TRANSCRIPT
Pen Testing, Red Teaming, and More
@ChrisTruncer
What’s this talk about?
● Who I am
● How I got started in the industry
● What is “red teaming” and/or “pen testing”
● Different Offensive Jobs
● Where is the field going?
● How to learn and get your foot in the door
● Questions
uid=0(@ChrisTruncer)
● Christopher Truncer (@ChrisTruncer)
  ○ Hacker
  ○ Open Source Software Developer
    ■ Veil Framework Developer
  ○ Florida State Seminole
  ○ Random certs… blah
● Red Teamer and Pen Tester for Mandiant
How I Started
● College
  ○ College computer security class
  ○ Hack my roommate
    ■ “Wow, hacking is real”
  ○ Took a security class
  ○ Decided this is what I wanted to do
    ■ …. is this even a job?
How I Started
● Start off in a technical role
  ○ Wanted to get a technical foundation before moving into security
● First job, not what I wanted
● Became a Sys Admin at Northrop Grumman
  ○ Stayed for about 2 years
● Began my plunge into security, and haven’t looked back
What is Penetration Testing or Red Teaming?
Different Job Descriptions
● Vulnerability Assessment/Assessor
● Penetration Tester
● Red Teamer
● Exploit Developer
Vulnerability Assessment/Assessor
But that’s it… Kind of boring, right?
Penetration Tester
Red Teaming is a little different, but similar
Red Teaming == Objective-Based Adversary Emulation
Pen Testing/Red Teaming Career Paths
Tale of Two Tracks
● All team members will typically start in a general pen testing position
● With experience, you will typically specialize
  ○ Red Team? Web Apps? Thick Clients?
● After specialization, two main tracks exist
  ○ Technical Track
  ○ Management Track
Tale of Two Tracks
● Technical
  ○ Performing research, or concentrating on leading technical challenges
    ■ Tech SME
  ○ Live and die by your own sword
● Management
  ○ Lead teams running assessments
  ○ Could stay technical… “It depends”
Tale of Two Tracks
● Both tracks have their pros and cons
● Honestly, just figure out what you love to do
  ○ It’s what the beginning stage of pen testing is designed to let you do
● Find your passion in this, and go for it
  ○ This field is filled by people who LOVE what they do
Exploit Developer
Exploit Developer
● Typically not on Ops
  ○ Not on keyboard
● Performing research on various technologies
  ○ Predominantly includes low-level analysis
    ■ Be very comfortable in a debugger and decompiler
    ■ Understand the basics of exploitation
      ● Buffer overflows, SEH overwrites, egghunters, etc.
Exploit Developer
● This can be really fun and rewarding
  ○ Perfect for people who really like taking apart puzzles and finding holes
  ○ Can be VERY time consuming - might take 6 months of research to find a vuln you can exploit
  ○ Might not find a vulnerability
  ○ Make a lot of money
Where is OffSec Going?
Where’s the field going
● Pen Testing and Red Teaming are relying less on technology, and more on people
  ○ Human error is easiest to exploit
    ■ Layoff Example
  ○ Misconfigurations/Poor configurations are what we look for now
    ■ User-Hunting
  ○ This is likely the way forward
Where’s the field going
● Exploitation is getting harder to do
  ○ Defensive technologies are making life hard
    ■ Used to see lots of exploits; post Win 7 -> not as much
  ○ Not many companies are offering pure exploit development positions
    ■ Government positions
    ■ Third party companies
Certifications
● They can be… ok..
  ○ Sometimes needed to help get past HR
  ○ They are NOT a sign of competency
● Best certs, look at Offensive Security
  ○ OSCP - Pen Testing
  ○ OSCE - Exploit Development
● This style of certification demonstrates knowledge and is respected
What I wish I knew
● Be prepared to be uncomfortable at times
  ○ Always in a new environment with new “stuff” and you’re expected to break it
  ○ Perk of the job too :)
● Build your process
  ○ Learn how you best approach networks, web apps, etc.
  ○ Use this to face what you don’t know
Get Into Coding
● Learning to code/script will be invaluable
  ○ Add functionality, or write your own tools
  ○ Manipulate large data sets
  ○ Nearly a requirement to be successful
Where to start coding?
● Pick a language to learn
  ○ Windows -> PowerShell
  ○ Linux -> Bash, Python, or Ruby
● Find something tedious
  ○ Automate it!
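A worked illustration of the "find something tedious, automate it" advice above, added here as an example and not part of the talk or the speaker's tools. It takes a block of constructed scan-style findings (host, port, protocol, service, with duplicates and a comment line), dedupes them, groups open ports per host, and flags services that fall outside a hypothetical expected baseline, then renders the result as CSV. The sample data and the `BASELINE_SERVICES` set are assumptions made up for the example.

```python
"""Automate a tedious task: merge scan-style finding lines into a per-host summary.

The input below is constructed sample data, not output from any real tool.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: one "host port proto service" line per finding, with a
# duplicate line and a comment line to show the parser coping with real-world mess.
SAMPLE_FINDINGS = """\
10.0.0.5 22 tcp ssh
10.0.0.5 80 tcp http
10.0.0.7 445 tcp smb
10.0.0.5 22 tcp ssh
10.0.0.9 3389 tcp rdp
10.0.0.7 139 tcp netbios-ssn
# comment line to be ignored
10.0.0.9 445 tcp smb
"""

# Hypothetical baseline (assumption): services expected on this segment.
BASELINE_SERVICES = {"ssh", "http"}


def parse_findings(text):
    """Parse lines into a set of (host, port, proto, service) tuples.

    Blank lines and '#' comments are skipped; the set removes duplicates.
    """
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected line: {raw!r}")
        host, port, proto, service = parts
        findings.add((host, int(port), proto, service))
    return findings


def summarize_by_host(findings):
    """Group distinct open ports per host, sorted so output is stable."""
    by_host = defaultdict(list)
    for host, port, proto, service in sorted(findings):
        by_host[host].append((port, proto, service))
    return dict(by_host)


def flag_off_baseline(by_host, baseline):
    """Return {host: [services]} for services not in the expected baseline."""
    flagged = {}
    for host, entries in by_host.items():
        extra = sorted({svc for _, _, svc in entries if svc not in baseline})
        if extra:
            flagged[host] = extra
    return flagged


def to_csv(by_host):
    """Render the summary as CSV text for a spreadsheet, report or ticket."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "port", "proto", "service"])
    for host in sorted(by_host):
        for port, proto, service in by_host[host]:
            writer.writerow([host, port, proto, service])
    return buf.getvalue()


if __name__ == "__main__":
    hosts = summarize_by_host(parse_findings(SAMPLE_FINDINGS))
    print(to_csv(hosts))
    print("off-baseline:", flag_off_baseline(hosts, BASELINE_SERVICES))
```

The same shape works for any line-oriented output you find yourself re-reading by hand: parse into tuples, dedupe with a set, group with a dict, and emit something a spreadsheet or ticketing system can ingest.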
How to Learn
● Go to security conferences!
  ○ Might be anywhere from $10 - $300
  ○ BSides Conferences are local and almost always free, or super cheap
● Build your own lab
  ○ VMware is your best friend
  ○ VulnHub
● Try free CTFs
● Twitter!
?
Chris Truncer
  ○ @ChrisTruncer
  ○ [email protected]
  ○ https://www.christophertruncer.com
  ○ https://github.com/ChrisTruncer