VIDEO

Going on the Offensive: How to build and mature an offensive security program

A security program matures by becoming more proactive rather than simply reactive. While this may be true, getting resources for offensive security activities, either for an internal program or even for outsourced testing, can be a challenge. In this Friends Friday cast, Phillip Wylie joins PlexTrac’s Dan DeCloss to discuss all things offensive security — from growing your skills as a practitioner to building a team to demonstrating the value of your program to stakeholders. Tune in for concrete steps you can take to start or grow your offensive security program whatever your current maturity.

Category: Informational Series

Transcript

Hey, everybody. Welcome to the latest edition of Friends Friday here at PlexTrac. We’re really excited about today’s show. You know me, I’m Dan DeCloss, founder and CTO of PlexTrac. Today we have on our cast Phil Wylie. We’re really excited about having him on. We’re going to be talking about building and maturing an offensive security program, something that’s near and dear to both of our hearts.

But for those of you that haven’t met Phil, we’d love for Phil, go ahead and introduce yourself, share a little bit about your background, and, and that’ll just help us dive into this topic because I’m excited to talk about it. I’m sure we could spend a lot of time on it, but introduce yourself and then let’s dive in. Okay?

Sure. I’m Phillip Wylie. I’ve been working in cybersecurity 20 years as of January, on the offensive side for twelve years. I’m also a former adjunct instructor. I used to teach pentesting and web app pentesting at Dallas College and continue to teach workshops at conferences.
And also, I’m the concept creator and co-author of the Pentester Blueprint, which is a book on starting a career in penetration testing. And I’m also a podcaster. I host the Phillip Wylie Show and, formerly, the Hacker Factory podcast.

Great, great. Awesome. Well, and you recently started a new role, is that correct? That’s correct.

Yes.

Is it okay to share that or like. Sure. Yes.

Yep, yep. Yeah. I shared on LinkedIn already, but I don’t really officially start until April 29, but I am starting work with Horizon3 AI. They have an automated pentesting tool, which is something kind of important. And as we dive into our talk, we’ll kind of discuss some of the importance of the evolution of pentesting because, you know, once upon a time, we didn’t have vulnerability scanners. This is before I got into pentesting. We didn’t have Metasploit, but those things help scale teams and there’s a need for more of that, even just like using tools like PlexTrac. Before people were manually writing reports. So all this automation and different specialized applications make a pentester’s job easier as well as help them scale.

Yeah, yeah, no, that’s great. And I think that flows into, like, there’s a couple things that, that are always on the top of people’s minds. Right. And so I think, you know, kind of what we’ll want to chat through today, just like what does it take to build a team and then, like, for individuals? Like, you know, I think you brought up a good point. Like what? Like, I get questions a lot. I’m sure you, you get it a lot, too. What does it take to get into pentesting specifically and offensive security? You know, I think a lot of security professionals just kind of in general, like have been or been asked a lot about how they get into security. But even, you know, pentesting is a much more specialized skill and then, and then how do we kind of like help these teams grow and scale? Because it is, it is a pretty niche skill set. But I guess maybe let’s start with like, you know, what would, what is the, you know, what is your advice to someone actually trying to get into pentesting, and then how does that foray into building a pentest team?

Let’s say one of the things is not to skip the basics, not skip the fundamentals because a lot of cases, and it’s kind of understandable. pentesting is a very interesting field and a lot of times people just want to jump into the, to learning the hacking piece, but it makes it a lot easier if you understand, you know, the different fundamentals. Because for me, I was, before I even got into security, I spent six years as a sysadmin, which was the most valuable experience I had going into being a pentester.

So you really have to understand the technology to be able to defend it and be able to break into it. The more you understand it, the easier it’s going to be. Because if you get a shell or command line to a Windows box and you don’t know the command line, you’re going to be doing a lot of googling and researching. So you really need to know those operating systems at a sysadmin level, but that doesn’t mean you have to spend six years as a sysadmin.

There’s some people out there, that’s what they recommend, that you have to start out on helpdesk, you have to start out on desktop support or sysadmin work, all these other roles. You don’t, you just need the education of that. So you don’t actually have to spend all that time in those areas. You just need to learn. And good options too, for learning those basics, is Professor Messer has some free videos on YouTube on A Plus, Network Plus, and Security Plus. You get through those, it’ll give you a good base understanding before you start trying to learn the hacking piece.

Yeah, yeah. No, I couldn’t agree more. I mean, I think that, you know, while people really want to know how to get into security and into pentesting specifically, you know, having, having those foundational skills and technology, you know, really play a big role. Right? You know, like you mentioned, like, I think some of the best net pentesters that I’ve met were in that sysadmin role or in some kind of, you know, prior lives, so they really understood how the networks worked in the applications that run the networks.

