Wednesday, May 15, 2019

How Do I Get Started in Pen Testing?


I teach several different classes at the SANS Institute. Sometimes students are just starting out, and they're looking at how to apply the tools and skills they just learned. I'm writing this blog to provide guidance on the next steps. I'm going to try to be agnostic across the SANS curriculum, since that separation doesn't exist in most people's workplaces.

Practice At Work

First, be careful about just doing things at work. Some of the tools and skills we teach in SANS classes might not be appropriate for your job role. Instrumenting a computer network with a sniffer and monitoring traffic is a valuable defensive technique and capability. But, it might also be considered a wiretap in the United States (and most other countries). This potential violation of federal and state laws could get you fired and charged with a crime if done without permission. Same goes for penetration testing or unauthorized collection and inspection of digital evidence.
Solution: Get written permission from someone with the authority to give that permission to install monitoring or do forensics, or penetration tests.

Practice Outside of Work

If you don't have a chance to apply the lessons at work, what's another path? I advise you to do three things. First, find some additional practice opportunities. Second, find an organization that could use your assistance and volunteer for them. Third, start to moonlight as a contractor.

Additional Practice Opportunities
There are a number of websites out there that give you a chance to practice your skills. Here are a few lists of freely available challenges:

Volunteer Opportunities

After you're confident in your ability to do simulated work, it is time to move on to a real-world circumstance. Truth is, you're probably not experienced enough to go right into contracting and delivery. So this next step is a middle ground. Find an organization that you care about. This might be your church, your school, or your child's school. It could be your friend's small business or your neighborhood association. Select an organization to which you're willing to contribute your time for free.

Offer this organization the service you intend with an actual proposal. This will be a written agreement, and you're treating it like it is a business engagement.

My suggestion for how to think about the scope is to review this fantastic resource:

It's a bit older, but it is an exhaustive list of the potential attack surface for a pen test or vulnerability assessment. There are a couple of template documents available as well. The primary artifact you'll be producing from your work is a report. Here are a large number of example reports:

Deliver the report, provide advice on how to fix it, and check in six months down the road to see how they've progressed on the proposed changes. You'll probably see that they haven't made much progress at all. ;) It's ok. Look for ways to help solve those issues.

Keep working with that organization and apply a different scope for another engagement, or find another organization to help.

Start a Small Business

Once you've done a small number of engagements for free, you're probably ready to start to charge for your services. Don't quit your day job quite yet. :)

Register an LLC with your state.

Develop the appropriate sort of contracts, usually a Master Service Agreement (MSA) and a Statement of Work (SOW). One example MSA:

Buy liability insurance, and potentially errors and omissions coverage, for your business; you may also need workers' compensation for some organizations you contract with (even if you don't have any employees):

Find customers, deliver value, and grow your business!


That's a quick opinion on how you might proceed to develop your skills. You could also just have fun doing capture-the-flag and NetWars challenges from SANS. If you have additional resource links that you think people should review for any of the areas above, please include them in the notes. I'll add really good links back into the text of the post.