What Is it Like Being on a Penetration Testing Team?
Working on a pentest as a freelancer can be one of the most flexible opportunities a pentester can take up. As a result, many freelance and new pentesters often wonder what takes place daily or on a project basis during team-based engagements. Multiple questions normally arise: for instance, do things get monotonous? What does a pentester within a team mostly work on and do activities differ much?
In this article, we’ll answer the most common questions asked about teamwork during a pentest.
What Do Penetration Testers Spend Most of Their Time Doing? How Does This Vary?
As a pentester working in a team, tasks will vary depending on the pentesting role assigned to you and what the company does in terms of penetration testing. For instance, the following are some roles that pentesters might find themselves in:
Penetration testers working in teams will divide objectives amongst themselves, such as social engineering attacks, host scans, exploit execution, Wi-Fi attack, and much more during a job. Such jobs normally take weeks or months and pentesters will find this particular task being their day-to-day job for the duration of the project.
Even though most bug bounty hunters are individual security researchers, there are many companies that are specifically focused on bounty hunting. Pentesters working in teams in such companies will be involved in daily attempts to find security loopholes. This is normally restricted by a scope that must be adhered to and is mostly done remotely.
Many organizations have a function responsible for conducting cybersecurity training for its clients. Penetration testers might be assigned to roles (in teams) that require developing course content. Content might range from actual publications to videos and, in some cases, webinars where students join in. This is a labor-intensive exercise and might end up taking input from a small to medium team of pentesters.
Some organizations specialize in creating various tools that are used during penetration testing, vulnerability assessments or even for the defense of organizations. Sometimes zero days will also be included within such tools. The amount of research and input will be tremendous, and so pentesting teams will spend days discussing ideas on what to include within these tools.
Is Penetration Testing Repetitive? What Can Make It More Rewarding?
Penetration testing environments will tend to change significantly on a regular basis, even considering the implemented technologies. This means that there is always something new to learn with every penetration test conducted. This constant learning curve means that teams of pentesters are rarely bored with how the scenario plays out. Companies may also sometimes organize internal capture-the-flag challenges that allow pentesting teams to compete against each other. Such tournaments create a competitive and fun environment for pentesting teams.
Sometimes there arise emergencies that need to be addressed and this completely changes the plans intended for that particular day. “We never know what is going to happen. A day can start out calm or start out on fire and very quickly go from one or another,” Jim Treinen, a security analyst for ProtectWise, told Dark Reading. (See Sources.)
Some companies also organize trips to hacker conferences such as DEFCON for their penetration testing teams. Organizations are opening up to the idea of making the working environment as casual as possible to accommodate hackers, and this is making the workplace more exciting by the day.
What Are the Typical Responsibilities of a Penetration Testing Team? How Are These Divided Into Specific Roles?
Penetration testing teams can be classified into red, blue and purple teams. In a nutshell: red teams are concerned with attacking the target, blue teams mainly defend from malicious attacks and purple teams sit in between, to help support the process.
Jim Treinen told Dark Reading that his team is divided into two different groups. The first consists of the classic network security researcher-type analysts, who gather the bits and bytes of network traffic off the wire to determine what is good and bad and pull apart malware. The second group focuses on security analysis, performing behavioral analysis, machine learning and all the heuristic analysis that goes into judging what is legitimate activity and what is not.
Let’s look at how these three teams differ in tasks:
Organizations will hire red teams to covertly attack and exploit vulnerabilities discovered within target environments. Red teams can be considered as the highest level of penetration testers: they will, as much as possible, seek to mimic real-world attacks by employing different techniques that range from using sophisticated technologies to manually writing their own exploits to be used for the job.
The main difference between red teamers and the conventional pentesters is the approach used. Pentesters will often use weaker, common tools, such as Nmap, Nessus and OpenVAS, which are mostly detectable by virtue of being too noisy on the target network.
Organizations will often have a Security Operations Center (SOC) to oversee the security posture of the overall organization. The pentesters that sit within this team are known as blue teams, and they continuously sharpen their skills to defend the network against attacks that may originate from malicious attackers. They are skilled in incidence response, analyzing of logs, and reviewing traffic flow for malicious intent.
Organizations will include purple teams within their security functions to oversee the activities of the red and blue teams. Their work is to ensure that attacks by red teams are effectively managed by the blue teams and that the red teams continuously remain at the forefront of the latest hacking technologies. A member of the purple team may visit both camps of the red and blue teams to oversee how activities are being managed by each team.
How Do Team Activities Differ Based on Project Phases?
