We think we know offensive security is an infinite game (and why)

Publisher: Pentest-Tools.com
Guest: Tim Connell

There is no end goal in this industry. You're always going to keep moving forward.

This quote from our guest captures what we explore in this episode: the love for the process, the hunger for knowledge, how to add value for clients, and how to become a better penetration tester.

For the third episode of We think we know, we welcome Tim Connell, an enthusiastic penetration tester and the Director of Cybersecurity Services at Pulsar Security, to explore the most common security testing myths and misconceptions.

Tim shares practical tips and examples that spotlight his commitment to continuous learning and community contribution. His enthusiasm and genuine dedication to this space are inspiring, and we hope they lift you up and help you get better at what you do.

So join us on We think we know, as we unpack the layers and narratives shaping offensive security work.

Tim Connell bio

Tim Connell is an influential figure in offensive security, turning more than five years of experience and a dedication to continuous learning into valuable contributions to the community.

His journey, enriched by OSWP and OSCP certifications and a background in sales and marketing, allows him to adeptly bridge the gap between technical expertise and business understanding. 

Tim excels in transforming complex cybersecurity topics into engaging, educational dialogues, contributing significantly to the penetration testing community. 

His approach emphasizes understanding client needs and effectively communicating the business impact of cybersecurity risks, making him a valued partner in the industry. 

Through open conversations, he shares practical tips and real-world examples, inspiring positive change and growth within the field.

Listen to the new episode to find out:

  • Why it’s essential to really understand what each customer needs from their pentest [08:31] 

  • How to improve your workflow by making some of it replicable [21:33]

  • Why it matters to learn as much as you can and use that to deliver better work [33:05]

  • How to speed up your learning process by building stuff and looking deeper into vulnerabilities [41:21]

  • Why (and how) visual representations boost clear communication in penetration testing [46:31]

  • The perks of being more involved in the community, being resourceful, and keeping your motivation to move forward [50:05] 

At the end of it, you’ll walk away with many valuable lessons to use in both your life and career. Let us know which hit home for you!  

Episode transcript

Andra Zaharia: Only the most curious and persistent people thrive in offensive security. 

How do I become a better hacker? How can I build and maintain my advantage over adversaries? And what's limiting my ability to think creatively? 

This podcast is for you. If you're the kind who's always digging deeper for answers, join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.

This is We Think We Know, a Podcast from Pentest-Tools.com. There is no end goal in this industry. You're always going to keep moving forward. This quote from our guest does a great job at capturing the spirit of this podcast: the love for the process, the hunger for knowledge and improvement, the evolution of our understanding of technology, humans, and how they interact in surprising ways. 

Tim Connell is exactly the kind of person who blends all of these in his life and work. He's building an active community around his curiosity and passionate motivation. The same ingredients led him to leap across growth stages as a penetration tester. 

From leveraging a robust network to turn setbacks into progress, Tim shares practical tips and examples that spotlight his own commitment to continuous learning and community engagement. Learn how to mold specific use cases, even when you can't find the answer on StackOverflow. Find out why being resourceful can propel your pentesting career to incredible growth and why it's also the key to remarkable results in your engagement. 

We think we know how to develop a pentesting career but let’s be honest, there's still a lot to explore.

[01:59] Andra Zaharia: Okay, so what's your first reaction when someone says, 'ah, it's just a pentest'? 

Tim Connell: Yeah, it's a good question. Pentest means something different depending on who you're talking to. A small organization might use pentest as a buzzword to describe cybersecurity in general, where they might not even be at a point where it makes sense to do anything hands-on keyboard, and they're at the assessment level, whether it's a risk, threat, or vulnerability assessment, putting some of those security controls in place.

But when I talk to customers, people in the industry, the first thing I like to understand is: what does it mean to you? So it could mean just a traditional vulnerability assessment. Like I said, it could be a risk assessment or another level of the compliance side, or it could also be hands-on keyboard, where we've done everything that we need to do and we really want to dig into the areas of our network where we're really afraid of losing data, or where a breach would impact our business operations.

So it's really about understanding security as it pertains to risk, which is really what we do. Our goal is to identify risk and help companies remediate risk for a fraction of the cost it would take if they got ransomware or if their business was shut down for weeks on end because they couldn't get access to their data.

[03:28] Tim Connell: Well, maybe not a surprise, but a lot of times when we're talking to customers, they're not ready for a pentest. I just had a conversation with a customer last week and it was: I want a pentest on the internal environment, the external environment, a handful of web applications that we build. And the first thing that comes to mind is, do you have 200 grand, right?! Because an actual pentest would cost that much money, because it would take you a long time to get through all of that infrastructure.

