Tips for an Information Security Analyst/Pentester Career - Ep. 97 - To Be a Better Consultant, Learn from Your Mistakes

 Intro

Hello, my readers, I know I haven't been very active lately, though I've been wanting to push technical content for a while.

I intend to come up with a post or a series showing the anatomy of an AD engagement, demoing how I'd go from zero to (hopefully) domain administrator. I'm working a crazy schedule and at the end of the day I feel depleted of any energy, especially over weekends, however I want to do this. One important thing I learned is AD engagements are totally random, meaning you can sometimes easily enumerate users, find misconfigurations and enumerate the hell out of that domain. Other times, instead, there's not a lot to go around and I wasn't even able to find a valid password.  So, my idea is to demo attacks against a domain without knowing in advance what I'm gonna find. Hopefully, I'll be able to set aside some time to configure a local domain in my infrastructure. 

I'm also struggling with studying CRTO and, by the way, if you guys know about a study group for it, please let me know.

The Core Idea

But enough digressing. 

Lately, I've been inspired by a Tim Connel's series of posts titled "Do you want to be a great pentester?" and came up with some ideas of mine. I like the guy and his contents and I mostly agree with his views, but I'd beg to differ on a couple of points.

This post doesn't want to be an attack or a harsh criticism of Tim's contents. Man, I admire you and what you do, I only want to offer a different point of view and an additional contribution, open a conversation, if you want. I write this stuff out of passion, I never gained one cent out of it, plus I consider myself a perfect nobody.

My View

I thought of providing a personal contribution about how one can up their game and get better with their craft.

The way I see it, rather than being a great pentester, one should want to become a better consultant.

It's not only a semantic distinction. A security professional can really make a difference only when they can have a dialogue with clients, educating them on the business impact of specific vulnerabilities and on the associated remediation strategies. Clients need to see a security professional as a trusted partner they can count on, not like an enemy shaming their blunders.

Now, pentesters aren't always client-facing. With my prior company, I wasn't. 

I participated in client kickoff and debrief calls but all the communications with the client were managed by my boss, so while I grew a lot in terms of technical background, this ended up holding me back, and I wasn't even realizing how much so until I moved to Optiv.

Now, as far as the client is concerned, I am Optiv, so I need to be impeccable and behave as a subject matter experts, even when sometimes I'm not 100% sure. I'm in charge of the project from start to finish. If a problem arises with the client or technical issues cause hold ups, I'm the one who needs to troubleshoot it with the client, and do it in a professional and personable way. This can pose a challenge when the client's unresponsive and time's ticking off.

As a result, I've accomplished way more over my tenure at Optiv so far than what I had done during the previous four years with the other company.

A consultant is called to develop a culture of service and to strike a delicate balance between keeping clients happy and drawing a line when their demands are too unreasonable. Consultants need to know when a battle is worth fighting and when it's not.

Beyond the different formal job descriptions between different companies, I personally believe that, if we look at the contents of a specific role, a consultant is next level compared to a simple technical tester. 

One can be a technically amazing tester but they don't make a real difference if they can't communicate with the client and explain their findings. Clients will feel frustrated, won't understand the impact of the vulnerabilities found, so they won't remediate them and will rightfully think all pentesting companies are snake oil sellers. Plus, these pentests are all but cheap, guys, so you want to make sure clients have value from what they paid for.  

My Contribution: How To Learn from Your Mistakes

Penetration testing, and especially consulting, is learned by doing. 

The only way to learn is to make mistakes. There's a value in making mistakes, but only if one learns from them and does not repeat them in the future.

For this reason, I've been keeping a file with lessons learned over the years, so I can refer back to them and avoid finding myself in unpleasant and/or problematic situations I incurred in the past. Of course I never include clients names or any references to specific projects I worked, I'm not that stupid. An example entry is shown below.

One tends to forget what happened over a specific engagement years ago, so one could have to face an alike situation repeating the same mistakes. Well, unless one can have a look at the solution adopted previously.

I also take note of how I troubleshot specific error messages, so I don't have to waste hours on a frenetic Google Search, or ask someone the same questions over and over again. This gets people mad, so the more it can be avoided the better.

This simple trick saves time and helps me get better at doing my job.

I'm curious to hear about other ideas I haven't yet thought about.

Feel free to contribute, if you'd like.