Also, you know, my background is much more in web app security, and I was a web app pentester primarily. And I found that some of the sharpest web app pentesters, and it’s not always the case, but some of the sharpest ones were former software engineers, former developers. They understood kind of how libraries came together and how they, how the code would be pieced. And, you know, it’s always, that kind of that big puzzle, right? Of like, how do I break into this network or how do I find this odd vulnerability in this web app? And so having some of that baseline background in technologies, particularly, like software engineering, IT, and networking system administration, plays a big factor.

And I’m glad you called out those resources because it’s also not one of those things where you have to go to college or say there’s always that big, but it’s more, and this is what I always tell people, is that having the knowledge and the skill set is the most important thing. How you get there, and, you know, whether that’s through a formal training program or a degree, of course, like probably back when we were getting started with it, there weren’t a lot of degrees back then, but I was very fortunate, you know. But a lot of folks, you know, they just kind of pick it up along the way. So I think that’s a really good, good thing to remember for everyone. And you have to kind of just be researching on your own, right? I mean, so, doing a lot of stuff. So. So, yeah, I think that’s a good foundation.

So then, like, you know, you’ve built security or you’ve built pentest teams and then been a part of consulting firms as well as, you know, worked with larger organizations. What were, what’s your advice and how, how have you gone about, like building, building, you know, a pentest team? And what are some of the key things, that you look for in your team members as well?

One of the things you’re going to need, too, because you’re building out a team and it depends on the size, is you’re going to need some good senior folks who are willing to mentor and help others. You know, I’ve seen people throughout my career who weren’t patient, didn’t want to help people. So you really need someone, who is almost as good of a leader and mentor as they are a pentester.

So that way you build the team out, you can kind of lean on them to educate the team and bring them up to speed. And one of the things, too, that you really need to instill in your team is a sense of teamwork. Because I’ve been on teams before where we’re all remote, totally isolated. No one was really helping each other. But when you got that cohesive team, they’re sharing that information. Because when you’re, you know, you’re first getting started out in pentesting, when you’re having to go through and validate vulnerabilities, you know, there’s manual ways of doing it. You just can’t, you just don’t take the output from Nessus and say that’s vulnerable.
You do manual testing techniques. And as pentesters, we’re all keeping our little notebooks and notes on how we do that stuff. But if we can have like a centralized repository of notes that we can share with the team, some of those things that we already figured out how to do, they can figure out how to contribute to that library and make things a lot easier instead of everyone wasting time. Research is good because you learn how to research, but why should someone have to research something that’s already researched and already documented?

Right, right. So along those lines, I think, you know, good teamwork, you know, some of that is personalities. Right. You know, so it doesn’t always come down to skills per se. When you’re kind of building a team like most people are, it’s like some people just may not be a fit for the culture of the team, but once you’ve kind of established, you know, the key players on the team, what are some of the ways that you’ve gone about building the program itself? What are some of those key aspects, whether it’s a consulting type firm or even advice for organizations building an internal program? What are some of the key characteristics that you’ve seen be successful?

Yeah, making sure that kind of going back to that documentation, make sure you’re documenting the processes that you have a good runbook that’s easy to duplicate because once people come in, we’re humans, we make mistakes. So be able to document, have a runbook, that checklist, you can go back and make sure you’ve done those things. And some of those are options too, if I remember correctly, in PlexTrac that you can actually have those runbooks there. Make sure you got that checklist because it’s so easy to forget things. Make sure you get the processes documented, a good report template, that you are really making sure you’re building out a good executive summary.

So the folks outside of the technical side of things like your CISOs and your board, get value out of that report because you want them to get as much value as you do the tech team because they’re the ones signing the check and making all the approvals. And if you do a good job there, if you’re a consultant, they’re going to have you back. But in the report, really document the steps. If you exploited something, make sure you’re documenting all the steps you got in and not just a screenshot of proof, ideally best practices. You want to detail that enough so they could go back and replicate it themselves, or another pentester is going behind you, retesting that they’re able to easily duplicate those steps.

And also, I think, constantly, constantly educating, you know, if someone on your team doesn’t have experience with web, you know, get them training in web and then kind of have them shadow others to learn that. So one of the best jobs of my career was my second consulting job: any type of pentesting I wanted to do, they would tell me, go take this training, read this white paper, and you can do the pentest. So be open to letting people learn, because one of the reasons people leave companies is if they’re bored, not getting to learn more. So make sure you’re keeping it interesting for them.

