Subscribe to the CyberThreatPOV Podcast

3 Qualities of a Great Penetration Tester

Intro

Working as a penetration tester is more complex than just attempting to access networks or exploit vulnerabilities. Throughout the process of penetration testing, there are skills that must be employed to complete the work and convey the findings to customers. It is very common for aspiring penetration testers to excel at the technical aspects of the job but fall short in others. There are many qualities that penetration testers may possess, but three will help aspiring penetration testers prove their merit.

Time Management

Adequately managing your time as a penetration tester is imperative. There are many occasions when our Offensive Security division is scheduling penetration tests 2-3 months in advance. Penetration Testers should make note of which customer is scheduled for each week to avoid both personal and professional scheduling conflicts. Our typical schedule involves a kick-off call, 3-4 days of penetration testing, and various follow-up interactions that may occur over the course of two weeks. Planning out a timeline of follow-up meetings in advance can save you headaches in the future.

During the course of a penetration test, there are certain processes that must be followed to conform to PTES (penetration testing execution standard) guidelines. Occasionally, a penetration tester may find a vulnerability during an early phase of an assessment. If that occurs, it is important to not pursue an exploit to that vulnerability and “go down a rabbit hole” until other stages of the process have been completed. It would be disastrous to chase a vulnerability found in reconnaissance for an entire day of your penetration test, only to run out of time for the rest of the processes that must be completed.

Completing reports in a timely manner is another aspect of penetration testing that is often overlooked. Penetration testers must work to compile their findings, evidence, and solutions into a deliverable document. Depending on the scope of the network, writing a report can take several hours or even days. A common best practice is to update your report with issues and corresponding evidence as you discover them. This saves time up front and allows the penetration tester to write a thorough summary at the conclusion of testing.

Communication

Effective communication skills are another important quality that penetration testers must possess. Before the penetration test begins, you must effectively communicate with the customer through emails and typically a “kick-off call” and discuss their expectations, limitations, and goals for the penetration test. Immediately before you begin the penetration test, it is customary to remind the customer and confirm that all the information you, such as IP ranges, have not changed. Throughout the test, you must be available to answer any questions that may arise. Customers will appreciate prompt answers and honest feedback during the process.

During penetration testing, it may also be important to communicate internally with your peers. You may come across an issue that you are not familiar with, but another team member may be more familiar with. You may also find new penetration testing tools by discussing your findings and challenges with your team.

When completing your test, writing your report is another way of showing effective communication. A professional penetration testing report should always include proper grammar, spelling, and syntax. Have a peer review of your report before sending it. This will be helpful to ensure your findings are clear. Generally speaking, writing a report that is easy to understand and does not get too “wordy” is best practice. Customers expect a concise and thorough in your reporting.

Critical Thinking Skills

Thinking critically is the foundation of any penetration tester worth his or her salt. You must have a baseline of technical knowledge to perform the testing. You should also be able to solve simple problems and anticipate “if this, then that.” An analytical mind is critical to navigating through a network, web applications, and cloud-based solutions.

A penetration tester must also be able to adapt and solve problems as they arise. There will be several times when you will come across a new tool, process, or application that you will have to research. You must then apply that research into developing an attacking process. Every penetration test will be different in some form, and you must expect the unexpected. Likewise, cybersecurity is a constantly evolving field. Tools and scripts may fall out of favor for newer more effective ones. You must constantly work to update your skills to remain relevant.

In addition to thinking outside of the box and being adaptable, a penetration tester must be able to follow a process. As previously mentioned regarding time management, following a process is the best way to be thorough in your work while following the PTES standard. Being comprehensive and following some sort of checklist will assist with staying on track during your test. Great penetration testers will find a balance between being innovative and following a set standard.

Conclusion

Being a great penetration tester requires a well-balanced set of skills. There are a multitude of personalities and skills that each individual will bring to the table. A team of penetration testers would ideally include people from different backgrounds and skill sets working together to accomplish the organization’s goals. The skills mentioned here are just a starting point and a subset of those needed to be successful. Developing your team’s time management, communication, and having a baseline of critical thinking skills are necessary to have an effective penetration testing team.