So lo and behold, they weren't ready for that sticker shock. Their malice dropped a little bit and we took a step back and said, all right, well, maybe it makes sense to do a vulnerability assessment first. Just look at the areas of your infrastructure you care about and from there, based on what returns vulnerable, we can go deeper, and we can do it based on the areas that show the most vulnerabilities as well as the infrastructure that you're most afraid of being breached.

And we can go and target that. So you take a $200,000 price point down to a couple of grand for a vulnerability assessment plus ten grand for a pentest. And now we're starting to talk about real numbers and a real engagement that really is beneficial to the customer, right? Because that's the end goal when you talk to a customer.

The goal is to make sure that they are more secure when the project is done than they were before that first conversation they had with you.

Tim Connell: So if you're not doing that, then you're not doing your customer any service.

Andra Zaharia: And also, the thing that I really appreciate is that you have this very constructive attitude about all of the elements because it can be disheartening to hear that undertone of 'it's just a pentest,' to hear that dismissiveness in someone else's voice, to be faced with having to justify and explain yourself. But that's part of the job, isn't it? That's part of the work. 

I mean, helping clarify those elements and helping clarify the distinction between a vulnerability assessment and a pentest, that is part of the work. 

It's not something like an extra effort, which I feel sometimes people see as being detached from the actual work, which is the parts that they enjoy more than talking to people and building business cases and things like that.

Andra Zaharia: But this is where your background shines because you come from a background of sales. And I'm really curious to see and to understand what elements from your background and from your experience have helped you get to this level. 

Where in just a few years, you not only managed to acquire a lot of knowledge, but a lot of practical experience, grow a company and also become one of the most active members in the offensive security community. 

Andra Zaharia: So walk us through this process a little bit through that transformative journey that you've had. 

Tim Connell: Yeah, I love that question. A lot of people would probably shy away from the background of sales because it's a dark word, no one likes salespeople. But it very much was a positive in where I am today because it allowed me to understand the business, right?! When you're in sales, you're selling a product or a service, but your goal is to do something that the business needs that is going to either positively impact the business operations, the team's ability to do work to save the company money. 

So there are all these different consulting elements to it that have really helped expand my ability to bring value to our customers. When I was in sales - of course, we all have numbers, right? - a lot of times I have a number and I was working for a small company that had a venture capital board that funded us. And if I didn't hit my number, there were always questions about what's going on.  And I came to realize that the customers that I had the most success with, it wasn't about the number. They don't care about the number. They care about your ability to bring value to what they're trying to do. 

So if you take a step back and you think about it in three dimensions, not just looking at a transaction here from a sales perspective, you're really a partner to these companies.

And when I'm talking to a customer, and some people would say otherwise, but I believe a pentester is part consultant. 

You have to be able to consult the company. You have to understand what they're trying to do. You have to understand what they do as a business. You have to understand how they make money. You have to understand the people you're talking to, what their roles and responsibilities are. You're talking to, let's say, an engineer versus a director. 

Tim Connell: An engineer is responsible for making sure boots are on the ground, things are running and are working right. The director is responsible for making sure that that's happening and reporting that back to the business in a way that turns to dollars and cents and justifies the work that they're doing to get more support in the things that they're trying to do. 

[08:31] So when it comes to doing pentesting and this is why, in my opinion, it's not a commodity either, because you have to not only understand what's vulnerable, you have to be able to speak to it in a way that the business can understand. And going back to that engineer director reference, an engineer is going to look at that in a way that's technical, whereas a director might look at it in a way that's a business operation, right? 

They're looking at it more from a CIS control standpoint where an engineer is looking for how to fix this code vulnerability that allows somebody to get access to our database.  So it's understanding all those components. 

And when you're in sales, you really have to be almost an external project manager, because a lot of times the customer doesn't know what they need. So if you can understand what they're trying to do, you can lead them in a way that is beneficial to them as a consultant and ultimately get them where they want to be.

Even if they can't articulate what that is, you have the experience to be able to show them and to back it up with your password and your output that will make them more secure when the project is done. 

Andra Zaharia: That's a super helpful process. And the clarity with which you described it, I think is so helpful simply because the sales process itself helps a lot of maturity. I mean, sales has been around probably since humans have been around forever. 

So it has all of these elements in it that are actually rooted in an understanding of human nature and how these relationship dynamics work, and how things work when we have to get people to work together and we have to get people to do something. And that's why there's so much value there that we can carry into offensive security and figure out what these people need.

Because the conversation nowadays is often, increasingly often about how do we get people to understand the value that penetration testing brings? 

How do we get people to see the value that a penetration tester creates through his unique skills, unique knowledge, unique experience, and especially through his curiosity and all of the work that's in the background that fuels every tactic, every step, every surgeon and so on and so forth? 

