Want to never think about your job again? Don’t become a penetration tester or a red teamer.
Penetration testers (pen testers) and red teamers never stop learning. The cybercriminals they replicate move fast, very fast.
The vast majority of exploits are developed much faster than patches or even firewall rules to block resulting attacks. When AI chatbots hit the mainstream recently, criminals didn’t waste time. We saw a 1200% jump in phishing emails in 2023, hacked ChatGPT variants, and a lot of noise about AI-generated malware.
Offensive security teams can’t coast. They are up against some of the world’s most motivated learners and even need to front-run them.
To explain the kind of learning offensive security teams do, we asked industry experts Mindaugas Slusnys and Rodrigo Fonseca and turned their insights into this blog.
Fundamentals Are Only the Start
Offensive security means T-shaped learning.
Anyone considering a career in offensive security needs to be a broad expert in IT to start - enough to be able to do a “standard” IT job at a high level but also go a level beyond this and be able to spot the gaps that show something can be broken and know how to break it.
Specifically:
Penetration testers need to understand how web applications, mobile applications, networks, operating systems, etc., interact. They need to know how front-end systems talk to back-end systems. More advanced testers need to know technology down to the level of the machine code that sits between applications and a device's hardware so they can reverse engineer processes to spot exploitable gaps.
Red teamers also need to know how corporate environments work, from email and web filtering and employee “soft spots” to Microsoft Active Directory and various systems within the enterprise (Azure, SQL databases, Linux servers, SAP systems, payment systems and so on).
Once they grasp these fundamentals and stay up to date with the countless different trends in how applications and networks are architected, offensive security experts are not done learning.
They then need to specialise.
The more you know in a specific area, the easier it becomes to research additional things to build on top of that (rather than starting from scratch)." Secforce offensive security expert.
Some people might become experts at SQL injection attacks; others might specialise in testing Operational Technology (OT) systems or know a lot about binary exploitation.
For example, at SECFORCE, we’ve built a team of IoT experts. This means they can replicate emerging attack vectors, like cyber attacks against autonomous vehicles. Not all penetration testers can do this.
Degrees Are Good, But Skills Are Better
Offensive security is a practical career. A good hacker is an individual who can pull off successful hacks, not someone with a master’s degree in hacking.
Like other practical fields, you do not need a degree to have a career in offensive security.
Degrees can provide the initial base of knowledge described above, but deciding to commit to a college degree rather than self-study is more a matter of personal choice.
Unless an offensive security professional wants to pursue work in a government body (where degrees are obligatory in many countries), self-study with the right combination of certifications might be a better combo.
“I would say degrees are 'important' to exist as an option but not necessary to be successful and only 'required' for very specific scenarios." Secforce offensive security expert.
Degrees might not be extremely important, but certifications can be.
Certifications like CompTIA Security+ are almost like specialised degrees and help open doors for hackers into offensive security. For some roles, advanced certs like the CREST Registered Penetration Tester (CRT) can even be a strict requirement.
Generally speaking, a cert might be a tie-breaker if an offensive security company was torn between two similar candidates for a job.
Beyond certs, training exercises like those on HackTheBox are a common way for hackers to stay up to date. Participating in capture-the-flag (CTF) exercises is worthwhile, too.
"HackTheBox and other practical CTF sites and also CTF competitions are good ways to improve your skills and meet like-minded people. The online CTF sites especially create good conditions for beginners to learn about hacking as they provide infrastructure ready to go." Secforce offensive security expert.
How Do You Stay Sane?
One member of our team enjoys the DarkNet Diaries podcast, which, while more general than technical in terms of content, can still give ideas for new ways to approach a hack.
Along with getting inspiration, making a long-term career out of offensive security depends on staying, well, sane. Surveys continue to show that the majority (in some surveys, over 90%) of cyber security professionals report being “burned out” or overwhelmed with their jobs.
Our team thinks that the problem of burnout is less prevalent among offensive security professionals than it is with blue teams responsible for stopping attacks. As one of our offensive security experts said, “It is easier for us attackers as we do not really defend threats but rather learn from them.”
It helps that our hackers would probably be hacking even if they weren’t working a day job. Case in point: One of our offensive security experts stayed up for 20 hours while participating in a CTF event.
Looking Around the Corner
What's coming next?
Right now, some of our offensive security professionals are looking at how smart contracts could impact financial services and what risks they might create or reduce. Others are interested in AI attack vectors.
But while technology is changing, our experts reckon that some of the basic weak points in cybersecurity will become even more glaring. Even in large, well-funded organisations with lots to protect, our team sometimes finds that major companies have very bad security controls and politics.
Defensive security technology is getting better at spotting and stopping malware. As a result, one of our offensive security experts predicts that there will be more attacks involving humans as the weakest link in the security kill chain. “More insider threats, leaks, backdoors in open and closed source software," he says.
Continuous Learning Powers SECFORCE’s Expertise
Continuous learning is absolutely essential to being an offensive security professional. Everyone on the SECFORCE technical team spends 20% of their work time on learning and research.
Need an offensive security specialist? Contact SECFORCE experts today.
