Updated: Jan 11, 2020
The team of penetration testers I work with is excellent. In particular, there are three qualities which I believe are essential, and indeed make the difference between mediocre engagements and superior ones.
Before introducing these qualities, it is of course important to note that a good pen tester has tremendous technical acumen, experience, and troubleshooting skills. My VP of Technology and lead tester Curt has such skills. I've worked with him for five years now, and it's not uncommon for him to find himself one keystroke away from downloading an entire sensitive database (of course he doesn't), breaking into video cameras or other auxiliary systems, or being able to access HR and other sensitive data.
He is an AWS Architect, understands Azure and cloud technology, knows his way around Linux and multiple exploit tools. Of all the things that set him apart however, these three simple things lead to quality outcomes and better customer engagements:
1. Bedside Manner
2. Passive Reconnaissance
3. Initiative
My father was a family doctor in a small town. His patients loved him because he cared. Similarly, Curt has excellent bedside manner. He cares, goes the extra mile, and communicates to clients in an affable yet concise way. Says he, "In hiring a penetration tester, I can train them to do technical things. It's harder to train them to be good communicators."
Good testers write well, document thoroughly, and most importantly, communicate with their clients in a pleasant, concise way.
Active scanning, pinging, and script execution may be important components of good testing, but public information that may render companies vulnerable can be just as valuable as the discovered vulnerabilities.
On one test, Curt started an engagement by performing passive reconnaissance on the target customer (as he always does). Pastebin was searched for any email addresses or passwords. Searches were also done for misconfigured AWS buckets or public GitHub repositories with sensitive information such as API keys. LinkedIn, Facebook, and Twitter were also queried for names and profiles of the company's employees. Every major search engine was used to attempt to find sensitive information such as private Word, PowerPoint, PDF, or Excel documents hosted on the website, or pages labeled "Internal Only." The interesting findings were dozens of email addresses and potential login IDs, along with compromised passwords.
In this case, the company came up with a "clean bill of health" but the information provided in the research phase was valuable for internal education and clean-up of company login credentials. This is an often overlooked component of good penetration testing.
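The clean-up the research phase prompts can be made routine on the defender's side: before content goes public (a web page, a shared document, a repository), scan it for the same kinds of strings the passive reconnaissance above turned up. The script below is an added example, not code from the post or from the tester it describes. The AWS access key ID shape (AKIA followed by 16 upper-case alphanumerics) is the published AWS format; the password-assignment and "Internal Only" patterns and the 3.0-bit entropy threshold are assumptions chosen for illustration, and the sample content is constructed.

```python
"""Pre-publication exposure check: flag credential-like strings and
"Internal Only" markers in text a company is about to make public.
Added example; sample content is constructed, not real data."""
import math
import re
from collections import Counter
from typing import List, Tuple

# Things that should never appear in public content.
# aws_access_key_id follows the published AWS format; the rest are
# assumed, generic shapes used for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "internal_only_marker": re.compile(r"(?i)\binternal\s+(use\s+)?only\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Assumed threshold: values below this look like placeholders ("changeme"),
# values above it look like generated secrets.
MIN_SECRET_ENTROPY_BITS = 3.0

# Constructed sample of the kind of file that ends up in a public repo.
SAMPLE_PUBLIC_CONTENT = """\
# deploy notes (constructed sample, not real data)
Contact: jane.doe@example.com for access
INTERNAL ONLY - do not distribute
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "xK9#mQ2vL8pZ"
test_password = "changeme"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; higher means more random-looking."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<constructed>") -> List[Tuple[str, int, str, str]]:
    """Return (source, line_no, finding_type, matched_value) for every hit.

    Password assignments are reported only when the value has enough
    entropy to look like a real secret, so placeholders do not drown out
    the findings that matter.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "password_assignment":
                    value = m.group(2)
                    if shannon_entropy(value) < MIN_SECRET_ENTROPY_BITS:
                        continue  # looks like a placeholder, not a secret
                    findings.append((source, line_no, kind, value))
                else:
                    findings.append((source, line_no, kind, m.group(0)))
    return findings


def format_report(findings: List[Tuple[str, int, str, str]]) -> List[str]:
    """One human-readable line per finding, for the clean-up list."""
    return [f"{src}:{ln}: {kind} -> {val}" for src, ln, kind, val in findings]


if __name__ == "__main__":
    for line in format_report(scan_text(SAMPLE_PUBLIC_CONTENT, "deploy-notes.md")):
        print(line)
```

Run it over files from the repositories and document shares you publish; each reported line is a candidate for removal or rotation, and the "Internal Only" hits are pages that should not be reachable by a search engine at all.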
Last but not least is the quality of initiative. Curt will often go a little above and beyond the scope to research and test things that lead to bigger findings and concerns. For example, having finished a test on a client, this was the narrative:
"While finishing up the report I double checked something, which led to me going out of the scope a little but might lead to an important vulnerability. I found a WordPress login, which led to identifying a WordPress plugin they are using that is vulnerable to remote code execution. If this exploit works I'll have total control of their web server listening at xx.xx.xx.xx. So it dips a little into the web application vs external IP, but only because a web server configuration check found a breadcrumb that led to it. After testing the Remote Code Execution vulnerability thoroughly, I was not able to achieve an exploit. The server is vulnerable but the attack requires that something be put on a blog entry. Their website currently blocks all user blog entries."
It was important this client know that if they enabled blog entries with the outdated plugin, they would have become vulnerable to a full compromise. Initiative here makes the difference between a serviceable effort and an excellent result.
Great penetration testing is not so much about skillful wielding of Kali Linux tools or Metasploit or Burp Suite as it is about bedside manner, reconnaissance and initiative. Being able to advise, being useful and proactive are critical components of successful penetration testing engagements!