And that's why I particularly wanted to talk to you about why penetration testing is a craft and not a commodity. 

Because not only do you understand these things, but you talk about them so often, especially on LinkedIn, which is where we discovered you. You talk about this and you start conversations with people that go really deep. How have you seen people react to the type of nuggets that you post, to the types of observations that you share? What have you seen really kind of coagulate around, what kind of topics get people to come together in a way that makes them feel strongly about like, yeah, this needs to change because it's hurting our work and hurting our potential to grow. 

Tim Connell: Yeah, when I try to put information out there in the world, I try to think about it in a way where how can somebody who doesn't have any experience, how can they relate to this? 

Because I believe that when you're starting to learn something new, you're always going to try to relate that back to something you understand, which will make it easier for you to learn the new topic. 

So I try to be as real with it and talk more at a practical level about the things that I'm writing about and that I'm trying to put out there. And I think that is what gets me the most interaction.

Because if you go really deep on a topic, nobody understands what you're talking about, why would it? You're not going to even know how to interact with that. 

So if you stay high level and you focus on topics that people are trying to understand, it helps them understand what they might need to either focus on more or what questions they should be asking, or just give them some different ways to think about the work that they do. 

And I've had people with ten years experience, I've had people who have no experience come and ask some of the same questions. 

And again, going back to that same mindset, someone with ten years experience, you're going to get a lot more technical with than somebody with no years experience because you also don't want to discourage people.

And I think that's another major issue we have in the industry. I hear a lot of people talk about, we found all these vulnerabilities, nobody's fixing them. It's because you're not doing a good enough job translating what you're doing in a way that shows risk. Going back to the commodity scenario, you could find web applications. You can go and find a cross-site scripting vulnerability that pops up on one of your screens, but that doesn't show risk, right? That shows a vulnerability, but that doesn't equate to somebody who's going to sign off on an engagement or the amount of effort and time it would take to fix that, because it doesn't actually equate to anything that they can relate to.

So if you take that cross-site scripting and you turn it into, hey, I can take over your account, I can hack into your database, I can steal all of your customer proprietary information, you start making it more real. So it's important that when you do have these discussions and you talk to people, regardless of where they are on the learning spectrum, that you're trying to make it as practical and as relevant as possible.

Andra Zaharia: And you do that really well. And this is one of the things that actually contributes to growing the community in general and just mentoring people through conversations because having that space where someone with decades of experience comes together in a conversation with someone who's just starting their journey or perhaps they're trying to level up, that I feel is such a precious thing.

And this is why I used to love the cybersecurity community on Twitter before everyone moved to a different platform because I've been following for almost a decade these conversations that are happening in public. And that's how we all learn and that's how we develop our ability to speak about our work as well. That's not necessarily something that comes easily for people in this space, particularly. Not because they don't want to, but simply because they've spent a lot of time cultivating a different set of skills. It's perfectly natural.

Tim Connell: It's so hard too. I don't even want to go to that viewpoint of you can be a master at everything. It's just not possible. There's just too many domains. Things change on a day-to-day basis. If you can learn an inch deep across the whole industry, but you have a deep skill set on one specific domain, then you're doing really well. 

[16:00] So it's really important to be able to cultivate relationships in all those areas where you are maybe an inch deep, to have resources whose expertise that might be, and you can lean on them for the things that you need that they might know, and vice versa. Because I believe you should never just ask for help. You should take some time and struggle a little bit, but not beat yourself up, not do it to a point where you lower your self-esteem and you're thinking to yourself whether you can do it or not, because you spent so much time and aren't really getting anywhere.

So after about an hour, I'll reach out to my community, the people that I'm really close with, and say, hey, I actually just said it to our team. Hey, I have this issue. Spent some time on it. What do you think? And then we start to mind melding. We call it internally, we mind meld. We all have these skill sets. We're melding our minds. We're coming up with different ideas and different viewpoints, and you're taking something that seemed impossible, and you're leveraging the resources you have to get where you want to get to. 

And then once you understand how to do it, you either write it down or you archive it somewhere. And then when it comes up again, you have somewhere to go back to. So it's really important that you use the community, use your resources and give yourself some credit, because most people don't even try because it just seems impossible. Most people I talk to, if I tell them I do cybersecurity, they look at me, their eyes frost over, and then they don't even know what to ask. You steal stuff? I'm like, no, that's not what we do. Because they just think about what they hear in the media, right?! I think people have got to give themselves a break.


