Recently I took a new job as a penetration tester. This was a position I had been seeking for many years and one that was challenging to obtain. I wish I had some advice when I was navigating to this point in my life. I always wanted to know how I could break into pen testing....without ever being a pen tester.
This question pops up quite a bit on a site that I contribute to on a regular basis, ethicalhacker.net. People have also reached out to me privately to try to figure out how to land these types of roles so I'll try to tell my story and give some advice.
When I went to college, I started in architecture. I quickly learned that this was a career that wasn't meant for me so I switched to something else I was interested in, computer programming. Within a semester or so, I learned again, that this was not for me. I didn't really know where to go but I knew that I loved playing with computers and also knew I was a bad programmer so I took the middle route, and ended up in Information Systems. This was the mid-late 90's.
I managed to graduate with the knowledge that every CIO needed to have, but I was 22 and no one would hire me as a CIO. Strange. Someone I knew at the time was talking about the profession of networking and how this would be a job that would grow in demand and also allowed you to remain very technical, which is what I wanted. I started on the MCSE route and within 6 months, I had learned more practical networking knowledge than I had learned in 4 years of college. (I'm not suggesting that college is a bad idea at all, educate yourself as much as possible!)
I got my first job as an IT Analyst/Helpdesk at a local medical communications company. Within 6 months of starting, I was promoted to a Systems Administrator. The company was very small so I had to learn quickly on my feet, about everything related to IT. This was the best thing that could have ever happened to me. When you learn by fire and you'll discover things about yourself you never knew were in there... I was essentially one of two IT people in the company.
This is when I started to develop a extremely critical skill in the world of networking and that would later be applied to pen testing. That skill is logical troubleshooting. I cannot stress this enough. The ability to analyse a problem and then discover the root cause in a timely manner is a very critical skill to have. Tools are buggy, networks are flaky and applications don't always act they way you might expect. Try not to ever use a "band aid" solution, try to find the right way to do things. Over time, all those little things you figured out will pay off immensely in the middle of a pen test.
For 7 years I worked at that company, learning everything I could about networks, protocols, systems, firewalls, routers, switches, TCP/IP and the overall challenges of IT. I honestly had not even begin to think about "security." Looking back, this didn't happen until 2-3 years later and then I thought I was doing things "securely." If I only knew what I knew now...eek! I had no idea what the future would hold. If I had only begin to think about security then, who knows where I'd be today. After my time expired at this company, I took a network engineer role at an energy company.
I felt pretty confident about my abilities as a network guru but after my next position, I elevated my skills even more and was now in a very desirable industry in the security field....energy and critical infrastructure. I began to get very interested in security, and it seemed like a very sexy job to me. I also learned how incredibly insecure power networks are. This is probably when I learned about the profession of penetration testing. Someone would really pay people to hack into systems, legally? But how do you "hack" how does this stuff work?
I ended up going back to college for a masters because I wanted to learn more about Information Security and honestly, I didn't really know where else to go. I had no friends in the industry, so I was shooting in the dark. I went back for a Masters in Information Technology, specializing in Information Security. I took a number of computer security courses and my addiction to this field became apparent. One major piece of advice if you're considering this road, if you're not obsessed with this field, someone else will be and blow past you. There is too much information to know and without a major drive and desire to learn, you'll likely fail. You'll spend significant time on your own researching and learning. This is easy if its also one of your hobbies ;)
After I finished my masters, I knew that this is the field I wanted to be in. But how could I get into pen testing without any other pen testing experience? This was going to be tricky, but the strategy I used ended up working. I started looking at pen testing jobs and trying to figure out the desirable skills and began to craft those skills to be my own. The problem was, I was going to have to convince a potential employer that I was skilled at pen testing, had aptitude for it and loved doing it. How was I going to do all that with no real experience?! It seemed that all these jobs wanted certifications so lets start there.
There are a million certs in information security. I knew I was years away from getting my dream job so I really wanted to gain knowledge more than anything... in lieu of certification notoriety. After joining the ethicalhacker.net it seemed that the OSCP was highly regarded as one of the few certs that was hands on and taught you a lot. You can find my detailed review of this on my old blog. After the OSCP I went after the next cert they offered, the OSCE. You can read that review here. The problem with these certs was that no one in HR, the first people you have to get past to get an interview, knew about these certs. I had to get another cert that was more widely recognized, so I obtained the CISSP and you can find that review here. Well now, I thought I was set. Boy was I wrong.
Certs are a funny thing, they're a lot of work and you feel pretty proud to have them, but they're merely a check box for the HR or hiring manager. I had to do more.
So what I did was begin to talk to my current employer about what I could do for them in the security space to improve the companies security posture. I found problems and developed solutions that solved business problems but it also began to give me the experience I was going to need. The advice here? Start looking at everything you do in your operations job from a security point of view. How could someone hack this? How could you secure it? Would you know if it was hacked? How? etc. etc. etc. Then, begin to learn how to communicate these difficult problems effectively to non technical people, another very valuable skill.
I began pen testing my current company at specified intervals and was able to do this because I convinced management that it was important. This was critical for my future role. At this point, now I could say that I was actually doing penetration testing. If this is not possible at your employer, you'll need to figure out other ways to prove to people that you are passionate about information security and also that you've done things to prove that...
A few other things I did was look for bugs in software and begin exploit writing. All of my exploits can be found here. A few of them have been committed to the metasploit framework: GoldenFTP and Sysax. This extra work was particularly useful during my interview, they loved the fact that I had done this. The passion I am referring to is very important, but you have to PROVE it to the employer.Don't expect to walk into an interview and just talk your way through it, the proof is in the pudding.
After my certs and extracurricular work, I was finally at a point that I felt confident and begin applying for jobs. I interviewed for one pentesting job and got the job. They made me give a presentation on a security topic of my choice. I showed up in a suit and got excited. In the interview they appreciated everything I had done, but mostly liked the bug hunting and the Offensive Security certs. They also loved the energy background considering the problems that critical infrastructure faces today with malicious threats and government compliance.
All in all, I have found that my operations background has been extremely beneficial during pen tests. There have been times where a colleague will have root access but not know what to do with it. Since I have the network admin and operations experience, I know where the gold lies... I also understand the challenges that network administrators face, trying to manage large environments with not enough resources.... you learn how to cut corners, but now as a security professional, I know right where I need to look.
In conclusion, this was my road to pen testing: get ops experience/learn everything you can about networking ---> get certs ---> do extra stuff ---> keep learning (and don't ever stop) --> get job --> start the pwnag3.
I do not think that the masters degree is essential but it certainly didn't hurt. In fact, many of the best pen testers in the industry didn't go to any college at all. However, like I said above they did other things to prove to a potential employer that they were bad asses. The best part about education is that no one can ever take it away from you. It can't hurt if you're in a position to get more education.
This was my road and this job has been the most rewarding one I have ever had. I literally cannot wait to get to work the next day. I hope this helps others trying to break into the field.