Softskills: CV, Job Application and Interviews

This one might be a bit too specific, since every country has its own CV and interview culture. For example in the US you don’t add a picture of yourself, in Germany this is very common. There should be much more differences, so please don’t take everything here for granted in the area or county where you want to get a job. I try to be as general as possible here.

From my previous post Softskills: Networking for your Career you should be aware that it is good to get a job over a personal network and could be the most promising option.

CV & Job Application

A couple of points for the CV & job application:

  • be honest, when people found out you lied or made things up you are out
  • don’t go into details that don’t have something to do with the job you are applying to, unless it seems necessary
  • everything else write detailed, I like to have much information, but other people might have a different opinion
  • take a clean and easy to read format
  • write a great motivation letter for your application
  • proof facts, for example if you write you have a certification add a copy or scan of it to the application
  • check for grammar and spelling
  • if possible let somebody read your application who can give good feedback

Job Interview

I was on both sides of the table, conducting interviews and also of course being the candidate.

  • know your CV well, you should be able to explain everything without looking it up
  • if you have a bad feeling you normaly should not take the job, unless it is a huge chance for you or you can use it for jumping to a better job
  • prepare for the interview, think about what questions might be asked
  • try to prepare for standart questions like
    • what was your biggest mistake
    • where do you see yourself in five years
    • what is your biggest weakness
    • what do you expect from your employer
    • and so on
  • prepare for technical questions
    • there is nothing worse for example when you say for example you know XSS but could not explain the difference between a stored and a reflected XSS
    • have a look at the Daniel Miessler interview questions (see also below)
  • if you have weak spots in your CV you can try to handle this pro-actively, if not prepare for critical questions
  • prepare questions that you want to ask, for me an interview always has to go into both directions

Links
https://us.experteer.com/magazine/should-you-put-a-photo-on-your-cv/
https://danielmiessler.com/study/infosec_interview_questions/
https://www.indeed.com/career-advice/resumes-cover-letters/motivation-letter

Career Path Red Teaming

For some people Red Teaming seems to be something like the holy grail and many people want to do it. In my opinion a Red Teamer should have experience in Penetration Testing before starting. Some experience  in DFIR might also be useful, or at least you should have some understanding of this topic.

For me (I am planning and leading internal Red Team engagements since about two years now), Red Teaming is very different from pentesting, although experience here is important.

“Penetration testers have this problem where they frequently can’t see past the end of their Kali USB. They establish the false equivalence of: “China hacked $X; I can hack $X; therefore, I am an APT and an APT is like me.” An APT is literally the instantiation of a nation state’s will. It is not a toolchain.” 
https://medium.com/@thegrugq/cyber-ignorethe-penetration-testers-900e76a49500

This sums up my experience. Some pentesters think: OK, let’s just use bloodhound, mimikatz and empire and and start firing, when I am domain admin it is red teaming. Well, maybe kind of.

But do real attackers think that way? Think more about WHY a malicious actor is trying to hack you, and then how. What are attackers looking for? That might define the scope of your engagement. You should read threat intel and incident reports for being up to date regarding TTPs and scope. When doing Red Teaming you should start thinking more into this direction.

I also tend to go through single scenarios, and not only full blown attack simulations, like:
• Account compromisation 
• Exfiltration if possible 
• APT traffic simulation for testing and enhancing capabilities of the blue team 
• Phishing 
• Water Holing 
• Malware Simulation 

This is also a good starting point for enhancing a penetration tester career, since usually you are not able to start with full blown Red Team engagments.

I can recommend “The Hacker Playbook” series, review for the third issue here. Further the book “Advanced Penetration Testing” is a good read.

More recommendations:
• https://www.cobaltstrike.com/training 
• https://medium.com/@thegrugq/cyber-ignore-the-penetration-testers-900e76a49500
• https://www.pentesteracademy.com/redlabs
• https://github.com/aptnotes
• https://attack.mitre.org/
• https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2019.pdf?__blob=publicationFile&v=3

Working at a CERT and shifting to Technical Lead

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career
Part 2: From Beginner to Expert as Penetration Tester
Part 3: Working at a CERT and shifting to Technical Lead (this part)

A new job
Because I was interested in Incident Response and wanted to specialize more in the field of penetration testing I applied at a CERT in one of the 30 biggest DAX enlisted companies in Germany. The environment was of course completely different to consulting companies:

  • more long-term thinking
  • not much overtime
  • more administrative work
  • more time for in-depth work

As in every job there are some advantages but also some disadvantages, but the advantages predominate for me.


