"I think like a Hacker" - Why I chose the job of pentester!
by Svenja Koch
Working in the IT security industry is incredibly varied. As an IT security analyst, for example, you analyse and monitor the components of the entire corporate network and thus protect the infrastructure from attackers. As a system developer, you design and program anti-virus applications and other protection tools against hackers. As an IT security consultant, your job is to protect the valuable data of your company and its customers.
I, on the other hand, have chosen a career as a pentester. In this article I explain what my daily routine looks like, what a pentester earns and what qualifications are necessary.
The training to become a pentester
Working as a penetration tester is not a traditional career choice, such as a teacher or bricklayer. Rather, in most cases, the pentester gets to this position via a career within the IT industry. There are courses that teach basic knowledge about pentesting. However, these are not fully-fledged training courses, but build on existing knowledge. A basic understanding of IT security must be present, as well as knowledge of computer science in general. In principle, it is therefore necessary to first complete a classic apprenticeship or degree in the field of IT.
I first trained as an IT specialist with a specialisation in system integration, combined with a B.Sc. in computer science in a dual course of study. After that, I worked for a few years at a company in the IT security sector. There I was entrusted with the maintenance and improvement of an application used for network security in remote monitoring. Because of the changes in the field of IT security and the growing number of cyber attacks, the company expanded its service offering to include optimising security in customer networks. From then on we carried out penetration tests, for which specialised personnel were needed. After further education and internal training, I switched to the pentester job. Along the way, I acquired certifications such as Offensive Security Certified Professional (OSCP) and Offensive Security Web Expert (OSWE).
Entering the profession as a career changer is also possible. Many young hackers have taught themselves their skills, often at a young age, and some of them are astonishingly good, sometimes better than trained IT security specialists. This group is therefore basically well prepared for work in IT security. However, anyone with a criminal record in the field of computer crime has a poor chance of getting a pentester job. In this career field, we emphasise being white-hat hackers, which means that we use our skills and knowledge exclusively for good purposes and only with the permission of the system owner.
My everyday life in the pentester job
The tasks of a pentester are exciting and can hardly be compared to anything else in the field of IT. My central role is to find vulnerabilities in the networks and IT security of our customers. To do this, I carry out authorised cyber attacks on their systems.
We always carry out penetration tests in person. There are providers of automated tests, where a program works through a kind of checklist and thus seemingly tests networks for security. Such scanners are useful for coverage and I use them too, but as a human pentester I am more effective than a program alone: I act not only intuitively but also according to the situation, chaining findings that a scanner would report in isolation and recognising logic flaws that no checklist contains. That is why I chose the description "I think like a hacker" in the introduction. A real pentest requires a real person to simulate the cyber attacks. With my experience and my evaluation of the situation I find when penetrating a foreign network, I find far more than an automated scan, although no test can honestly promise to find every vulnerability. Of course, such cyber attacks only take place after prior consultation with our clients. In Germany and many other countries, the actions of a pentester are only legal with the explicit, preferably written, authorisation of the owner of the systems being tested, which also fixes the scope and the time window. Consent is required because some of a pentester's methods of attack would otherwise constitute criminal offences, in Germany for example under §202a StGB (unauthorised access to data). This is the case, for example, if I am successful in a penetration test, penetrate the client's network and obtain sensitive data or personal information.
The attack methods of a pentester have a lot in common with those of real hackers. Within the agreed scope there are hardly any restrictions on the techniques I may use; what is fixed in advance is the scope itself, the time window and any actions the client excludes, such as anything that could cause an outage. This is important, because the pentester job is about uncovering every weak spot I can find, no matter how small, in our clients' networks. To achieve this goal, I have different investigation methods at my disposal. The security audit variants simulate the attack scenarios that also occur in real situations.
Methods I use in the context of a pentest
Black box audits are tests in which we have no knowledge of the client's passwords, network structures and other details; we start with nothing but publicly available information, just as an external attacker would. Black box audits therefore simulate cyber attacks as hackers carry them out every day. In this way, I test the general security of networks against external attacks: reconnaissance of the client's public address ranges and domains, enumeration of the services exposed there, and attacks on what I find. One point needs a caveat. Overloading a network with a concentrated, high number of requests, for example via HTTP, is a denial-of-service (DoS or DDoS) attack, and it is normally excluded from a penetration test because it risks a real outage. If a client wants to know how its network copes with such threats from the Internet, we agree on that separately, test in a controlled window and stop at a defined load.
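Because a black box test starts from public address ranges, the first thing a tester needs is a gate that stops any scan or attack step from touching a host outside the written authorisation. The following is an added example, not the author's tooling and not code from the original article. The scope file format with the verbs include and exclude, the sample addresses (taken from documentation ranges, belonging to no real client) and the exclusion reasons are assumptions constructed for illustration.

```python
"""Scope gate for a black box test: refuse every target that the written
authorisation does not cover.  Added example with a constructed scope file;
the format and addresses are assumptions, not a real client's data."""
import ipaddress
from dataclasses import dataclass, field

# Constructed rules-of-engagement excerpt (assumption, not real customer data).
# Hostnames are deliberately not accepted: resolve them first and pass the
# resolved address, so that a DNS change cannot silently widen the scope.
SCOPE_TEXT = """\
include 203.0.113.0/24
include 198.51.100.10
exclude 203.0.113.250        # third-party hosted payment gateway
exclude 203.0.113.0/29       # DNS and mail relays, outage risk
"""


@dataclass
class Scope:
    includes: list = field(default_factory=list)
    excludes: list = field(default_factory=list)


def parse_scope(text: str) -> Scope:
    """Parse 'include <net>' / 'exclude <net>' lines; '#' starts a comment.
    Single hosts are accepted and stored as /32 (or /128) networks."""
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, _, target = line.partition(" ")
        net = ipaddress.ip_network(target.strip(), strict=False)
        if verb == "include":
            scope.includes.append(net)
        elif verb == "exclude":
            scope.excludes.append(net)
        else:
            raise ValueError(f"unknown scope verb: {verb!r}")
    return scope


def in_scope(scope: Scope, target: str) -> bool:
    """A target is testable only if it lies inside an include range and
    outside every exclude range.  Exclusions win: the client's carve-outs
    override a broad include such as a whole /24."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in scope.excludes):
        return False
    return any(addr in net for net in scope.includes)


def partition_targets(scope: Scope, candidates):
    """Split candidate addresses into those we may touch and those we refuse,
    preserving order so the refusal list can go straight into the test log."""
    allowed, refused = [], []
    for target in candidates:
        (allowed if in_scope(scope, target) else refused).append(target)
    return allowed, refused


if __name__ == "__main__":
    scope = parse_scope(SCOPE_TEXT)
    ok, no = partition_targets(
        scope,
        ["203.0.113.25", "203.0.113.250", "203.0.113.3", "198.51.100.10", "192.0.2.7"],
    )
    print("allowed:", ok)
    print("refused:", no)
```

Every scanner invocation should be fed from the allowed list only, and the refused list belongs in the engagement log: a client who later asks why a host was not tested gets the answer from the scope file, not from memory.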
In a white box audit, on the other hand, we use information about the client's network for the simulated cyber attacks. We receive this from the client in advance: passwords, access to accounts with administrator rights or access to the source code of applications. It is precisely during these tests that I often come across security gaps, because with source code and internal access I can check every code path and configuration rather than only what is reachable from outside. The white box audit is often commissioned by clients with the aim of uncovering internal attacks. Former employees or employees with bad intentions also have access to such information. But external attackers also get hold of some of this data time and again. For example, it often happens that hackers use an active account of an employee and steal data from there or introduce malware into the company network. One goal of the white box audit is therefore to determine whether the IT security of an organisation can distinguish such actions from regular access by authorised employees.
Finally, the grey box audit is a mixture of the two previously mentioned attack methods of the pentester. With the grey box audit, I have limited data about the client's network at my disposal. I use this in my attempts to penetrate the network. This information includes, for example, network diagrams, e-mail and IP addresses or employee names. This data makes it easier for me to simulate attacks on a network. More importantly, however, real hackers also like to obtain such data in advance. This happens especially in the context of dangerous targeted cyber attacks. Hackers often have financial interests in such attacks, such as extortion by placing ransomware. With the grey box audit, we increasingly look for security vulnerabilities that enable such attacks.
A special area is the social engineering audit. Sophisticated cybercriminals no longer rely on malware alone to penetrate corporate networks; one of the biggest security risks in companies is the people who work there. As part of the social engineering audit, I apply various techniques that cybercriminals also use. For example, I send targeted emails to people who work at the client company. These are manipulated in various ways: I attach a test payload in a compressed file or a manipulated Word file which, unlike real malware, does nothing but report back that it was opened, or I pretend to be a partner company and ask for sensitive data.
One of the special attack methods used by pentesters is red teaming. This audit is one of the highlights of the attack simulation. In red teaming, I work together with several colleagues on a cyberattack. The approach is fundamentally different from the other pentester attack methods. In the white box, black box and grey box audits, the aim is to find as many vulnerabilities as possible and to document them; where I exploit one, it is to confirm and demonstrate its impact, and every finding ends up in the report. In red teaming, on the other hand, my colleagues and I act as real attackers pursuing one goal. There are no fixed target systems and no prescribed techniques; the only limits are the rules of engagement agreed with the client, which typically name actions that are off limits. The goal of such a red teaming attack can be industrial espionage, financial fraud or demonstrating that we could deactivate systems completely, which we show without actually doing it. Red teaming is mainly used in security tests of larger companies that have a correspondingly powerful IT security, for example a separate Security Operations Centre. The client's IT security staff, who beyond a small group of contacts are usually not told about the exercise, then react to our attack in real time. From the defenders' point of view, it is a real cyber attack, so real action is required. I also use all the attack methods of a pentester to get to our internal target. The goals of red teaming are to find out the Time To Detection (TTD) as well as the Time To Adversary Success (TTAS). So it is about seeing how long it takes the client's IT security to detect and stop our activities, and whether that happens before we reach our objective.
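Both metrics can be read off a joint timeline of red team actions and SOC tickets once the engagement is over. The following added example (not the author's or the company's tooling, and not from the original article) computes them from a constructed timeline; the line format, the event names, the timestamps and the choice of initial access as the starting point are assumptions made for illustration.

```python
"""Compute Time To Detection (TTD) and Time To Adversary Success (TTAS)
from a red team engagement timeline.  Added example; the timeline below
is constructed for illustration and contains no real engagement data."""
from datetime import datetime

# Constructed timeline (assumption): "<ISO timestamp> <team> <event>".
# red = operator log of our own actions, blue = the client's SOC tickets.
TIMELINE = """\
2024-03-04T08:55:00Z red  phishing-mail-sent
2024-03-04T09:12:00Z red  initial-access
2024-03-04T10:03:00Z red  lateral-movement
2024-03-04T11:40:00Z blue alert
2024-03-04T12:30:00Z red  objective-reached
2024-03-04T13:05:00Z blue containment
"""


def parse_timeline(text):
    """Return (timestamp, team, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, team, event = line.split()
        # fromisoformat() on older Pythons does not accept a trailing 'Z'.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, team, event))
    return sorted(events)


def first(events, team, event):
    """Timestamp of the first matching event, or None if it never happened."""
    for stamp, t, e in events:
        if t == team and e == event:
            return stamp
    return None


def engagement_metrics(events):
    """TTD: from the first attacker action on the target network to the first
    SOC alert.  TTAS: from the same start to the agreed objective.  Both are
    measured from initial access (assumption), because the phishing mail has
    not touched the client's network yet.  A None value means the event never
    occurred: an undetected engagement has no TTD, a stopped one no TTAS."""
    start = first(events, "red", "initial-access")
    detect = first(events, "blue", "alert")
    success = first(events, "red", "objective-reached")
    contain = first(events, "blue", "containment")

    def minutes(a, b):
        if a is None or b is None:
            return None
        return (b - a).total_seconds() / 60

    return {
        "ttd_min": minutes(start, detect),
        "ttas_min": minutes(start, success),
        # The question the client really asks: did the SOC stop us in time?
        "contained_before_success": (
            contain is not None and success is not None and contain < success
        ),
    }


if __name__ == "__main__":
    print(engagement_metrics(parse_timeline(TIMELINE)))
```

For the constructed timeline the SOC raised its first alert 148 minutes after initial access and we reached the objective after 198 minutes, with containment only afterwards. The None handling matters in practice: an engagement that is never detected must not be reported as "detected after 0 minutes".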
Continuous training is also part of my daily routine. The security situation on the Internet is dynamic. New forms of cyber attacks, current developments in IT security as well as updated attack methods for pentesters change the situation.
The earnings potential of a pentester job
Earnings as a pentester depend on a variety of factors. Most important is experience in the sector, as there is no classical training. Starting salaries are usually in a range between 3,750 and 4,500 euros gross per month. Penetration testers who have more than five years of experience in this job, on the other hand, earn between 5,500 and 6,500 euros a month. The top salaries in Germany are up to 8,000 euros gross per month.
Challenges - that's what makes the pentester job so varied and exciting
One of the biggest challenges is also what makes the pentester job so exciting. Every assignment is different. When I start a new project and go through the different pentester attack methods, I never know what to expect. Every network is built differently, existing IT security reacts differently and companies use different applications. This makes each task unique and makes the pentester job very varied. I also always see the penetration tests as a personal challenge. The goal is to overcome IT security and compromise the network. In this respect, a good pentester thinks exactly like a cybercriminal in a real attack and does everything within the agreed rules to achieve that goal.
What my clients expect
Our clients naturally expect clear and comprehensible results from me. Communication is also of central importance. Open cooperation is important and creates a basis of trust. This is necessary because in my work I penetrate sensitive areas of companies and organisations.
Part of my pentester job is also to write the result reports. On the one hand, these reports contain clear details about the vulnerabilities found: where they are, how they were confirmed and how severe they are. On the other hand, I also give instructions on how to fix them. In addition, I point out potential dangers to the clients. The result is a detailed report with clear recommendations that enable the client to concretely improve its IT security and close security gaps. I or one of my colleagues present the results to the client in a personal meeting.
The profession of a pentester is versatile and exciting. Those who want to work in this field must have a natural curiosity as well as knowledge of IT security and network administration. Creativity and a drive to achieve a set goal are also important. The pentester has a high level of education, continuously trains and accordingly has good earning potential. Due to the increasing number of cyber attacks, the pentester job is also a safe career choice.