Andra Zaharia: That's so true. And also because we lack benchmarks in this industry, because it's such a young industry. It's young and it's so nuanced, in the sense that each pentest engagement is so unique. You can hardly compare things. So it's hard for people to figure out if they're doing well enough on their, let's say, career path or in their specific role or in their specific engagement and so on. We just need each other as echoes, as a mirror, to figure out where we stand, like, am I doing this right? Is this working? Is my process good enough? Is my report good enough? Are my skills good enough? How can you tell? Especially since, just like you mentioned, things evolve every single day. So how do you gauge exactly how you're doing without that comparison taking over as a toxic thing that starts to chip away at your sense of self-worth?

Tim Connell: Yeah, I try my best not to compare to other people. Everybody has Impostor syndrome in this industry. I think of it from a positive, where if I didn't have it, that means I'm not trying hard enough, I'm not trying to learn new things. I'm not extending outside of my comfort zone, which I think means that impostor syndrome is a positive, even though a lot of people think of it as a negative. 

But when I'm working, especially if I'm billable, my experience and my value equate directly to the customer experience. So as long as I'm doing what my customer is expecting, or doing better than what they're expecting, I like to think that I'm doing the things that I should be doing and learning the things that I should be learning. Now, every engagement that you're on, you're going to learn new skills and you're going to learn new things. And I think that there's value there too. So next time you work with that same customer, there are new things you can try. But I really try to be as humble as possible, understand and accept that I don't know everything, and just work and learn as much as I can. And when I'm on things like LinkedIn, a lot of people say that they don't connect. People can follow them. That's fine. I like connecting with people, because everybody I connect to is putting out different things I've never tried before or seen before. So I'm always finding new things there too. I'm not stubborn enough and I'm not arrogant enough not to use other techniques that other people put out there and give them kudos where deserved or where it helped. So, yeah, I don't spend too much time on things that I can't control.

Andra Zaharia: Which is a good reminder for all of us, honestly. And we need it a lot more often than we realize, actually.

Tim Connell: Right.

[21:33] Andra Zaharia: So when it comes to, let's say, looking at things under the microscope a little bit, in terms of what this craft aspect of penetration testing involves, it's clearly, as we talked about, a huge focus on each customer situation and understanding the inner dynamics of their business, how everything connects, what the pieces of the puzzle are. What else, let's say, is special? Or how do you build your work to make some parts of the process repeatable and replicable? Because you need that; otherwise, that would be a lot of time spent just doing things over and over again. How much time do you spend on the things that are unique and very particular to that engagement?

Tim Connell: Yeah, it's a great question. A lot of it depends on the scope. So I'll just use applications, because they're the easiest to talk through at a high level and kind of narrow the scope. It depends on the customer. So are they a customer that is part of a high-value industry? Is it government? Do they do transactions on credit cards? All the things that would make them more interesting than somebody who's going to go on Shodan and run some automated script looking for the latest VMware vulnerability on all publicly accessible vSphere environments, right?! And from there, it's looking at the different aspects of the application that allow for potential vulnerabilities.

When I see an application, you're always going to look at the login, you're always going to look at the forgot my password. You're always going to look at the reset my password. You're always going to look at if there's a message board, if there's a chat, if there's an email component to it. You're looking at areas where you input something and something happens, whether it reflects back to you or it triggers an API or it triggers another function that would make it vulnerable to certain types of attacks. And when I'm doing the recon, I'm taking mental notes of how all these pieces play together, and I'm taking notes on the endpoints that might be vulnerable based on some of the characteristics of the coding etiquette that the developers have in place.

And I'm seeing where I should go deeper. So of course, even things like file uploads and stuff like that, I'm focusing there and then I'm going to start going through each of those components in much more granular detail. So I'm looking at, is there an insecure direct object reference? Is there an ID value there that is directed to a specific database table row that you can then fuzz to find other data?

If they have a file upload that might have a whitelist of files on the front end, or if I find a cross-site scripting vulnerability, are they enforcing that on the server? Because if they're only enforcing it on the client, I can bypass it with cross-site scripting. On the other side, do they only have it on the server? Then anything that I submit on the front end goes through, and I have to see on the server if it actually runs or not to get a remote code execution or a server-side request forgery type of vulnerability.

So it all depends on the scope. It depends on why customers use the application and what their workflows are. Sometimes, it also depends on the types of features in that application that are being used more than others, to really transfer that over to risk. And it also depends on, can anybody off the street exploit this, or do you actually need a login to do it? If there's a login, do they have MFA set up? If they don't have MFA set up, I'm going to go pull all the credentials from the dark web or cred stuff and see if I can credential stuff that, because there are hundreds of millions of credentials out there, and every application I've found that doesn't have MFA,

I can credential stuff and get access to the application. But you need to be able to show the risk by showing I can get into another user's account. Just saying, hey, you don't have MFA, that's a vulnerability assessment type of risk. It's a CIS control type. It's something that NIST says you should add, but at that point it's okay. They tell me I should do a lot of things; I should shred my paper too, right? But MFA is critical to your business. So there's a methodology to it, but it all depends on the scope and the targets that we're going after. And a lot of that just comes down to reps and experience. It's not something you're going to get on bug bounty. It's not something you're going to get in a class. You really have to start working with people who are doing it to get some of those stories and some of those real-life experiences that you just can't get otherwise.