More specialization
I was lucky that it was possible for me to attend lot of training and learning on the job. At this time my plan was to specialize in the field of exploitation. Among the training I did was:

  • “Tactical Exploitation and Response“ by Attack Research
  • Internal Incident Response Training
  • SANS Sec 660 with GXPN certification
  • “Windows Kernel Exploitation” by Hacksys (higly recommended)
  • Corelan Bootcamp & Corelan Advanced (higly recommended)

Also I was able to go to conferences like Brucon, Blackhat, Defcon and others and I could present Avet now three times at the Blackhat Arsenal, which is by the way one of the most fun events I presented.

But it became different
… than it was planned by me, which is not a bad thing. I did a lot of Incident Handling and later I was involved ramping up a vulnerability management system. While the latter is not that interesting for most people working in penetration testing, I learned a lot about companies politics and also management, which helped me a lot within my personal development. Because I traveled mainly to Asia I could also get Chinese lessons at work, which is a great thing. 

Promotion
After about three years I was promoted to a technical lead position in the Red Team of the CERT with some new duties:

  • Ensure that all provided services (Pentesting, Vulnerability Management and so on) work properly
  • Adjusting with the other CERT teams and management
  • Conducting job interviews
  • Organizational tasks (yes, writing excel sheets)

About the new position I sometimes have discussions with other professionals. One thing is that I definitely shifted away from technical stuff. On the other hand it is possible to influence the direction for the future, for example what should be in focus for the next time. By job descriptions and job interviews you can find suitable people for your team and so on. 
Important for me is not to loose the connection to the hands on work, so I like to be involved here too. But being also involved in some management tasks also gives the opportunity to self improvement and training on a non technical level.
If you do not like these tasks you better continue you technical career, which also gives you opportunities for improving and developing.

Conclusion
Besides all things I learned from a technical point of view (Incident Response, Trainings etc.), the more important lesson for me was and still is what I can learn from a management point of view and the personal development. Sometimes the attitude and the political thinking is more important than the technical knowledge for improving things in a big company, I try to find a way where I can combine both.

Two important take aways:

  • The exploitation trainings in that depth were not necessary when I look back at this time. It was no total waste of resources, but choosing more careful and adjusting your learning goals is always a great idea.
  • After staying for 18 and then 17 months at the two jobs before it is a good idea to stay a bit longer at the new job. Changing jobs too often might look bad on your CV. Also staying for a longer time is also opening new perspective (when you are on the right company).


That concludes the career article series from my personal point of view (so far) and I hope you enjoyed reading and that my experience is also helpful to other people and especially to beginners in the field.

Links

Some Online courses I did during that time:

Books:

For more links and book recommendations please have a look at the recommendations list.

From Beginner to Expert as Penetration Tester

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career
Part 2: From Beginner to Expert as Penetration Tester (this part)
Part 3: Working at a CERT and shifting to Technical Lead

My first job
The first job as a penetration tester was pretty exciting for me. I was lucky to have many colleagues that engaged very much with the newcomers, and for the beginning everyone got at least three workshops lasting 2-4 days, if I remember correctly. The OSCP prepared me pretty well to the thinking of solving the day to day problems on the job. The job was at a consultancy company that mainly is doing penetration testing engagements in Germany. During that time I also started researching about antivirus evasion (in my free time btw). I most consultant jobs time on the job is short. For me that was a huge advantage, I was able to do web app testing in short time. Besides learning from colleagues I also read some books like The Web Application Hackers Handbook, The Shellcoder’s Handbook and Network Security Assessment.
I had my first presentation (in German at the Backtrack Day 2013) about antivirus evasion, which made me very proud of course. 
During the first job that lasted 18 months I also visited the CCC Congress twice, had several chances to conduct interesting pentests (mostly web and mobile) and did an interesting online course (Malicious Software and its Underground Economy: Two Sides to Every Story). Because I liked the hole exploitation topics I made the SLAE certification, which was a lot of fun and I highly recommend, also for preparing the OSCE. Now there is also a 64 Bit version.

My second job
I learned a lot and had great colleagues, but for me it was time to move on to my second job as a penetration tester, where I had the chance to travel more and to work for clients on site. Further I had the chance to do some Digital Forensics and Indident Response (DFIR) under the condition I do any certification, so I choosed the one the looked easiest for me, that was the CHFI (Certified Hacking Forensics Investigator). I would not necessarily recommend it, but at this time it helped me improving my career and also to do some forensics and incident response work. For the preparations I bought “The Official CHFI Exam Study Guide”. For gaining more in depth knowledge about forensics I attended a course at the University of Applied Sciences Albstadt-Sigmaringen about data storage forensics.
Besides the work I continued my research on antivirus evasion and gave a talk at the Deepsec conference 2014 (“Why Antivirus Software fails“).
Also I had the chance to speak at public and closed events from my employer and started to visit the OWASP chapter Cologne. For education and to get from professional to expert level I decided to make the OSCE certification. That was a blast for me. I never had such a challenging time in my career and I fell through the first test and had to take a second shot. The OSCE is highly recognized especially in the Red Team and Exploitation community. Like the OSCP for me it is not about teaching certain techniques, but training the right attitude you need for breaking stuff (Try harder). I was glad when I got the famous mail from offensive security after the second exam.
After 17 months on that job I took my chance and hired at a CERT, this will be the story for part 3.