And I would say stay ahead of the curve and learn some of the newer technologies that are becoming more, more prevalent in our industry. You know, like some of the large learning models and web three stuff. Start investigating that because notoriously you’re in a company and all of a sudden someone saw some presentation somewhere. Yeah, we’re going to this, you know, type of AI product or whatever.

Yeah, no, it’s interesting. And then, you know, I talk to, I kind of joke that hackers are lazy, you know, in a good way: if they have to do something twice, they will find a way to automate it. Right. It’s like, I don’t have to do this again. What have been some of the things that you’ve seen from a tooling perspective? I mean, you gave a nice plug for PlexTrac. Obviously, we’re super biased, but what are some of the other tools in the tool belt that you’ve seen be successful for teams, you know, and things that maybe people trying to get into it should maybe try to learn if they can?

Yeah, I think that some of the reconnaissance tools out there, like Amass. Jeff Foley created Amass, and that, you mentioned people automating stuff. So that’s one of the interesting things about the AI and all that automation: people are starting to do more of that because people were trying to automate the easy tasks. So I think, you know, working on automation and that type of thing to help make your job easier, and then you can spend more time on the most interesting thing. And that’s where people kind of worry about AI. But I think as practitioners we should be happy with AI because it takes us away from some boring tasks, because I’m sure you probably experienced this as a pentester going back, validating SSL related vulnerabilities can be boring, especially on a big pentest. You’ve got hundreds of vulnerabilities related to that and you’re going through and validating those things. You know, with AI and some of the automation, you’re able to spend more time on the interesting stuff.

Yeah, yeah, yeah, exactly. I mean, I use the term let automation take care of the low-hanging fruit. Right? Like, you know, Burp Suite was like one of the, one of the key tools in my tool belt for. And it still is. Right. You know, because, you know, it’ll find a lot of those things or at least find some of the initial things that like, oh, this looks juicy. I may, go here. Right.
And then, you know, like just like any tooling, you know. Then, like you said, it allows the testers to focus on the, even the much more difficult problems that take longer to solve.

I mean, the joke we always had was Friday afternoon was when you actually got the most interesting exploits developed. Because if it was like a week-long engagement you had all week to really kind of understand the application, understand the inner workings of it. So you would get these aha moments towards the end of the test because you were so familiar with the application. And if you didn’t have automation that led you to that, you might miss something. And then that’s just, you know, it’s then a gap that doesn’t get discovered, right, from the engagement and could get discovered by an attacker. Right.

So, but, okay. No, great, great, great insight there. So what has been your experience? So, like, you know, you’ve built the team. You’ve got the, you got kind of the tools in place and the automation in place. Kind of thinking more programmatically, what are some of the, what are some of the key things that you recommend for teams? I’m thinking this could be a consulting engagement where it’s more continuous, but like internal teams especially, they’re doing this on a continuous basis. What’s been your approach or you’ve seen be successful for really having a continuous assessment program?

Yes, as far as continuous assessment. And being frequent is important, you know, because back several years ago, PCI DSS only required one pentest per year. So having those frequent pentests, I think as far as an internal company, you know, sometimes people would do this with consultants, is rotate out the people that are doing the tests, because you bring someone in with a fresh set of eyes and maybe they find something, and they’re more skilled in a certain area than the person before them. But rotating out, you know, those pentesters and really trying to get buy-in from the company as well as the IT teams and the security teams. The latter one, know that you’re on the same page, that you’re trying to help each other. You’re not trying to make them look bad.

As far as the pentesters go, when you’re doing these debriefings or report readouts, you know, be respectful. When you’re documenting the pentest, make sure you’re documenting all the things that they did well. That way you’re not just coming in on the offensive, making them look bad. So you want to let them know that you’re on the same side. And sometimes they understand that better, and they will. You’ll get more teamwork on their side. They’ll be more willing to help you out and make for a better experience for both sides.

Yeah, you bring up a great point because, obviously, we’ve been around the notion of purple teaming for quite a while. Right? And that’s one of the things that I truly, I wouldn’t say harp on, but it’s kind of my mantra around like it’s important to highlight the things that didn’t work from the pentester’s perspective. Right. So it did work from the defender’s perspective, like, hey, we blocked this type of attack or we were alerted to it or have forensic evidence because then you can actually track progress over time too, right? I mean for testers it is important to say, hey, not only did we find these things but here were the things that didn’t work that we really tested for. And it, you know, kind of if you’re like tracking against like you know, MITRE, ATT&CK, you can kind of say like, hey, you have some gaps in maybe privilege escalation but you’ve got some really strong controls in, you know, lateral movement or something like that.

