for the client.
The Challenges
As someone who only had university/Hack The Box experience, at first it can be quite overwhelming to see how different the business world is compared to these challenges. Don’t get me wrong, Hack The Box is one of the biggest platforms out there for a reason, they are genuinely amazing, but being offered a blank slate, without the assurance that a vulnerability is even present within a piece of software, can be terrifying.
There will be aspects of certain programs or vulnerabilities that you won’t know, and the best advice I can give is DO NOT be scared to ask someone for help. Every person on your team should want the same outcome: a happy client and a knowledgeable pentester at the end of it. There is no way to escape the fact that you are new to this world, and people won’t be upset that you are new. The best thing you can do is try your best to confirm your suspicions, because even if they come back and tell you there is nothing to exploit there, you now know for the future: if you see this again, you will not have to ponder what could have been done, and you can get back into it and try harder to look for other vulnerabilities. Either way, you have learned! As someone who can be quite an anxious person, the thought of ‘distracting’ someone else to help me was awful, but I wanted to provide a good service to the client so I knew I needed to. I was lucky enough to work with some of the most amazing people I have met, who were happy to help me whenever I needed it, and if they couldn’t, they could point me in the direction of someone who could.
Skills/Knowledge Gained
Working in the industry helped me gain confidence in my technical skills with web applications. By having this hands-on experience with tools and websites, I managed to learn more about network protocols, secure coding practices, access management, compliance standards and more. While it is possible to research and read into these things, having a live target to test them on made the results much more valuable, allowing me to develop a comprehensive skill set to enhance my ability to secure applications and respond effectively to their outcomes.
By being in the industry, I also improved my soft skills tremendously. Before this, I had never professionally interacted with clients. Shadowing colleagues or being CC’d on emails allowed me to understand the standard of professionalism that is expected from us and the kind of questions that we may need to answer to ease the mind of a client.
Another area of professional writing was the reports. Whilst we may be having fun on the tests, we must also remember that the report is technically what the client is paying for, and it needs to be understood by executives and technical people depending on the document. It is extremely important to make sure that you provide enough information/screenshots on the vulnerability so the client can replicate it and figure out what is wrong so these issues can be fixed. So another bit of advice: SCREENSHOT AND DOCUMENT EVERYTHING! You don’t want to be handed a random issue from the cyber gods that won’t allow you to replicate what you just did.
The final thing I will mention in this post: cyber is a journey of lifelong learning curves. Most tests won’t be the same, but having a mindset of teaching yourself new things as often as you can is important. Also, do not feel bad for not having started “x” amount of time ago. Forgive yourself and start ASAP! It is possible you can be your own worst enemy sometimes, but that shouldn’t stop you from becoming the person you want to be 🙂
Testing Processes and Methodologies
So, 99% of the testing I did was manual. This means that although I may be running automated scripts, I am also searching myself and looking to find vulnerabilities beyond what the tools could find. There are 5 main phases of a pen test:
- Reconnaissance
- Scanning
- Vulnerability Assessment
- Exploitation
- Reporting
The first phase is the recon phase. In this phase, you want to try and gather all the information you can find on the target, whether that’s the applications used, the versions of different plugins/code they are using or user accounts, and more. While you can gain information passively through publicly available sources, you can also find information by directly interacting with the target to get the larger picture of what vulnerabilities the target may have.
The next phase is scanning. This is where we use tools to gather information about the purpose of the target and try to identify any entry points attackers may have (open ports, network traffic, etc.). This is the phase where it is important to test anything an automated process may tell you, as there can be a lot of false positives. Simply taking the tools at their word could hurt your reputation with the client: for example, you say there is XSS (Cross-Site Scripting) and they say “Prove it”, and the only response available is “Well, Nessus told me so!”; they may not have the best reaction after that panic.
Now that we have all the available information, the next phase is to assess the vulnerabilities by using the data gathered in the previous phases to try and identify any vulnerabilities that can be exploited. By doing this phase after the first two, the combined information will allow you to focus on where there may be issues and stop you from throwing things at the target until something sticks.
Next is exploitation. This is where we take the vulnerabilities we may have and try to leverage them to access things from the target we are not supposed to. It is important to be careful when exploiting: even though we want to make sure the target is secure, we don’t want to disrupt the day-to-day running of the client’s site (don’t DDoS clients, essentially).
The final phase is reporting. As mentioned previously, it is extremely important as this is what the client has paid your company for. The report should be well structured and include an executive summary as well as a technical portion of the document to ensure it can be understood by everyone who has access to it, regardless of their technical expertise. After that comes a detailed breakdown of the vulnerabilities uncovered along with their risk/CVSS score, ranging from critical to very low. This section will include where within the tested range the vulnerability was found, along with how it was found and some remediation steps at the bottom.
Lessons Learned and Advice
Although I have given advice throughout this post, I think it is important to have a section on the lessons I have learned and give some advice on what I think aspiring pen-testers may need to hear. Again, I have only had a year in the industry but I feel like feedback is needed whether it’s someone who has been testing for 6 months or 6+ years.
The first piece of advice is about the value of automated testing. Having proper tools at your disposal can enhance efficiency and allow you to cover a lot of the scope in a short amount of time. It is important to test what is found and to not take it at face value. In my experience, tools may find ‘high’ or ‘critical’ vulnerabilities that, when checked, provide no results. Be sure to use these tools with the mindset that they are there simply to help you while manually testing, not as a way to test areas and take the outcome at face value.
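The point about not taking scanner output at face value (raised in the scanning phase above and again here) is easier to act on if the scan export is turned into an explicit verification queue rather than read as a list of results. The script below is an added example, not the author’s or ECSC’s code: it assumes an export in the .nessus v2 layout (ReportHost/ReportItem elements with the 0–4 severity scale), deduplicates repeated findings, drops informational items, and marks every remaining finding UNVERIFIED so each one has to be confirmed manually before it reaches the report. The XML, hosts and plugin IDs are constructed for the example.

```python
"""Turn a scanner export into a manual-verification queue (added example).

Assumes the .nessus v2 layout; the sample below is constructed, with
made-up hosts and plugin IDs.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus-style 0-4 severity scale mapped to report labels (assumption).
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: 10.0.0.5 has one finding reported twice plus an
# informational banner item; 10.0.0.6 has a single medium finding.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="10.0.0.5">
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
               pluginID="900001" pluginName="Reflected XSS (constructed)">
    <risk_factor>High</risk_factor>
    <cvss3_base_score>6.1</cvss3_base_score>
    <plugin_output>Parameter 'q' reflected in response body.</plugin_output>
   </ReportItem>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
               pluginID="900001" pluginName="Reflected XSS (constructed)">
    <risk_factor>High</risk_factor>
    <cvss3_base_score>6.1</cvss3_base_score>
    <plugin_output>Parameter 'q' reflected in response body.</plugin_output>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="900002" pluginName="SSH banner (constructed)">
    <risk_factor>None</risk_factor>
    <plugin_output>SSH-2.0-ExampleSSH_1.0</plugin_output>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="900003" pluginName="Missing security headers (constructed)">
    <risk_factor>Medium</risk_factor>
    <cvss3_base_score>5.3</cvss3_base_score>
    <plugin_output>X-Frame-Options and CSP headers absent.</plugin_output>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text):
    """Flatten every ReportItem into a dict: one entry per (host, item)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
                "severity": int(item.get("severity", "0")),
                "cvss": float(item.findtext("cvss3_base_score", default="0") or "0"),
                # plugin_output is the evidence the tester must reproduce by hand.
                "evidence": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def verification_queue(findings, min_severity=1):
    """Deduplicate by host/port/protocol/plugin, drop items below
    min_severity, and order by severity then CVSS so the tester checks
    the loudest claims first. Nothing is marked confirmed by the tool."""
    seen, queue = set(), []
    for f in findings:
        if f["severity"] < min_severity:
            continue
        key = (f["host"], f["port"], f["protocol"], f["plugin_id"])
        if key in seen:
            continue
        seen.add(key)
        queue.append({**f, "label": SEVERITY_LABELS[f["severity"]],
                      "status": "UNVERIFIED"})
    queue.sort(key=lambda f: (-f["severity"], -f["cvss"], f["host"], f["port"]))
    return queue


def summarize(queue):
    """Count queued findings per severity label for the test-day checklist."""
    return dict(Counter(f["label"] for f in queue))


if __name__ == "__main__":
    queue = verification_queue(parse_findings(SAMPLE_NESSUS))
    for f in queue:
        print(f"[{f['label']}] {f['host']}:{f['port']} {f['plugin_name']} "
              f"- {f['status']} - evidence: {f['evidence']}")
    print(summarize(queue))
```

Running it on the sample yields two queue entries (the duplicated XSS finding collapsed to one, the SSH banner dropped as informational), both UNVERIFIED; the tester’s job is then to reproduce the evidence string for each and only move confirmed items into the report.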
Communication is key, whether it is with a client or colleagues. Having a good method of contact with the client allows you to make sure the testing process goes smoothly. They may pay for 3 days’ worth of testing, but an attacker has no time limit. We must make sure that we are using this time wisely to ensure full coverage of the scope. As for colleagues, they can be one of your greatest resources as you enter the industry. If you have a friendly team, use their experience to help you advance further in terms of knowledge and testing. Have no test that day? See if you can shadow a team member who is working on something relating to what you want to do or are interested in. This leads to my final point, continuous learning.
Cyber security is such a vast field that it will be impossible to keep up with every trend on every topic at all times but if you have a clear day, use that day to enhance your skills and become a better tester. Start working on your certifications, shadow someone doing a test, anything that can help you become a better version of yourself and advance your career further 🙂
Future Outlook
For the future, I want to explore many different avenues in cyber. As I have just finished my degree and have had one year in this industry, there are so many stones to turn over while I look for where I want to go. Having this year has made me look at becoming more than just a web tester. Although I am unsure where I want to go exactly, I know that I want to grow my skills as much as possible and gain as many useful certifications as I can.
Conclusion
So, with just one year in the industry and a future I am hopeful for ahead of me, I am excited to keep everyone updated. I hope this post has been a good insight into some of the stuff I have learned from my short time in the industry, and I can’t wait to see where my next steps take me.
If anyone has managed to find this post and is wondering about the industry, and if this is something you think you would be interested in, I implore you to give it a go. I was unsure what path I wanted to take in life until someone new to the industry told me to give Hack The Box a go; since then, I have fallen in love with all things cyber and I hope I can continue to learn more about this amazing industry. You got this!
As a final thought, I just wanted to thank my amazing boss and team at ECSC for the year I had there. You guys have helped me with so much and I will always be grateful to have met you all. This opportunity meant everything to me and I’m so glad it happened 🙂