Andra Zaharia: And that connects so well to something a previous guest said, Alexei. He said that at some point you just start to develop like a 6th sense around “I know there's something here” because that intuition actually relies on the reps and experience that you just mentioned that just feeds off of every type of experience and doing and searching and forming kind of those mental models around how to approach your targets and how to approach a business.

And that all becomes kind of codified in a unique approach that you end up having as a penetration tester. And that's why I find it so fascinating that in this space we have such a diversity of not only people in backgrounds but also in approaches and in different ways of seeing the world and putting that to work in a way that ultimately is meant to help people in a very palpable, practical way. 

All of these examples are just so good because like you said, the media still kind of portrays this ethical hacking part as something that's very exotic and obscure and untouchable. And I feel that that creates distance for most people. It reinforces that distance actually, instead of making it like this is an actual career path that you can develop, this is something you can learn, this is something you can do. And examples like yours of transitioning from a different industry, a different role into penetration testing, I feel like we need so much more of those to show that this is, again, doable and learnable and something that you can develop in time and add your unique flavor and just way to go about it.

Tim Connell: Yeah, absolutely. I did a lot of classes when I first got in the industry and I think the most I got out of that was understanding what subjects I should spend more time learning, because that's what people were talking about and that's another huge issue. There's so much content out there. What should I focus on first? I get asked this all the time. It's like, hey, should I do Cloud? And I'm just like, that's not the right question. You should first understand what you want to do. There's plenty of work and need out there for every single domain in cybersecurity. So the first thing you should do is focus on what you enjoy doing and then understanding everything you can about that specific subject, right? And then as you go, you'll get that inch deep everywhere else. 

But you can't go and say, I'm going to go spend a month on Active Directory, I'm going to go spend a month on Azure, I'm going to go spend a month on AWS, and then I'm going to go spend a month on the way that it works, because it's so much deeper. And if you want to be more than just a scanner, right, which your job is going to be replaced if you're just looking for vulnerabilities, I'm sorry. You have to be able to go as deep as possible. And, as customers are getting better, you have to be better than them. That is what they're paying you for. It's not a game. These companies, this isn't a CTF. We're not out there to find a root.txt file and show that we can get some arbitrary hash that says that we got a new system.

[30:08] They're looking to make their business safer. And the only way that you can do that is if you are adding value on top of their expertise. And that requires you to constantly be working on your craft and enjoy it. Because when I was in sales, I enjoyed it. I didn't enjoy the grind all the time and after eight or nine years at eight or nine startups, I just got burnt out. But with this industry, there's so much to learn, there's so much to be curious about and there's so much to enjoy that if you don't have that enjoyment for it, then you probably shouldn't go into pen testing because it's going to be painful. It's going to be painful. And if you're the person who's looking for immediate gratification and a pat on the back, you did a great job, that's not this industry. So it's really important that you take the time and learn as much as you can and keep adding value to your customers because, again, that's what they're paying for.

Andra Zaharia: And also figure out where and how you get that sense of achievement just like you mentioned. Knowing that perhaps you're not going to get that level of satisfaction and gratitude from customers means looking for that somewhere else. And if you don't have different, multiple sources to get that level of satisfaction, that sense of progress, then it can be frustrating really quickly, especially because again, we're talking about some misconceptions that get carried over from one, let's say generation to another or they just get carried over. 

Because we still have to do that work of clarifying things, of why penetration testing is not a vulnerability assessment, why it's not red teaming. And we just have to, I mean, these are necessary conversations because we haven't reached the level where there's an implied understanding of each of these individual types of offensive security activities. So we're going to have to just keep going and keep sounding like a broken record until hopefully, the future generation of ethical hackers come with this kind of built-in. They already know how to explain what to do and hopefully, customers become more acquainted with these concepts as well.

And you mentioned something that I feel is very important and it's tied to this craft aspect of penetration testing, which is automation. How do you feel about vendors and companies and promises of full automation? All you have to do is click a button and we'll do everything for you. How does that make you feel knowing the depth that this type of work implies and the intellectual and emotional labor behind it?

[33:05] Tim Connell: As long as it's being explained in a way that it is just a vulnerability assessment, I think it's great. I think revealing as much value as possible in the shortest amount of time is really the most benefit. The customer gets the best bang for their buck. But it's the reporting aspect and it's not explaining the differences where I feel really bad for the customers, to be honest with you, because they don't know any better. Well, most of them don't know any better, and then they feel like they're getting taken advantage of. And a lot of customers come to us not because they haven't done a penetration test before, it's because they felt like their previous vendor didn't do them the right service. 

