WHO SHOULD LEARN ETHICAL HACKING?

“To know your enemy, you must become your enemy.”

Sun Tzu, The Art of War

If you want to learn and get a deeper knowledge of how attacks are conducted, from a more technical point of view and from an adversarial perspective, I recommend you learn ethical hacking. There is definitely an added value for security professionals in learning more about the power of the dark side.

And I think that anyone who is working in the security field would benefit from having at least a little bit of knowledge and understanding of ethical hacking. But should everyone spend time learning ethical hacking? The simple answer is no, but in this article, I will elaborate on my thoughts on the question.

ETHICAL HACKING

Today it is easier than ever to learn ethical hacking. There are loads of free and world-class study materials out there, in blog posts, models, methods, YouTube videos, and free training from academies. It can of course be discussed whether it is ethical, from a security point of view, to put material out there for anyone to access and learn how to hack stuff. But I will not go into that perspective in this article.

Besides learning the theories, watching videos, and reading articles about ethical hacking, the best way to learn the discipline is to get your hands on the keyboard.

Hands-on experience is superior, and not only when it comes to ethical hacking. There is great power in actually and practically doing, on your own, the tasks that you are trying to learn. And ethical hacking is a practical discipline. The actual attacks are done by pushing the buttons; they are not conducted on a PowerPoint. Ethical hacking is not a multiple-choice discipline. It is a technical hands-on discipline.

If you find ethical hacking interesting but do not have the ambition to gain technical skills, I recommend that you at least read up on common processes and methodologies related to the subject. Or study MITRE ATT&CK, which is a great source for learning the Tactics, Techniques, and Procedures adversaries apply.

And think about it. If you, for example, are interested in understanding how an attack is carried out from a theoretical perspective, a good starting point is to look into the ethical hacking process and methodology: how a penetration test is performed or how a red team exercise is conducted. In this case, I think it may be enough to watch some good YouTube videos, listen to some great podcasts on the subject, or go with the reading form.

But it will have its limitations. You get the idea of things, but you might miss out on how things actually work. How does the actual attack get carried out? How does a C2 look and work?

There is always a trade-off when it comes to how deep into the rabbit hole one is interested in going, from theory into practice. I do not put any blame on those who stay on the theoretical level but, as I said, it comes with limitations.

Hands-on stuff and pushing the buttons, especially when it comes to ethical hacking, is superior. There are no substitutes. And as one of my closest friends said regarding ethical hacking:

“Ethical hacking is like an endless RPG!
You enter new worlds as your XP grows.
It is endless, an endless game that is insanely fun!”

One of my closest friends ❤

Well said. I agree. It is an endless RPG. A place where there are endless rabbit holes. And my friend, you are a crusher in life and in your profession. Keep crushing!

UNDERSTANDING VS KNOWLEDGE

I think that it is wise to differentiate between two concepts, “understanding” and “knowledge”. They are not the same thing. Just because you watch a couple of YouTube videos or attend a course, demonstration, or similar, that does not directly translate to “knowledge” in my opinion. You have gathered some data, i.e. understanding, and now this needs to be processed into knowledge.

And when it comes to ethical hacking, this is about getting some dirt under your fingernails. I am there again. Get in there, put your hands on Kali Linux (or another weaponized OS), and go.

Test out the things that you have observed and had explained to you. It is impossible to become good at ethical hacking without doing actual and practical things, without applying the information, knowledge, and skills gained. Hacking is a practical discipline. Theories have their place, but I strongly recommend that you, if ethical hacking is your chosen pathway, strive for practice.

WHO SHOULD LEARN ETHICAL HACKING?

I think that anyone who is working in the security field would benefit from learning, at least a little bit, about ethical hacking. Remember what Sun Tzu said about your enemy. If you have forgotten, scroll back to the introduction of this article.

Then I also think that another thing, less spoken about when it comes to learning the subject, is “fun” or “interesting”. If you find ethical hacking fun and interesting, go!

If you do not find it somewhat fun, the time is better spent on other things. I think that having fun, independent of what you do, is a critical success factor. If you find something both fun and interesting, the setup is well-aligned for success. Learning is not something that is done by itself.

If you do not find ethical hacking fun, do not force it. But I encourage people in the security field to try it out, in some form and way. Try a simple CTF to see if that awakens some hidden interest in you. Or observe someone conduct a CTF. Or take part in a penetration test if that opportunity arises for you.

But as with everything, not everyone finds ethical hacking/OffSec fun or interesting; that is just how it is. I will not and do not try to convince you or other people who think it is boring to change their minds. My purpose with this article is to inspire more people to get curious about looking into the ethical hacking discipline, in one way or another. I think that one way to become a more accomplished security professional is by gaining multiple perspectives. The more perspectives you have as a security professional, the wider your understanding of the security field from a holistic perspective.

HOW TO LEARN?

There are today loads of good platforms that provide fantastic possibilities to go absolutely bananas on the target boxes, i.e. the machines that you are meant to hack. Back in the old days when dinosaurs walked on planet Earth, when ethical hacking was done against a personal lab environment, it was not always as smooth. If things went totally south, and the target box or environment got broken, a snapshot was hopefully available to revert to. In the worst case, it was time for reinstallation.