Right. And I think it’s, I think that’s an interesting takeaway for teams to really, if you’re not, try to emphasize the things that didn’t, like from the tester’s perspective, didn’t work so that the security controls that were in place that did work. So that way you have this running trend of like, hey, these were the, over time, you know, this is the amount of stuff that continued to fail for every test that you did. And, you know, and then, you know, maybe a year later you can actually show a lot of progress. I don’t know. That’s just in my opinion, I don’t know if you got any.

Yeah, I really, really like your comments on the purple teaming. I think that’s awesome. I’m a big fan of it and I think people can bring up the postures of their organization so much quicker because you figure if you’re only doing an annual pentest or biannual pentests, then you’ve got that amount of time because, you know, it’s a cycle. You do the pentest, you do the remediation, repeat the process. So if you’re only pentesting once a year, there’s all that time that nothing’s going on. But if you can go in, do the purple team exercises, eliminate some of the possibilities from the hands of a threat actor, remove some of the tools that they can use, that goes a long way with improving your security posture, right?

Yeah, yeah, exactly. Exactly. And then I think that the nice thing about, you know, kind of the world that we live in today, you know, while some of the requirements still may require annual testing or maybe that’s the minimum.
I do think that the teams are starting to get the notion of the importance of just continuous testing. Right. So, like keeping those, you know, the scopes of those engagements small and maybe even very pointed. Or, hey, the product that we normally test is releasing a new feature. So just getting that into getting testing built into the lifecycle of deployment and release, which I would say hasn’t been, like when I first got started, that definitely was not the case. Right.

You know, testing was, was an afterthought and everything was in production at that time.

Yeah, yeah. And then so much of the pentesting being based on compliance and not really done for the true reasons why you should have a pentest done, right?

Yeah, yeah, exactly. Like just getting the box checked so the report just ends up on the shelf. And I mean, that’s true. I mean, you know, I, I remember distinctly in my consulting days, you know, we’d have repeat customers, you know, testing the same app. And while we tried to mix up who would be testing different apps, you’d kind of come back to it after like two years or something. And I definitely remember picking up one of the old reports that a team member of mine had done on a web app that was like two years old. Right. And I’m like, hey, I’ll just test to see if any of those findings still exist. And sure enough, like, you know, one of the session cookies was still valid. This is two years later, you know. So. And it was, it was that same type of finding. So they, they, they didn’t fix it, and then it was the same session token. Right? So it’s just like, oh, my gosh. Yeah, this is crazy.

Not, not remediating is scary because I did a test one time at one of the places I consulted, we did a pentest of this company. And so we went in, they had a REIT 90-day retest. So I went in, performed the pentest. They actually remediated the criticals, highs and mediums. But by the time I came back and retested one of the low vulnerabilities, someone had figured out how to — Not in that environment — but someone had figured out how to exploit that vulnerability. So I went back doing my Nessus scans and stuff. Then it popped up that it’s now a critical or a high because someone in that 90 days figured out, a security researcher, threat actor, figured out how to exploit it. And if it hadn’t been for me, coming back and they would have waited another year. They would have been open a year to possibly be unexploited. Yeah.

Yeah. Well, I think that that’s a good lead into kind of the last, the last kind of thought I wanted to kind of bounce off of you is, is like, you know, truly kind of being able to show the value that you have and getting buy in from leadership. I think that’s always been a, you know, the pentesting investment, security investment in general always is kind of this give and take in terms of budget and time and people. So what, what would you say? You know, you would give tips to teams as people are building it out to, like, truly show the value that you’re demonstrating over time and keeping the, you know, keeping the key stakeholders engaged. What are some tips and tricks there?

So I’d say, you know, keeping good documentation, you know, on reports to make comparisons so you can kind of see how, how things are improving, you know, keep stats on that as well as educate management and the other teams on pentesting. I mean, you know, come in and maybe even, I do a talk that I call offensive security awareness that I’ve given at conferences. And basically, the goal of it was to teach people that are not working on the offensive security side about red teaming and pentesting and the different assessment types and show the comparison. So I think really explaining to them and going beyond your typical security awareness is a good way to let them understand and see the value in it, because I think when people don’t realize how critical it is, it’s kind of an afterthought. They really don’t take it seriously. But whenever you can educate folks on why it needs to be done, you know, whenever certain vulnerabilities come out, they’re exploitable. Share that same information that you’re seeing with the teams to let them know. Just let them know how serious it is because education goes a long way, and also tracking how well the company is doing with the remediation, and all that. Because the pentest. Yeah.