So a lot of times we'll actually ask for the report, and I've got reports where it's literally a screenshot of an Nmap scan and that's part of their pentest, and I'm like, that's nothing, there's nothing of value there for you. And on top of that, the customers aren't being told what the report is actually trying to tell them. So we've had a lot of customers too, it's like: "Hey, I got a full-page report. They dropped it on their desk and we never heard from them again." 

It's like, I just feel, and I don't like the businesses that do that, but I also feel bad for them because eventually they're going to be found out and they're not going to be in business anymore. And it's like they might actually think that they're doing the right thing, because there's so much of a misunderstanding as to what this industry is all about. They might really believe that they're doing penetration tests, and it's not that simple. 


And we do pentests. We give you - a lot of times now, actually, we're giving you the full attack chain. So there might be four vulnerabilities in one finding, with the output being the end result of stealing an account or getting access to the server. And we're breaking it down with proofs of concept. We're breaking it down with the actual output of code. Take this code, put it into a file and run it, and you'll see that this thing is real. So we're trying to give them as much data as possible to realize that their money was well spent, and if they need help, we can help them fix it. They should think of it more, again, as a partnership and not a contract. This is a partnership. 

Cybersecurity is a journey. It's not a task. You're never going to be at the end, and it's going to take you a lot of work to get it right. And to think that a single pentest or a single vulnerability assessment is going to just check the box and we're done, it's just not that simple. So being able to provide that data to a customer and actually explain how to fix it, I think, when those things aren't there, again, I feel really bad for the customer.

Andra Zaharia: And it hurts everyone. It hurts the customer, it hurts the industry. That's why penetration testing still has a bad rep in certain aspects. It still doesn't get the respect that it deserves and just making sure that people understand what it's about. So it's still kind of a very fuzzy, undefined discipline for the people who it helps the most, which are the business owners because that's who we're trying to help. 

And those are the people who decide that they can allocate budgets for this. And those are the people who, at the end of the day, care about protecting their businesses. But we need to help them do it in a way that's meaningful and truly helpful, and not just, again, not just something that helps them be compliant and stay in business because they're just in line with all the legal requirements.

Tim Connell: It's so funny you say that. I was actually at a conference this week and it was really around risk. If you want to say the one word that described the whole conference, it was risk. Most people there asked questions around cyber insurance, right?! Because we don't know. So we need to make sure we have insurance so when we get hit, we can stay in business. And the overall perspective that I got out of it is that we're still too reactive. We're too reactive to risk, and we have to do a better job at getting out in front of it and putting in the right controls. Because even if you get breached, because you're never going to be able to get everything, if you have the right controls in place to isolate the damage, you're going to be taking what might take months to fix down to a couple of hours, maybe a day, and if you have backups you're up and running again. 

So it's like you are a business in a place that has a high possibility of an earthquake, right?! You're going to have a disaster recovery someplace else in a different geographical region. So if something happens where you are, you can still operate as a business. So you have the controls in place to, when that happens, you have the ability to stay online. And we as an industry need to do the same thing in the virtual world, right?!

Like I think about it all the time, okay, business email compromise is huge. So we need to start implementing more zero trust on email, right?! Making it so if someone gets in your email, the number of ways that attacker can pivot is only isolated to that email, and then it's around how you're archiving email and how you are sending passwords in email. So you're starting to really fence in that threat, or I guess that risk, and make it so that threat can't expand and launch ransomware in your business. 

So that's the mindset we need to have. We want to be more proactive. And a lot of that comes down to our ability as industry heads, as the offensive security testing industry, to portray that information so the customer can understand.

Andra Zaharia: And all of the attack chains, all of the proof. Every time a business owner walks away with a clear understanding of what they paid for, that's a huge win for everyone because that business owner will be more inclined to invest in this, will understand what the value is. And I feel like every type of element, every type of experience that we're able to give people who are outside the industry, the people who we serve, at the end of the day. 


All of those experiences kind of snowball into a bigger mindset, change into just a bigger inclination to just have these topics in their universe somewhere gravitating around them rather than instantly rejecting them and instantly saying, like, this is not for me, I don't really care about this. I have more pressing issues. And yeah, just being able to talk about this and make these conversations public for people to use and to see if they're getting their money's worth - again, that's something that's very generous of you to do, both in this conversation and generally in the community.

What's something that you're really passionate about these days? What's something that you're really digging deeper into and feeding that curiosity, that's so typical of the ethical hacking mindset?