Conclusion & some notes

  • be grateful for the knowledge and support of friends and colleagues – sometimes I forget to say this… so to everyone who helped me during my career: thank you!
  • when it is time to move on, move on, after all it is about business and your personal development
  • Giving talks gave me the great opportunity to network in the community and also to improve self esteem and public speaking
  • Be flexible, I moved for each job in the IT security field
  • for more networking I started to use twitter
  • Don’t give up, “Try harder”, the motto by offensive security also applies to searching for jobs and many more lessons in life, this attitude helped me also with my research
  • Working at a consultancy company is helpful, since it teaches you to be effective (time and costs), you learn to deal with pressure

Further reading:
https://danielmiessler.com/study/infosec_interview_questions/
https://netsec.ws/?p=517
https://coffeegist.com/security/my-osce-review/
https://master-digitale-forensik.de/

Start a Penetration Tester Career

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career (this part)
Part 2: From Beginner to Expert as Penetration Tester
Part 3: Working at a CERT and shifting to Technical Lead

From Administrator to the first Penetration Tester Job

I am sharing this because people ask me often about how to get into information security and how to improve a career. In this post, I describe my personal career and learning path including recommendations for books and more learning material. This may not be perfect to other people, for me it just worked. In later posts, I will give some recommendations for a more idealized learning path for different careers, for example as a penetration tester or a forensics specialist.

When I was working as an administrator back in 2011, I began starting to think about how I might change my career. My job back then included some Windows and Linux administration as well as some PHP and VBA coding. Further, I had coding skills in C and Java. In October 2012 I started my first job as penetration tester.

At this time, it was not clear to me whether to go more into depth as a network admin or to security. Since it seemed to be a good idea to have some networking skills, I started to work out a plan for getting the CCNA. 

Network skills
I started with the Mikrotik MCNA, since there was a training possibility in the town where I lived, I only used the training material offered by this course, but if you want more information have a look at the official Mikrotik page: https://mikrotik.com/

Then CompTIA Network+ followed. For the test preparation, I relied on two sources. The first is the free video series from professor Messer, these are excellent and I used to make notes about the content and reviewed them before a new training session. After the videos, I bought the book
Mike Meyers’ CompTIA Security+ Certification Passport” that included some example questions for training.

The CCNA was my first “bigger” certification and I remember that I put a lot effort in it, for example I bought a bunch of old switches and routers for a home lab. This was not necessary, but of course, it added some fun at this time. Much easier is to use simulation software for doing some labs.

Besides my own experiments, I worked through the book CCNA Routing and Switching Complete Study Guide. The certification at this time included not only the multiple choice tests, but also lab exercises.

Security skills
Because it became clear to me that I wanted to go into Security in my career, I started the CompTIA Security+ certification. As like for Network+ I used the Professor Messer tutorials and the book Mike Meyers’ CompTIA Security+ Certification Passport. 

I wanted to work as a penetration tester; I decided to do the OSCP certification and I am happy I did choose it over the CEH. Here is my review in German, more reviews in English here.

I made the certification in 2012, and nowadays I do not think that you must have an OSCP necessarily, although I strongly recommend it. It is a great certification and it surely helped me especially when it comes to attitude, endurance and patience. However, it can be a frustrating experience and if you do not have enough time or motivation, it will be hard. For me it was fun!

During the OSCP preparation, I bought two books:
–      The German book “Hacking mit Metasploit” (Hacking with Metasploit) by Michael Messner, which helped me a lot because it also introduced some Exploit Development and Client Side Attacks.
–      Hacking: The Art of Exploitation by Jon Erickson 

After the OSCP, I was lucky to find my first Job as a penetration tester.

Besides the certifications I also did a course at coursera “Webapplication Engineering” which I liked but it seems it was not continued.

Together with a friend we published an article in the German issue of the pentest magazine about pivoting, which was good having it on my CV for the first job in the field.

Conclusion
If you want a job in this field, the most important thing for me is to show that you are motivated. Nowadays I had some job interviews “on the other side” from the perspective of an employer. So besides qualifying with certifications and courses you should consider:

  • Start your own blog
  • Start your own projects on github
  • Contribute to projects
  • Networking (when I looked for my first job as a penetration tester I used Xing and wrote to company owners and asking for a job, which was successful) 
  • Consider publish articles on platforms like Xing, LinkedIn, magazines etc.

In the next part, I will go from starting the first job to going for expert level.