And do you have any experience, I mean, from the, for an internal team, they understand the context of the business and the risk and threat profiles and the stakeholders. But do you have any experience with, like, consulting firms where, hey, for different customers, you might have to approach the risk conversation in different ways. Right. Kind of tailoring it to what that business truly might care about. I mean, this was just a random thought. I don’t know if you’ve got any advice there or not.

Yeah, I’ve seen that in some organizations, and I actually worked for a company for a while that started out as a consulting company, but they created a cloud-based solution for importing the pentest results and doing risk quantification. They even showed, like, the cost for any kind of compliance-based fines, the cost to remediate and all that. And that way it kind of showed you what to focus on as far as for prioritization of the remediation. So I think those types of items are good. And I see things going more towards a risk-based approach. And that is something that’s the kind of the lingo that the board and the business groups are going to understand. So we come back to them with a risk quantification or risk-based approach, they’re going to understand it a lot better than some of the jargon that we would rattle off on about the different vulnerabilities or exploits. Yeah, yeah.

You know, and that prompted, you know, kind of almost in my head, kind of come, coming full circle, full circle to, like, the team members themselves. As you know, it’s obviously the technical skill set is super important. Right. And being able to have the chops to do the hacking and understand the technology and what you’re actually doing, even from the toolset, I’m always a big, big believer in understanding what the toolset is doing under the hood, right. In terms of not just being able to hit the button, what we used to call the script kiddie, or maybe we still do call them script kiddies, but also being a really good communicator. Right.
Being able to effectively communicate the risk. Right. Because you have to know your audience. Right? Like, you know, Speech 101 or Communications 101 is like, know the audience. What are they going to care about? And so you hit it on the head.

I think, in terms of the stakeholders, you know, they’re going to speak a different language in terms of business risk. And so being able to accommodate and tailor your communications and your assessments toward that audience is important. Right.

So, yeah, well, great. I know. These sessions go by so fast. We could spend probably three more hours talking about all this in much more depth, but we just love to be able to kind of bring people on, share their experiences, talk about interesting topics. I know this one, we have a lot of stuff we could go into, but I would say I would sum up the key takeaways as building yourself in terms of knowing the underlying technologies — taking it on yourself to understand and learn those resources — automating as much as possible for your team, and, you know, building that continuous kind of assessment mindset and paradigm, and then really staying in the mode of progress over time and how you’re communicating that value to your stakeholders. Those seem to be kind of the big themes that we chatted about from building a mature offensive security program.

Is there anything else that, anything else you want to throw in there, or does that sound like a plan?

I think you covered it well.

Great. Why don’t you share with us, you know, some of your resources, you know, as we, as we sign off here, like, I know, how can people find you? Where can they learn about any services and trainings that you’re offering and then, you know, any, any last, any last parting words?

Sure. Some of the best places, of course, my website, www.thehackermaker.com, but you can reach out to me on LinkedIn. I’m always happy to answer questions. I have folks that are trying to break into security or penetration testing, or just people in general wanting to understand more about the offensive security space, reaching out to me all the time. I’m also available on X, formerly known as Twitter. You can find me there. And you can also go to my YouTube channel, which is Phillip Wylie. And if you go there, I even have like a whole semester of the lectures I taught at Dallas College on pentesting, so people can take advantage of that and see some recordings of those presentations, as well as my podcast, the Phillip Wylie Show. I have different people from the industry sharing how they got into it from a broad range of backgrounds.

Awesome. Awesome. Well, and thanks so much for all that you do for the community, too. I mean, that’s always an important aspect of our industry. I think it’s unique to our industry that we really have a community that for the most part, really tries to share and help each other grow and learn and be successful in our own rights, because I think we’re all in a, we all share the same mission at the end of the day. So thanks for all that you do. Thanks for coming on.
We really appreciate your time. We know it’s valuable and we look forward to doing this again sometime. And definitely best of luck. We love the folks over at Horizon3 and love the product Node Zero, so we’ll give them a plug as well. But we’re excited to have had you on the show. And for all those that haven’t tuned in before, feel free to leave comments in the chat. And we will.
We will definitely try to reach back out and get those answered. But I’ll also plug, like, if there’s anybody else that you’d be interested in hearing or any other topics that you’d like us to kind of flesh out on a Friday, please let us know, and we’ll see what we can do. But really appreciate everybody’s time today. Phil, thanks again, and we’ll definitely be seeing you soon. So that’s it for now. Thanks, everybody. Happy Friday.