From Beginner to Expert as Penetration Tester

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career
Part 2: From Beginner to Expert as Penetration Tester (this part)
Part 3: Working at a CERT and shifting to Technical Lead

My first job
The first job as a penetration tester was pretty exciting for me. I was lucky to have many colleagues who engaged very much with the newcomers, and at the beginning everyone got at least three workshops lasting 2-4 days, if I remember correctly. The OSCP prepared me pretty well for the way of thinking needed to solve the day-to-day problems on the job. The job was at a consultancy company that mainly does penetration testing engagements in Germany. During that time I also started researching antivirus evasion (in my free time, btw). In most consultant jobs the time per engagement is short. For me that was a huge advantage: I learned to do web app testing in a short time. Besides learning from colleagues I also read some books like The Web Application Hacker’s Handbook, The Shellcoder’s Handbook and Network Security Assessment.
I had my first presentation (in German at the Backtrack Day 2013) about antivirus evasion, which made me very proud of course. 
During the first job, which lasted 18 months, I also visited the CCC Congress twice, had several chances to conduct interesting pentests (mostly web and mobile) and did an interesting online course (Malicious Software and its Underground Economy: Two Sides to Every Story). Because I liked the whole exploitation topic, I did the SLAE certification, which was a lot of fun and which I highly recommend, also as preparation for the OSCE. Now there is also a 64-bit version.

My second job
I learned a lot and had great colleagues, but for me it was time to move on to my second job as a penetration tester, where I had the chance to travel more and to work for clients on site. Further, I had the chance to do some Digital Forensics and Incident Response (DFIR) under the condition that I did a certification, so I chose the one that looked easiest for me, which was the CHFI (Certified Hacking Forensics Investigator). I would not necessarily recommend it, but at that time it helped me improve my career and also to do some forensics and incident response work. For the preparation I bought “The Official CHFI Exam Study Guide”. For gaining more in-depth knowledge about forensics I attended a course at the University of Applied Sciences Albstadt-Sigmaringen about data storage forensics.
Besides the work I continued my research on antivirus evasion and gave a talk at the Deepsec conference 2014 (“Why Antivirus Software fails“).
Also, I had the chance to speak at public and closed events of my employer and started to visit the OWASP chapter Cologne. For education and to get from professional to expert level I decided to do the OSCE certification. That was a blast for me. I never had such a challenging time in my career; I failed the first exam and had to take a second shot. The OSCE is highly recognized, especially in the Red Team and exploitation community. Like the OSCP, for me it is not about teaching certain techniques, but about training the right attitude you need for breaking stuff (“Try harder”). I was glad when I got the famous mail from Offensive Security after the second exam.
After 17 months in that job I took my chance and got hired at a CERT; this will be the story for part 3.


Conclusion & some notes

  • Be grateful for the knowledge and support of friends and colleagues – sometimes I forget to say this… so to everyone who helped me during my career: thank you!
  • When it is time to move on, move on; after all it is about business and your personal development
  • Giving talks gave me the great opportunity to network in the community and also to improve self-esteem and public speaking
  • Be flexible; I moved for each job in the IT security field
  • For more networking I started to use Twitter
  • Don’t give up. “Try harder”, the motto of Offensive Security, also applies to searching for jobs and many more lessons in life; this attitude also helped me with my research
  • Working at a consultancy company is helpful, since it teaches you to be effective (time and costs), and you learn to deal with pressure

Further reading:
https://danielmiessler.com/study/infosec_interview_questions/
https://netsec.ws/?p=517
https://coffeegist.com/security/my-osce-review/
https://master-digitale-forensik.de/

Short Review: x33fcon

x33fcon is a nice & small conference in Gdynia, Poland, near Gdansk.

“Welcome to x33fcon, a new gathering for IT security professionals and enthusiasts. It’s a new event where blue and red teams meet to exchange views and ideas, share experiences, and discuss the latest security challenges in the industry.”
From: https://www.x33fcon.com/

The ticket price is low (also if you plan to travel there privately), and the content was really professional and interesting, a bit more than someone might expect when you see the size of the con. Kudos to the organizers for getting so many interesting speakers and talks. Besides the talks there is also a CTF and workshops, and after the conference trainings take place. There is also some great food for lunch, and in the breaks there is coffee and small snacks. The breaks are long, so you have some time to talk with speakers and other folks around. It seems that ATT&CK is the hot topic currently; at x33fcon alone they had three talks about it.

