Pen Testing, Red Teaming, and More

Post on 16-Apr-2017

Pen Testing, Red Teaming, and More

@ChrisTruncer

What’s this talk about?
● Who I am
● How I got started in the industry
● What is “red teaming” and/or “pen testing”
● Different Offensive Jobs
● Where is the field going?
● How to learn and get your foot in the door
● Questions

uid=0(@ChrisTruncer)
● Christopher Truncer (@ChrisTruncer)
  ○ Hacker
  ○ Open Source Software Developer
    ■ Veil Framework Developer
  ○ Florida State Seminole
  ○ Random certs… blah
● Red Teamer and Pen Tester for Mandiant

How I Started
● College
  ○ College computer security class
  ○ Hack my roommate
    ■ “Wow, hacking is real”
  ○ Took a security class
  ○ Decided this is what I wanted to do
    ■ …. is this even a job?

How I Started
● Start off in a technical role
  ○ Wanted to get a technical foundation before moving into security
● First job, not what I wanted
● Became a Sys Admin at Northrop Grumman
  ○ Stayed for about 2 years
● Began my plunge into security, and haven’t looked back

What is Penetration Testing or Red Teaming?

Different Job Descriptions
● Vulnerability Assessment/Assessor
● Penetration Tester
● Red Teamer
● Exploit Developer

Vulnerability Assessment/Assessor

But that’s it… Kind of boring, right?

Penetration Tester

Red Teaming is a little different, but similar

Red Teaming == Objective-Based Adversary Emulation

Pen Testing/Red Teaming Career Paths

Tale of Two Tracks
● All team members will typically start in a general pen testing position
● With experience, you will typically specialize
  ○ Red Team? Web Apps? Thick Clients?
● After specialization, two main tracks exist
  ○ Technical Track
  ○ Management Track

Tale of Two Tracks
● Technical
  ○ Performing research, or concentrating on leading technical challenges
    ■ Tech SME
  ○ Live and die by your own sword
● Management
  ○ Lead teams running assessments
  ○ Could stay technical… “It depends”

Tale of Two Tracks
● Both tracks have their pros and cons
● Honestly, just figure out what you love to do
  ○ It’s what the beginning stage of pen testing is designed to let you do
● Find your passion in this, and go for it
  ○ This field is filled by people who LOVE what they do

Exploit Developer

Exploit Developer
● Typically not on Ops
  ○ Not on keyboard
● Performing research on various technologies
  ○ Predominantly includes low-level analysis
    ■ Be very comfortable in a debugger and decompiler
    ■ Understand the basics of exploitation
      ● Buffer overflows, SEH overwrites, egghunters, etc.

Exploit Developer
● This can be really fun and rewarding
  ○ Perfect for people who really like taking apart puzzles and finding holes
  ○ Can be VERY time consuming - might take 6 months of research to find a vuln you can exploit
  ○ Might not find a vulnerability
  ○ Make a lot of money

Where is OffSec Going?

Where’s the field going
● Pen Testing and Red Teaming are relying less on technology, and more on people
  ○ Human error is the easiest to exploit
    ■ Layoff Example
  ○ Misconfigurations/Poor configurations are what we look for now
    ■ User-Hunting
  ○ This is likely the way forward

Where’s the field going
● Exploitation is getting harder to do
  ○ Defensive technologies are making life hard
    ■ Used to see lots of exploits, post Win 7 -> not as much
  ○ Not many companies are offering pure exploit development positions
    ■ Government positions
    ■ Third party companies

Certifications
● They can be… ok..
  ○ Sometimes needed to help get past HR
  ○ They are NOT a sign of competency
● Best certs, look at Offensive Security
  ○ OSCP - Pen Testing
  ○ OSCE - Exploit Development
● This style of certification demonstrates knowledge and is respected

What I wish I knew
● Be prepared to be uncomfortable at times
  ○ Always in a new environment with new “stuff” and you’re expected to break it
  ○ Perk of the job too :)
● Build your process
  ○ Learn how you best approach networks, web apps, etc.
  ○ Use this to face what you don’t know

Get Into Coding
● Learning to code/script will be invaluable
  ○ Add functionality, or write your own tools
  ○ Manipulate large data sets
  ○ Nearly a requirement to be successful

Where to start coding?
● Pick a language to learn
  ○ Windows -> Powershell
  ○ Linux -> Bash, Python, or Ruby
● Find something tedious
  ○ Automate it!
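As a concrete illustration of the "find something tedious and automate it" advice, here is an added Python example that is not from the talk or from any of the speaker's tools. The assumed (constructed) scenario is a host list pasted together from several reports, full of duplicates, stray whitespace and junk tokens; the script pulls out the valid IPv4 addresses, de-duplicates them and groups them by /24, which is the kind of data clean-up that otherwise eats an afternoon by hand.

```python
"""Normalize a messy host list: extract, validate, de-duplicate, group by subnet.

Added example for the "automate it" slide; not code from the talk.
Assumption: the input is free-form text copied from reports, so addresses
may appear with labels, commas or leading whitespace around them.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input, imitating a copy/paste from a few reports.
RAW_HOST_DUMP = """
10.0.5.14  web01
10.0.5.14
  10.0.5.200   (db)
192.168.1.7
not-an-ip 300.1.2.3
192.168.1.7,192.168.1.9
10.0.6.1
"""

# Dotted-quad shape only; real validation is left to the ipaddress module.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_hosts(text):
    """Return the unique, valid IPv4 addresses in `text`, sorted numerically."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            # Rejects out-of-range octets such as 300.1.2.3.
            found.add(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue
    return sorted(found)


def group_by_subnet(addresses, prefix=24):
    """Bucket addresses by their enclosing /prefix network (keys are network strings)."""
    groups = defaultdict(list)
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups[str(net)].append(str(addr))
    return dict(sorted(groups.items()))


def summarize(text, prefix=24):
    """Whole pipeline: raw dump -> {"total_hosts": n, "subnets": {net: [hosts]}}."""
    hosts = extract_hosts(text)
    return {"total_hosts": len(hosts), "subnets": group_by_subnet(hosts, prefix)}


if __name__ == "__main__":
    result = summarize(RAW_HOST_DUMP)
    print(f"{result['total_hosts']} unique hosts")
    for subnet, members in result["subnets"].items():
        print(f"{subnet}: {', '.join(members)}")
```

Run it as-is to see the cleaned inventory for the constructed sample; replacing RAW_HOST_DUMP with the contents of a real file is the only change needed for actual use. The regex is deliberately loose and the ipaddress module does the real validation, which keeps the two concerns (finding candidates, deciding what is valid) separate and easy to test.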

How to Learn
● Go to security conferences!
  ○ Might be anywhere from $10 - $300
  ○ BSides Conferences are local and almost always free, or super cheap
● Build your own lab
  ○ VMWare is your best friend
  ○ VulnHub
● Try free CTFs
● Twitter!

?
Chris Truncer
  ○ @ChrisTruncer
  ○ CTruncer@christophertruncer.com
  ○ https://www.christophertruncer.com
  ○ https://github.com/ChrisTruncer