“Yet another day of training my skills to set up that infrastructure once again after I had it destroyed.”

Now it is a different ball game, it is magic! And I also think that this has helped a lot to boost the interest in ethical hacking. Both for those trying to get into the security field and also for those already in the field who want to transition into Offensive-land.

Keep in mind though, the real world is not a CTF where you are looking for rootflag.txt. Security testing is something else, it is a different form of animal. A security test, such as for example a penetration test, is very different from a CTF.

For those who are interested in penetration testing and want to experience a lightweight black box exercise, I recommend checking out the eJPT exam from INE. I took the eJPT version 1 exam.

The examination is purely hands-on but not a CTF. You as a student get a “rules of engagement” document and need to take it from there. As I said, it is a black box penetration test in an entry-level format. I loved it; it was an incredibly fun examination and certification process.

eJPT version 1 gave the student 3 days to finalize the exam. Absolutely no need to rush the exam, which I also think is a good thing. I completed the exam in 8 hours without stressing or rushing. 8 hours split between two days, 4 hours spent during evening one and 4 hours spent during evening two.

The time period given for the exam also emulates the real world to some extent, as you as a student have quite a long period of time to conduct the exam.

The exam also did not put any limitations on which tools were allowed. The student was given free hands to choose the tools and weapons of choice. This is also something that is relevant to the emulation of a real-world scenario.

 eLearnSecurity Junior Penetration Tester (eJPT)

But this examination is and shall be seen as one part of the learning curve for becoming a penetration tester. It is not the end game. The scenario is limited but still relevant and tests the ethical hacking process and methodology. You as a student are not required to write or present the findings, verbally or through a report, in this exam. This part is not covered. This is a test of hands-on knowledge in a limited, simulated, and practical environment. Anyway, I loved it and think it was a fun one. And I do not get any commission for saying this.

But as I found it a very fun experience, I want to make a shout-out to eLearnSecurity and INE for a great certificate. Thanks!

Besides those CTF platforms and certifications, there are tons of FREE information and knowledge shared and provided out there on the internetz. Before jumping into paid courses or more advanced stuff I strongly recommend checking out and going through the free stuff.

And this is especially true if you are new to Ethical Hacking. And from time to time academies and industry 1337 pros put out huge discounts on their learning materials. Keep an eye open. Subscribe to those academies and pros on for example LinkedIn and you will better catch these offers.

For your information

Take a look at this article, Gaming for Security Enthusiasts, and scroll down to the “Shout Out” section. The dudes I mention there are absolute pros and provide tons of useful and high-quality content for free on their channels. Such a great and beautiful contribution. A true way to help close the security shortage and knowledge gap by making knowledge available for everyone. Mad creds to everyone who puts their knowledge out there for others to learn from!

IS ETHICAL HACKING FOR ME?

“I am working as <ROLE>, is ethical hacking something for me?”

I have been asked this question by people in my network in the security field who are less technical and more focused on decision-making, security management, and leadership.

Would studying ethical hacking be something for them, and would it make any sense? In general, the answer is “yes”. But I think it comes back to that “why” and “it depends”. It would make sense to learn it, but it is not a must in order to become good at security in a non-technical role.

As I have said a couple of times now, I think that anyone in the security field will benefit from learning ethical hacking. But it is by no means necessary or a requirement. For a GRC expert, it may provide good know-how and understanding but I would not say this is something that is required for the role in general. It adds value in terms of knowledge and broadens perspectives. But you do not need to be a 1337 h4x0r to become a GRC expert. There are other skills that are way more important in these roles.

Another example is a sales professional of defensive security solutions. Would it benefit a person in this role to have an understanding of how attacks are conducted and how the attackers work? Certainly yes, but is it necessary or required? No. But of course, if a sales expert can explain how an attack is conducted and at the same time can explain how an organization can protect itself against it… yes, that would fly very well for me. But is it necessary to succeed as a sales professional of defensive security solutions? No, absolutely not.

Personally, I do not require or expect that ethical hacking is something all security leaders, GRC roles, and sales professionals need to have. There are other more critical skills these roles need to possess. For example, the skill of listening and understanding a customer’s challenges, business, organization, success realization, et cetera.

A CISO or a security leader does not need to know how to operate Cobalt Strike, how to develop exploits, analyze malware, or have an understanding of attack chains. There are way more important skills a CISO or security leader should have in the arsenal and spend their time on. For example leadership, business management, and empathic intelligence. The list goes on. If you are interested in reading more about CISO stuff, you can start out reading part one here, A day at work as a CISO – Part 1, in a three-part series.

You can become good at a security profession without knowledge of ethical hacking. The time you have in your professional career, at work and outside of work, shall also be taken into the equation. Where shall the time be spent? How much time do you have? Time is in general somewhat limited; choose wisely where to spend your time.

WHERE TO GO FROM HERE?

If you are a person who finds ethical hacking interesting and fun, I say “go”! The knowledge and understanding of how an adversarial attacker behaves and how an attack is manifested is always valuable knowledge to possess. But it is not something that is required for every security role.