From my point of view as a Red Teamer, some more talks about breaking stuff on the exploitation level would have been great. x33fcon is a great conference; the only criticism from my side is that the attendees are being filmed in every talk from every perspective possible. At other conferences they ask before taking photos or filming; maybe that might be an idea instead of filming the whole audience.

Besides the conference, Gdynia, Gdansk and the beaches around are really nice.

Conclusion: Highly recommended.

Start a Penetration Tester Career

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career (this part)
Part 2: From Beginner to Expert as Penetration Tester
Part 3: Working at a CERT and shifting to Technical Lead

From Administrator to the first Penetration Tester Job

I am sharing this because people often ask me how to get into information security and how to improve a career. In this post, I describe my personal career and learning path, including recommendations for books and more learning material. This may not be perfect for other people; for me it just worked. In later posts, I will give some recommendations for a more idealized learning path for different careers, for example as a penetration tester or a forensics specialist.

When I was working as an administrator back in 2011, I started thinking about how I might change my career. My job back then included some Windows and Linux administration as well as some PHP and VBA coding. Further, I had coding skills in C and Java. In October 2012 I started my first job as a penetration tester.

At this time, it was not clear to me whether to go more into depth as a network admin or to go into security. Since it seemed to be a good idea to have some networking skills, I started to work out a plan for getting the CCNA.

Network skills
I started with the Mikrotik MCNA, since there was a training possibility in the town where I lived. I only used the training material offered by this course, but if you want more information have a look at the official Mikrotik page: https://mikrotik.com/

Then CompTIA Network+ followed. For the test preparation, I relied on two sources. The first is the free video series from Professor Messer; these are excellent, and I used to make notes about the content and reviewed them before a new training session. After the videos, I bought the book “Mike Meyers’ CompTIA Security+ Certification Passport”, which included some example questions for training.

The CCNA was my first “bigger” certification and I remember that I put a lot of effort into it; for example, I bought a bunch of old switches and routers for a home lab. This was not necessary, but of course it added some fun at the time. Much easier is to use simulation software for doing some labs.

Besides my own experiments, I worked through the book CCNA Routing and Switching Complete Study Guide. The certification at that time included not only multiple-choice tests, but also lab exercises.

Security skills
Because it became clear to me that I wanted to go into security in my career, I started the CompTIA Security+ certification. As for Network+, I used the Professor Messer tutorials and the book Mike Meyers’ CompTIA Security+ Certification Passport.

Since I wanted to work as a penetration tester, I decided to do the OSCP certification, and I am happy I chose it over the CEH. Here is my review in German, more reviews in English here.

I did the certification in 2012, and nowadays I do not think that you necessarily must have an OSCP, although I strongly recommend it. It is a great certification and it surely helped me, especially when it comes to attitude, endurance and patience. However, it can be a frustrating experience, and if you do not have enough time or motivation, it will be hard. For me it was fun!

During the OSCP preparation, I bought two books:
–      The German book “Hacking mit Metasploit” (Hacking with Metasploit) by Michael Messner, which helped me a lot because it also introduced some Exploit Development and Client Side Attacks.
–      Hacking: The Art of Exploitation by Jon Erickson 

After the OSCP, I was lucky to find my first Job as a penetration tester.

Besides the certifications I also did a course at Coursera, “Webapplication Engineering”, which I liked, but it seems it was not continued.

Together with a friend I published an article in the German issue of the PenTest Magazine about pivoting, which was good to have on my CV for the first job in the field.

Conclusion
If you want a job in this field, the most important thing for me is to show that you are motivated. Since then I have had some job interviews “on the other side”, from the perspective of an employer. So besides qualifying with certifications and courses you should consider:

  • Start your own blog
  • Start your own projects on github
  • Contribute to projects
  • Networking (when I looked for my first job as a penetration tester I used Xing and wrote to company owners asking for a job, which was successful)
  • Consider publishing articles on platforms like Xing, LinkedIn, magazines etc.

In the next part, I will go from starting the first job to going for expert level.