“If you only knew the power of the Dark Side!”
Darth Vader, Star Wars: Episode V - The Empire Strikes Back
<MUSIC> duh duh duh DUN DA DUN, DUN DA DUN </MUSIC>
What is Ethical hacking, i.e. OffSec, or Offensive Security? It is the power of the Dark Side. The power of understanding and applying adversarial skills. It is about taking on the role of a Sith, but actually not being a real bad guy. You are emulating the behavior of a bad guy and carrying out the adversarial skillset.
The purpose of ethical hacking as a discipline is to test the security posture of a system, application, service, infrastructure, or asset from the viewpoint of an adversary.
An ethical hacker may for example take on the following roles:
- Network penetration testing
- Web application penetration testing
- System security testing
- Red team operator
- Vulnerability security assessments
- And the list goes on with similar roles…
For simplicity, Ethical Hacking in this article is equivalent to OffSec and Offensive Security. So, if I mention OffSec or Offensive Security I am, in this article, talking about Ethical Hacking. The power of the Dark Side!
In this article, I will write about "why" one should study the discipline (Ethical Hacking), along with some personal contemplations about the subject. "Why" the Dark Side powers are a thing in the security universe.
I am a strong believer in the mindset of being a continuous learner when it comes to security. Personally, I love the process of learning something that interests me and that I think is fun.
I have always been enthusiastic and interested in ethical hacking. It is fun. CTFs (Capture The Flag) are fun, but more on this later. Hacking stuff is fun. And this is something that also deepens the understanding and knowledge of security. "Breaking" something down, in a controlled way, is a form of engineering. Doing this with a structured and methodical approach is an art form of its own.
Back in the day, the knowledge around ethical hacking was a bit harder to gain though. The learning material was far scarcer. There were no CTF platforms out there when I got my hands on BackTrack (the predecessor of Kali Linux) for the first time back in 2009.
Ethical hacking has always fascinated me, and it still does. To gain knowledge and understanding of how things look from an attacking perspective. How attackers think. And this is also one of the reasons why I study ethical hacking and find it interesting.
“Give yourself to the Dark Side.”
Darth Vader, Return of The Jedi
The Ethical hacking stuff is also somewhat similar to the sports world where there are offensive tactics and an opponent who applies defensive tactics. During my sports career, we were very good at studying and analyzing our opponents and their tactics. And the better we understood their offensive (and of course defensive) tactics the easier it became for us to exploit their weaknesses and apply adequate countermeasures.
Many games were won even before the game started. We knew what we needed to do. How we needed to execute. How we needed to adjust if we identified a weakness to exploit. For example, a less optimal defensive tactic left certain attack opportunities open. We had our baseline, i.e. ethical hacking process, that we followed and adjusted according to our opponent’s behavior.
And we were not the best team on paper; our roster/line-up did not compare to that of other teams. We were not ranked or predicted to be the best team in the pre-season in the league. But we ended up winning the season without losing a single game. This season in my sports career, and the coach I had during this time, taught me something: how to think tactically and strategically, and at the same time be able to execute the plans in "game mode".
The same principles I described above apply to the security landscape when it comes to cyber-attacks and threats. They are real today; they are not something made up by the media or product companies. Threat actors use tactics, and those tactics can be studied. Threats are real and any organization with a digital footprint is a potential target. These last two sentences are obvious, but here and there I still hear comments like:
“This is not relevant for us. We have not been targeted by a cyber attack or had a security breach!”
That might be true, but there is no vaccine invented for cyber-attacks and threats. And "you" only think you have not been a victim. Many attacks go undetected because the organization lacks adequate detection capabilities, or because the breach simply has not been identified yet.
The average time for an attack or security breach to be detected was around 270 days (figures from 2022). It is totally fine to live by the belief that certain things are not applicable to your own organization. But that belief won't help you if the sh*t hits the fan and Mr. Ransomware gets deployed.
At that point, it is too late to nuke that "PDF" named "202x years employees' salaries summarized.pdf.exe" out of orbit when things go sideways. Or when the criminals who attacked your organization have stolen your intellectual property and it is being sold on the dark web for bitcoin.
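The "salaries summarized.pdf.exe" trick above is a concrete attacker technique: an executable wearing a document extension, relying on Windows hiding the real extension. Below is an added example (not code from the original article) of the kind of filename check a defender can run over mail-attachment or file-share logs to catch it. It also flags the related right-to-left-override (U+202E) trick, which makes "salaries\u202Efdp.exe" render as "salariesexe.pdf" in a file manager. The extension lists and the sample filenames are constructed assumptions for illustration; extend them for your environment.

```python
"""Flag filenames that disguise an executable as a harmless document.

Added example, not from the original article. The extension lists and the
sample names are constructed for illustration.
"""
from typing import Dict, List, Optional

# Extensions Windows will run directly when double-clicked (assumption: a
# representative subset, not an exhaustive list).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk", ".ps1",
}

# Extensions a user expects to open as a document or image.
DOCUMENT_EXTS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".txt", ".csv", ".jpg", ".jpeg", ".png",
}

# Unicode RIGHT-TO-LEFT OVERRIDE: everything after it is displayed reversed,
# so "salaries\u202efdp.exe" is shown as "salariesexe.pdf".
RTLO = "\u202e"


def suffixes(name: str) -> List[str]:
    """Return every dotted suffix of a filename, lower-cased.

    'salaries summarized.pdf.exe' -> ['.pdf', '.exe']; 'README' -> [].
    Only the last path component is considered.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] == "":
        return []
    return ["." + p.lower() for p in parts[1:]]


def classify_filename(name: str) -> Optional[str]:
    """Return a short reason the name looks like a masquerade, or None."""
    if RTLO in name:
        # The displayed name is a lie regardless of what the suffixes say.
        return "rtlo-override"
    exts = suffixes(name)
    if not exts:
        return None
    final = exts[-1]
    if final not in EXECUTABLE_EXTS:
        return None
    # Executable whose displayed name (with extensions hidden) ends in a
    # document extension: the classic "report.pdf.exe".
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return "double-extension"
    return "executable"


def scan_names(names: List[str]) -> Dict[str, str]:
    """Map each suspicious filename to the reason it was flagged."""
    flagged = {}
    for n in names:
        reason = classify_filename(n)
        if reason is not None:
            flagged[n] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample attachment names, not real log data.
    SAMPLE = [
        "202x years employees' salaries summarized.pdf.exe",
        "Q3 budget.xlsx",
        "installer.exe",
        "salaries\u202efdp.exe",
        "archive.tar.gz",
        "README",
    ]
    for name, reason in scan_names(SAMPLE).items():
        print(f"{reason:17} {name!r}")
```

The point of the check is that the displayed name and the name the operating system acts on are two different things; the first branch handles the case where they differ because of Unicode, the second where they differ because of hidden extensions. A benign "archive.tar.gz" is not flagged, because the final extension is not executable.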
Having a bit of understanding of that ethical hacking stuff might not be such a dumb thing! It provides a better understanding of which protective measures and security controls need to be applied, improved, or are missing entirely. This is also why I recommend that more people get at least a little bit of understanding of the offensive security stuff. Ethical hacking is a value-adding skillset transferable to many security roles. A good starting point could be to just gain an understanding of the ethical hacking process, like the one illustrated in this article.
KNOW YOUR ENEMY
“To know your enemy, you must become your enemy.”
Sun Tzu, The Art of War
The quote speaks for itself and applies to every scenario and situation where defensive and offensive operations, tactics, and strategies are applicable. And this is also how I approach ethical hacking and the application of my learnings.
As I have said, it gives me a better understanding and insight into the attacker’s mindset, perspectives, tactics, techniques, procedures, and a broader understanding of the security landscape.
The security game is a two-sided battlefield. The offensive side needs to understand the defensive side of things and the other way around.
To become good at offensive security, i.e. ethical hacking, it is very wise and recommended to have a fair understanding of defensive security and infrastructure management. This is a personal opinion though. Getting your hands and brain into the defensive side will give you the same kind of broad perspective and understanding of how things work for those on the defensive side: how core components within an infrastructure are designed, built, and operated, and how and why certain defensive security controls and capabilities are implemented and operated.
I am not saying that one must first do a couple of years in defense-city, joining the Blue team, before going into Offensive-land and working with ethical hacking. This is not by any means a requirement or an absolute path to walk. There are those in my network who do not have this background and are killing it without walking this pathway. Those who are ethical hacking crushers. This is, though, how I would do it if I started from scratch. And it is also the way I have walked.
So, it may come across as a bit empirical and subjective, but I am grateful for the journey I have taken. I started out with defensive security and infrastructure management, which gave me tons of understanding. Those years provided me with a solid and strong fundamental base of how things work. Not only from a technical and operational point of view, but also from a process, architectural, tactical, and strategic one.
Those early years in my career are still something that I carry with me today. Technologies evolve, but the core fundamentals of how things work in on-premises infrastructure, in processes, and in the cloud back-end are more or less the same. And some things will always be the same. There will not be major changes to how networks, general infrastructure, firewalls, DNS, DHCP, wireless, storage, and these kinds of capabilities and technologies work.
And I am glad for all those who helped, mentored, and coached me back in the day when I was new to the industry. Thank you, all of you! The list would be long if I started to name-drop everyone I have learned from, so that does not feel like a smart thing to do right now, and I will pause here. But once again, I am grateful for the help I have gotten and still get from those master minds I have around me. Security is a team sport.
START WITH “WHY”
I have been asked, "Why should I learn Ethical Hacking?". The reason is given above: I think it makes one a more accomplished security professional…if that is what the end goal is.
In these dialogues, when I get asked this question, I provide my own "Why" and contemplations about the security landscape. And I tell my story: I do it mainly because it is fun, and the effect of it is that I become a more accomplished security professional. If I did not find it fun, I would have done other things instead. Simple as that.
“Become My Apprentice. Learn To Use The Dark Side Of The Force.”
Darth Sidious, Star Wars Episode III: Revenge of the Sith
In any case, in these conversations, my next question to the person on the other side is "Why? Why do you want to learn about ethical hacking?". The answer does not always come clearly or directly. And this is ok. That answer does not need to sit there in the frontal cortex of the brain and wait to be said out loud. If you are reading this article and are thinking about going into OffSec-ville, ask yourself the question "Why?".
- What is the driver behind why you want to learn ethical hacking?
- Is it to become better at a certain job role, even if ethical hacking is not directly what you do in that role?
- Is it because you find it fun?
- Is it because you want to start working as an ethical hacker (Red teamer, penetration tester, security tester, security researcher, etcetera)?
- Or do you just want to know more, to broaden your security perspectives? How the offensive side works? How it is on the Dark Side, i.e. OffSec-land.
I look at knowledge as an investment. Before I start investing my time and energy in a certain knowledge area, I spend a great deal of time understanding "why" I do it. The "why" will guide me in my journey. It will guide me in how much time and energy I will put into the task. Invest in knowledge.
What is driving you to want to learn ethical hacking? Is it something deeply rooted within yourself, something you have chosen on your own? Or is this something that someone has told you to fulfill as a part of your obligations in your job? Or is it a combination of both? As knowledge is an investment and as time, in general, is limited the “why” is such a fantastic question and guide. Sort that out and the rest will follow easily.
FINDING YOUR “WHY”
To help you find your "Why", I think that the most time and energy, relative to the other questions in the learning journey, needs to be spent on this part of the equation.
To find out a "Why", independent of context, I like to use the following model of two pyramids.
Each layer of a pyramid represents the energy, resources, time, etcetera that shall be given to each question. The left-hand pyramid is one way to find the "Why": it starts with finding "What" shall be achieved, continues with "How", and ends with the "Why". This usually works well.
The right-hand pyramid is a better model. There, most of the energy, resources, time, etcetera is put into understanding and finding out the "Why". When that is understood and achieved, the rest will follow. The "Why" gives everything a purpose. Without a purpose, the other parts may suffer. Find your purpose. It may take a bit of time, but I promise you, it is worth it.
Understanding Ethical Hacking on a general level is one thing. Learning the stuff is something else, i.e. translating the learning into knowledge. Mastering Ethical Hacking is a lifelong journey.
Gaining a better understanding of how an attacker works, thinks, acts, and the tools, techniques, tactics, and methods they use will make you a more accomplished security professional.
Is it necessary to have these skills if you want to become a more accomplished security professional in, for example, defensive security? No. But it will help you. It will provide strong value-adding perspectives and knowledge.
Threats, attacks, vulnerabilities, technologies, processes, methods etcetera continually evolve. And so does the ethical hacking discipline. I am by no means an expert, master, or a Sith Lord in the subject, but I am one of those who find it fun and interesting.
I have done and still do a fair share of CTFs, hack stuff, and study ethical hacking. I am glad to have a hobby, i.e. Ethical Hacking, that at the same time makes me better in my overall profession. This is a side effect of things, that I become a more accomplished security professional, but this is not what drives my enthusiasm for ethical hacking. I think it is fun. That is my main driver.
Take a look at the article Gaming for Security Enthusiasts; it is a prequel to this one. It gives you a few interesting perspectives on what the learning journey can look like, and on something I found to have similarities to hobbies I had as a kid.
“Invest in knowledge.
Knowledge is an investment.”
As a general recommendation: if you are about to go all in on ethical hacking, and you are clear on your "Why", GO! Go after the knowledge! But it is not just about "clicking the buttons" and chasing root.txt. Ethical hacking is not a CTF. CTFs do give good exposure to the skills needed, so do the CTFs, but be aware that this is not how things are done in real life when it comes to Ethical Hacking.
Ethical hacking is a skill. An ethical hacker also needs the communication skills to convey the vulnerabilities found and the recommended remediating actions for them.
This is what it is about. For your customers to get an improved security posture, the message and recommendations need to be communicated. They need to be explained, and you need to make sure they are received and understood by those you help. Without that understanding on the customer's side, the value and effects of the investment in the ethical hacking engagement will never materialize.
As a part of your personal ethical hacking journey, learn how to communicate verbally, visually, and in text. Sharpen your storytelling and communication skills alongside your skills in hands-on technical hacking. You need both parts, i.e. technical and communication skills, to become an accomplished ethical hacking professional.
If you want to become a true master, as with anything, it requires commitment. Go after it but start with your “Why?”.
<MUSIC> duh duh duh DUN DA DUN, DUN DA DUN </MUSIC>