But what if you are interested in learning ethical hacking but lack a fundamental technical understanding of networks, infrastructure, and those things? In this case, the learning curve will be a bit steep. But if the time is there, and you find it fun and interesting -> GO! As a leader or person, I would never tell someone who is motivated to learn new things not to go in that direction.

And keep this life-hack in mind. If the learning curve is steep, the payback is instant. You will learn at an extremely fast pace and grasp sh*t loads of new knowledge in short periods of time. For many, this is a very rewarding feeling. But then there is always that time consideration… again. What shall be squeezed in there? When will the studies need to be done? Do you have the resources needed? Do not underestimate that things take time. If you choose one thing, you might need to say no to another.

The journey of personal growth and as a security professional

See and treat knowledge as an investment. If you are in the security field, you will need to keep learning more or less during your whole career. Learning and a career are not a sprint; they are a marathon. If your time is limited, see if you have a little bit of time here and there to spend on sharpening your ethical hacking skills. All the knowledge you gain adds up. The game of security is infinite. No need to rush. Just start, and start from where you are. Do it and see it as a “journey of your personal growth”. Doing something that makes you grow as a person and professional. And make sure to have fun while learning!

If you are a beginner, then start with those things. Start with the fundamental parts. Start to learn about networking, infrastructure, and defensive security. CTF platforms (TryHackMe and Hack The Box, for example) have great learning paths for beginners.

If you are a more intermediate or advanced “player”/student of the security game, good! Then start from a point that makes more sense for your time investment. Every percentage of knowledge gained adds up. Strive for a sustainable progression. And make sure to have fun.

EPILOGUE

Ok, so I think I have made my point clear. I think that ethical hacking would be beneficial for everyone in the security field. The discipline is broad, and all digital things are more or less hackable. Even humans are hackable (by for example social engineering). Choose an area within ethical hacking that you find interesting and fun. Usually, this also goes hand in hand with the role a person holds.

If you are a person working with networks and Active Directory, your main interest may not be how an IoT coffee machine can be hacked. This is, though, a potential way for an attacker to gain access to the internal network. A casino got its network breached through an IoT-connected fish tank.

Ethical hacking is a wide discipline and if the goal is to maximize knowledge in relevance to a specific job role, I would go for a concentration on ethical hacking in that area. For example network penetration testing. And every organization has a network.

I cannot emphasize enough the quote from Sun Tzu in the introduction and the power behind knowing your enemy. This form of knowledge is without a doubt, independent of situation and context, valuable when there is a game taking place between an offensive and a defensive side.

And within the security realm, we can simulate those bad guys, adversarial actors who try to evade and break through an organization’s defenses. We can play those games by gaining knowledge of how they conduct their attacks and through that increase our organization’s security posture and cyber resilience.

Personally, I do not think there is a need to become an expert, grand master, or Sith Lord in ethical hacking. Put the ambition level in accordance with the resources you have available. Aim to start where you are and learn from there.

If you observe yourself finding it interesting, I also strongly recommend you get your fingers on that keyboard of Kali Linux early on in the process. Ethical hacking is a practical discipline and skill. Playing around a bit with the most common weapons once or twice and trying some of the most common tools is a fun exercise on its own.

The DIKW pyramid of Data, Information, Knowledge and Wisdom

Getting a little bit of an understanding of ethical hacking will also be value-adding knowledge if you are managing an organization, team, or people working with security. You will get a better understanding and knowledge of the job done by the team. You can speak, at least in part, the same language and understand the broader perspectives. And putting up adequate defensive operational, tactical, and strategic plans becomes both easier and more fun.

Personally, I find leaders and managers more inspirational when they do not just tell others what to do without having any understanding of, or ever having done, those things on their own. I would never tell, require, or demand someone to go in there alone to do a job or something that I have never done myself. If that situation were to take place, I would make sure to be there and do the task together with my teammate, making sure the right resources, support, and requirements are in place. As a manager or leader, you do not need to be a 1337 h4x0r, but it is good if you have an understanding of the discipline, i.e. ethical hacking, if you are leading persons working technically on the defensive or offensive side. It is not a requirement, but I strongly think this is value-adding for both you as a leader and for your team members.

This is a part of my leadership mentality and philosophy though, nothing explicitly personal, but I put a true value in it. It is something that I learned from my sports career. In a team, things are done together, and helping each other out is expected from everyone, independent of role, skill, grade, and experience. And from those who lead, formally and informally, the expectations are even higher. The expectations on the leaders in a team shall be high. A leader shall show the way and do so with high standards.

I do respect that others think otherwise and operate in different ways when it comes to leadership. I do not say that there is something wrong with how others lead, manage, or do things. This is only how I operate. This is how I do things when I lead myself and the people around me. Leadership is something that comes in many forms. There is not one style or method that fits everyone and all situations. Leadership is situation-dependent and style-dependent. Copy-pasting someone else's leadership style is less often a successful method for leadership. Find your own way and philosophy. Follow your own heart. Be the leader that you want to be led by, for others and for yourself.

Henrik Parkkinen