Tim Connell: There's a couple, so again, I spent a lot of my time doing web apps. There are a lot of vulnerabilities out there that people don't think are a big deal, and they are. So I like to really focus on how to make them as impactful as possible. For example, clickjacking, UI redress attacks. It's the ability to have a fake page or form over a real form that is invisible. So when a user inputs their email and password, that will then get sent to an external database somewhere that could be used for credential harvesting. 

[41:21] I actually spent some time building something that was actually usable and putting that in my reports because almost every customer is vulnerable to that. The biggest organizations in the world are vulnerable to it. Not just on a browser, a brochure type of page in the browser, but like a login page, a forgot password, pages where people are going to actually give information that could be used to get access to their account. 

So building stuff like that, that is kind of dispelling the belief that it's not that big of a deal. Cross-site scripting is another one. A lot of people say, okay, I can put a 1 in the browser, no big deal. Okay, cool. What are you going to do with that reflected cross-site scripting? Okay, someone actually has to click on a link. So what? Like they don't want, no big deal. But if you take that and you can actually use it, weaponize it in a way, you don't need anybody to click on anything. But by triggering it, you're actually pulling data that's hidden or is going through the DOM, the Document Object Model, the backend JavaScript page. 

It's allowing you to take over Ajax requests so it goes into the backend. That is showing impact, it's showing meaning. And by finding ways to make those more malicious and increase the risk, you're finding a lot of vulnerabilities that people don't take seriously. And by doing that, you're helping them understand that they need to fix these things. It's not a big deal. So those are the ones I'm really enjoying right now. I'm starting to get more into the server-side stuff. So let's do cross-site scripting to get access to local files, or to get access to server-side request forgery or local file inclusions. Can I use this to basically do an IDOR across the whole website and literally pull on the frontend the full database? So you're starting to look at things that are a lot more complicated, a lot more complex, because I also believe a lot of people aren't doing that in these engagements, especially not in ones that are three to five days long.

Andra Zaharia: And that's basically, I mean, do you feel like this kind of reflects the reality of penetration testing, which is like 1% really exotic vulnerabilities that are, again, very interesting from a technical perspective? And is it 99% vulnerabilities that have been around for over a decade, first of all? Second of all, they seem, just like you mentioned, unimportant, but they actually make up the bulk of things. Do you feel like that's an accurate reflection of what you find in the day-to-day work that you do?

Tim Connell: Yeah, a lot of it comes back to just your ability to be creative. You've got to be creative when you find something and think, okay, what would somebody do here? What type of vulnerability would this potentially trigger? This information I found, what is it used for? And starting to actually go deeper in understanding and putting that attack chain together by finding all of these what might be low or even informational vulnerabilities. And you stack them together and you get something that might be highly critical, right?!

And that is what the best are doing. Like if you're a target, if someone says, hey, you're a company that is high value, I'm just going to go focus on you for a year. Those are the things that they're doing, because they don't want to be found. So they're not going to be doing brute forcing. They're not going to be doing things that are going to trigger your Cloudflare, WAF, or anything else that might set off alarms on the server that might get you blacklisted. We do a lot of things like, okay, you have the ability to do ten logins before your IP gets blacklisted. So what if we change your IP address? Have you taken that into consideration? 

Another one that's very basic is username enumeration, right?! If I put in a right email, a wrong password, and it says your password isn't correct or your username isn't correct, right? That's one layer of it. But another layer of it is looking at the timing of that. So time-based user enumeration. So if I can go and say you have 10,000 records in your database, and the way the code is working is it's going to check if the username is correct first and then it's going to traverse every single password to see if there is one, or if it's doing that all in one function, whether it's two functions or one. 

You're going to get different timing, which is going to help you understand that, okay, my username is correct because it took 15 milliseconds to get back, versus my username was incorrect and it took 0.5 milliseconds to get back. So it's getting more granular in understanding how the applications work and how developers build code and build applications. It's those things that I think are going to provide that Australia. 

[46:31] Andra Zaharia: And they really do, putting all of these things together and creating this very intricate mind map of all of the things that go into your work. I think that that's one of the reasons why there's such a fascination with mind maps and penetration testing. Every time someone develops, like, a really complex one, it just blows up on social media and everyone wants to share it. 

Because just having that reflection of all of these elements and all of these steps and all of these kinds of successive connected elements that work together is such a fascinating thing to see. And again, one of these aspects that I feel is so powerful in reflecting that craft aspect of penetration testing is to be able to make all of this thinking visible in some shape or form - whether it's mind maps, whether it's conversations, whether it's graphics, which I think the industry really lacks in. 

We need more graphical representation of things because our biology hasn't caught up to the level of complexity penetration testing has evolved to.

Tim Connell: Seeing is believing, right?!