There are many common questions associated with this aspect of pentesting. How do team activities differ based on what phase the team is on in a given project? Do teams often shift from one project to another when there are multiple ongoing projects? How does this impact the work day?
Pentesting teams will often have their activities separated, based on the phases of pentesting to be covered. Sometimes there might be a very large number of hosts to be scanned for vulnerabilities or to be exploited: consider an environment with over 1500 hosts within 20 VLANs. Such an environment would require teams to divide themselves accordingly, based on the number of available pentesters.
In the event of multiple jobs, constant shifting of teams between client sites might significantly reduce the pace at which the teams effectively conduct the pentest. For instance, it could result in the teams working half a day at both clients, resulting in longer engagements than would otherwise be. Cybersecurity companies will, as a result, prefer to finish a job as fast as possible before moving to the next in order to minimize any confusion or lags that may otherwise result from multiple engagements.
What Is It Like to Conduct Pentesting Phases?
There are several standard phases to a pentesting project: intelligence gathering, planning and logistics, vulnerability assessment, exploitation, analysis and report writing. What is it like to conduct these phases?
While carrying out a pentest, intelligence gathering is by default the bit that will take the most in terms of time. Teams would divide themselves and pick target hosts, protocols and technologies to gather information on. For instance, Team A would maybe pick VLAN1, VoIP, VPN, SSL, HTTP and HTTPS, while Team B might pick VLAN2, TCP, UDP, SMB, DNS, and RDP. At the same time, Team C would perform man-in-the-middle attacks, network sniffing and brute-force attacks across VLAN3 within an environment consisting of 2000 nodes across three VLANs.
Planning and logistics isn’t a trivial exercise; it comes with experience. Several pentest methodologies will be considered if the client doesn’t provide one to adhere to. Project tracking tools such as Jira may also be employed to monitor the project progress. Again, it’s all about preference. Some clients will have different preferences from others.
Analysis will mostly depend on the tools that you have. “Depending on the types of tools you have in hand, you can trade searches off of that or elevate the monitoring of specific applications,” Treinen says. The amount of information you keep off of the target network. “If you keep enough history and enough memory of what has actually happened on your network, you can discover something you didn’t see before.”
Vulnerability assessment would most likely be the second exercise (after info gathering) to be conducted by all teams against their assigned VLANs. This makes it easier for the project going forward, since the VA will have discovered the potentially-vulnerable nodes within the network. But due to the reality of false positives, care needs to be taken and verification done using different vulnerability assessment tools.
Once intelligence gathering and vulnerability assessments have been conducted, the teams can then proceed to exploit the discovered vulnerabilities. The exploits will be informed by the information previously gathered, taking care not to unintentionally cause a denial of service or critical system downtime. Custom exploits may be authored for targeted and non-intrusive exploitation.
What Is the Work Culture Like on a Penetration Testing Team? Does It Depend on the Company?
Work cultures within companies vary a lot. Some companies will tend to be more formal, while others will tend to be casual.
Working in a pentest team within a formal company will often have several things dictated: for instance, the time to report for work and the dress code required while at the office. Working on a project and in a team, a pentester would be required to fact-check tools’ runs, communicate consequences before running certain tools and report any abnormal activities as a result of any tools run. There really will not be so much freedom to experiment within projects and this can become monotonous and kill creativity.
Pentesters seeking to join such companies will mostly qualify on the basis of their credentials and will need to work upwards, increasing their knowledge and obtaining coveted certifications in order to get to higher positions. Such companies are very mindful of their image, especially towards their clients. While hiring, they will conduct aptitude tests to assess the capabilities of the candidates wanting to join. Regular assessments and reports will be conducted to ensure that employees are constantly competitive.
Casual companies, on the other hand, are more interested in the deliverables, which will be determined by the skills honed by their pentesters. A pentester working within such an organization will notice that the flexibility allows for open-mindedness, creativity and innovation. For instance, in a project, a pentester would be allowed to try out creative methods to discover all sorts of vulnerabilities. Such organizations have come to learn that when passion is cultivated, it yields desirable results.
Pentesters seeking to join such companies will find that common basic requirements such as having a minimum of a bachelor’s degree in an IT field are not as much sought after; instead, skills demonstrated during an interview or in their professional history will matter much more.
The most important thing about being in a pentest team is the amount of skills gathered. Pentesters will often be involved in different kinds of projects with other, more experienced pentesters. They will learn the different approaches that would apply to different problem scenarios, and this will sharpen their pentesting skill considerably.
As pentesters move between different companies, they will learn the different work cultures and learn priceless people skills. Pentesters should always be willing to learn and pick up relevant information as they go.
A Day in the Life of a Security Analyst, Dark Reading