Highly accurate Information Security Testing

Core Competencies of a Professional Penetration Tester

Posted: September 30, 2014

Professional penetration testers have a tough job.  Granted, it’s not as tough as the job of a CISO or network defender.  In one aspect, we have it easy: like an attacker, we just have to find things that are wrong.  And we can almost always find things that are wrong.  In other ways, it’s more difficult, because the breadth and depth of knowledge required to be proficient is considerable.

Our job is to swoop into an organization for a limited period of time and quickly understand the organization’s mission, key assets, data, and people, and then conduct an accurate risk assessment.

We must be able to be hyper-focused, but also be able to step back up to the 10,000 ft view.

We must be able to communicate our findings to the technical staff without coming across as being high and mighty.  We must also be extremely accurate in our assertions, lest we lose credibility and respect.

We need to be able to think at a high-level so we can communicate risk to management.  Management does not care, nor do they need to know about any specific vulnerability.  They need to know what it actually means to the organization, and what they need to do to fix it.  They need to be able to measure the effectiveness of their overall Information Security program, and need to know how to improve it.

We need to have a solid understanding of security compliance, policies, and procedures, in order to identify gaps.

Unlike the attacker we emulate, we need to be able to present solutions to the problems we find.

Here are what we feel are the core competencies necessary to be a professional penetration tester.

Expertise in at Least One Operating System

A pen tester must be knowledgeable in as many Operating Systems as possible, but must be an expert in at least one.  What good would it be for the tester to compromise a Solaris server and not know what to do with it, or not understand where the passwords are located, how services are managed, where the log files are, and so on?  Expertise in one Operating System will provide a solid foundation for others.

A competent penetration tester is the master of at least one Operating System but can find his way around all of them.

Expertise in Networking and Protocols

It seems obvious that a pen tester must be an expert in networking and protocols, as those are the mediums over which he conducts his attacks.

A competent penetration tester should know the service that operates on pretty much any port, on every protocol.  They should be intimately familiar with all layers of the stack.  They should be equally comfortable analyzing layer 2 and layer 7 traffic, and everything in between.

They should have a solid understanding of Intrusion Detection/Prevention Systems, routing, and firewalls.

A competent penetration tester is an expert in networking and protocols.

Expertise in Information Security

Operating Systems and networking are the foundational elements for Information Security.  Without this solid foundation, a penetration tester could not be competent.

A pen tester must be an expert in Information Security.  Not from an attacker’s perspective, but from a defender’s perspective.  After all, how could a pen tester make a recommendation if he can’t relate to the defender’s job?  From specific technologies to best practices, a proficient pen tester must be a master of his field.

Expertise in Information Security Testing Tools

Perhaps the easiest skill to develop these days is competency in penetration testing tools.  Long ago, before exploit frameworks and GUI tools for everything, one had to know how to find reliable, trustworthy exploit code.  Then read it, compile it, test it, and run it from the command line.

Not so any more.  Just about anyone can download and run Kali Linux or Metasploit and fire away.

Compromising vulnerable systems is easy – it’s what comes after that’s the hard part.

Compromising systems without wreaking havoc on the target systems/network requires the foundational knowledge and specific tool expertise.

In Summary

As you might imagine, the ideal penetration tester is first a system or network administrator.  He then gets into system/network defense, which is a natural extension of being a system/network admin.  He seeks to understand the threat.  In order to protect his networks and systems, he needs to know how his enemies operate, and how to detect them and prevent them from causing harm.  In order to validate that his systems/networks are protected, he learns how to attack them.  Attack, defend, repeat.

There are quite a few other skills necessary, but these are the core competencies we expect from our team.