Andra Zaharia: Exactly. Perhaps, yeah, like pentest reports might benefit from having graphical artists or just simple drawings of, like, this goes there and this affects that and that's how it's all connected together. Oh yeah, but. 


Tim Connell: It's really hard, right? Going back to my comment earlier about there's a lot of information, it's like, what should you focus on? There's a ton of information out there for that first 10% of a discipline. But once you get past that first 10%, where everything isn't sort of the same and you get more specific, it gets very hard to build content. And it's very hard to find that content if you're trying to do something very specific. And you might not even find it on StackOverflow because it's just such a specific use case on a specific function, in a specific language, against a specific target infrastructure, that it's very hard to get that information. 


So I'm with you. I've thought about that too. How do you do more graphics and how do you do things that are more relatable as you go deeper? You'd have to have an eBook of diagrams because there's just so much to it. 


Andra Zaharia: It really is. Which goes to show that there's a lot of work to be done, both in improving the process and how we talk about it and how we relate to customers and how we present ourselves and how we engage with the community, with the outside world that goes beyond our bubble and our echo chamber, which is so important.


So if there's one thing that you can share from experience that has helped you, keep you motivated and engaged and energized on your path, what would that look like? What would that be as a roundup to our conversation and something that listeners can just take with them and think about?


Tim Connell: Yeah. It's very easy to get in a rut, especially if you're trying to do something and it's not successful. It's very easy to get down on yourself. It's very easy to think you don't know anything. It's very easy to have impostor syndrome kick in in a way that actually isn't productive. And again, I think impostor syndrome is a great thing. I think it just means you're pushing yourself out of your comfort zone. 


[50:05] So if you're starting to look at all those negative aspects, which again, is going to stop you from trying to keep moving forward, take a step back and understand what you're trying to actually do. It's not I'm trying to run this piece of code or get this piece of data, what are you actually trying to do? What domain are you working in? And start getting more involved in the community. One of the things that I think is going to be or is the biggest soft skill, the greatest soft skill outside of just integrity that you need to have in this industry is your ability to be resourceful. 


When I started, I had a handful of people who I had daily conversations with. I luckily got OSCP within one year of starting in the industry. One of those was every night of people's Slack, their emails. I'm calling on to say, I'm stuck here. I need your help. This is my sales part kicking in. It wasn't, hey, do you have five minutes? I need you right now. I'm getting to a point where I need you. And they know, I mean, a lot of them I'm friends with or I've known for a while, so they get it. 


And just every time you get a step further, just celebrating those small wins, if you get one more line of code to run, take a step back and say, this is awesome, this is great, because you're going to need that to keep yourself motivated to move forward. So don't always look towards that end goal, because there never actually is one. There is no end goal in this industry. You're always going to keep moving forward, but take some time to really pat yourself on the back and be proud of what you're trying to do, because most people, the majority of people, can't even open up the command prompt and run a print hello or an echo hi. They don't even know how to do that. 


So give yourself some credit, build your network, be resourceful, and you're going to see your progression take off like a hockey stick. Because what you're going to do is you are going to be able to jump ahead of those hours, days, weeks, months of the person who you're asking the help from, the struggles they had to put in to get to where you're trying to get to. And then once you get there, pay it forward, find people who are in the same spot and help them do the same thing. 

And you're going to not only help yourself, because you're going to get better at talking about these subjects and figuring out how to teach them, but you're also helping our next wave of people who are trying to get into the industry get better, land those first jobs and make our overall world safer. Because at the end of the day, that's what we're trying to do. We're trying to keep people safe. And we're trying to make sure that people aren't getting compromised, their money is not getting stolen, and, God forbid, people aren't getting killed. We're trying to make sure that stuff doesn't happen.

Andra Zaharia: Such a powerful and energizing perspective. Thank you for your generous insights, for your examples, for all the energy and your fully engaged presence that you gave us in this conversation. I really appreciate you. I can't wait for people to discover more of your work. So make sure you follow Tim on LinkedIn and make sure you also engage in those conversations and not just look at them. It's okay if you're a lurker. We all are sometimes, but it's even better. It gets so much better when you actually are there and when you actually show up and talk to people. Thank you so much, Tim. This has been a great conversation and I can't wait to share it with everyone.

Tim Connell: This was great. I hope to do more, and as much as I just want to make sure people are getting better or happy, try to do the things that are pushing their careers forward.

[54:00] Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us, one question at a time. Thanks for wandering through this maze with us as we tackled the nitty gritty, flipped misconceptions on their heads, and maybe, just maybe, made you rethink some of the things that are important to you. This has been the We think we know podcast by Pentest-Tools.com. And before I sign off, keep this in mind: there's always a backdoor, or at the very least, a sneaky side entrance. See you next time.

© 2013-2024 Pentest-Tools.com