There's been a lot of talk around this topic lately. As I've been working to solidify my team's bond, I also have the challenge of helping those interested in getting involved in the offensive security world. This quest has helped me identify some things you might consider when trying to break into offensive security.
Things to consider
Have a well rounded knowledge of "advanced fundamentals"
Being able to sort out basic permission issues or understanding general functionality of major operating systems are not part of offensive security. However, understanding intricacies within operating systems and troubleshooting problems on the fly are. Operators encounter countless complications in the field and rarely are they basic.
Those considering a career in offensive security should have a solid understanding of a wide range of technical topics. A successful attacker doesn't necessarily know all the answers, but definitely takes the time to learn as much about the fundamentals of a target as possible.
Find your niche
It's important to know a little bit about everything, but it's equally important to find a specialty. Offensive security teams are often built around the strengths of the members. Members are often selected when engagements arise that require additional skills being added to the bench. Depending on the service offering of the team(s) you're involved with, bringing relevant expertise to the table is important.
My personal passions lie in social engineering and physical security. Other members of my team are stronger in other areas than I. In the field, weather operating alone or as a unit, we rely on each other for help. Knowing the strengths and weaknesses of the membership, proper preparation, and thorough documentation all allow the team to tailor to the engagement.
Know how to think, research, and study
An offensive security operator doesn't know everything about all the things. Successful operators know how to profile and research a target and study the engagement in preparation. Additionally, they're also able to think their way through unforeseen circumstances and overcome adversity in the field.
No matter how accurate the profile, no matter how much intelligence has been gathered in preparation, problems and unexpected situations are inevitable in the field. Operators must be prepared for everything and still be able to think their way through the myriad of things that can go wrong.
Be hungry for knowledge
You have to want to learn. Everyone wants to be a hacker, to be Neo but not everyone wants to put in the work to bend the spoon. Someone wiser than I once said it takes 10,000 hours to become an expert at something. If you're only learning during the 8-5, that's roughly a 5 year path.
Don't get lazy. Complacence is one of the biggest challenges to offensive security operators. They end up thinking they know it all and stop chasing the dragon, or they burn out along the journey. All too often, offensive security operatives fall prey to the latter, but the former is just as dangerous.
Have a strong work ethic
Offensive security teams typically operate based upon the needs of the engagement. if that means working late nights, early morning, or weekends, then we work when there is work to be done. As a team, members need to be available whenever the engagement requires. It's important that operators are prepared to be dedicated to the team.
This isn't as bad as it sounds. Learning the work/life balance, and learning how to work remotely, come with the territory. My team is expected to be available when it matters but they've also mastered the art of global availability. Weather it means fielding social engineering calls from the beach or conducting a vulnerability assessment from the audience of a school play, successful operators manage the demand of the workload while still trying to maintain a life.
Fourth quarter is the exception to this point. During fourth quarter, offensive security operators should expect to be running full bore with little room to breathe. The cyclical nature of fiscal business means that this is inevitable.
Field Marshal Helmuth Karl Bernhard Graf von Moltke once said "no plan of operations extends with any certainty beyond the first contact with the main hostile force." Nowhere is that more true in the field of offensive security. Neither scope nor plan nor backup plan nor change order can account for the infinite number and combination of things that can go wrong in the field.
Offensive security operators need to accept this and be able to adapt, and overcome, in the field. While process and procedure are important in business, flexibility during an engagement is vital to operational success. The objective is what matters, the means do not- as long as they're within the rules of engagement.
At the end of the day, offensive security is still a business. We must be able to prove what we do (and don't do), and we have to turn all the data into some actionable data that the client can use after. Successful operators live, and die, by their documentation. Not only for self reference, but the team should be able to pick up notes from other members and run with an engagement, if necessary.
Documenting the engagement as it happens, especially when milestones or objectives are met, are vital to keeping accurate record of what happened. The more data that gets collected during the engagement, the more detailed and accurate the reporting and debriefing will be. However you decide to do it, take good notes.
Don't be afraid to make mistakes
Offensive security is a kludge of computer science, performance art, and voodoo. Much of the information exists in available documentation but there is much more to be written. And even when we think we've covered it all, there will still be niches and nuances and caveats that can't be accounted for.
Be willing to take calculated, educated risks in the field. Realizing the objectives are what matter, operators need to be willing and able to take some creative freedoms in the field. This also means facing the consequences of those actions.
Own your attitude
In one of my favorite movies, Training Day, Jake Hoyt (Ethan Hawk) talks about how you can only control your smiles and cries. In the field, attitude and response to adversity are two of the very few things an offensive security operator can control. It's important to maintain this control and to remember that clients are looking to us as experts. If they see us responding poorly or carrying the dead weight of negativity, it will most certainly effect their overall experience.
Don't let the little things get to you. Realize that we live in imperfect chaos and the chances of anything going the way we want it to is highly unlikely, bordering on impossible. The successful offensive security operator maintains composure in the face of frustrating circumstances. The information security community is small and professional reputation is fragile. If the time comes that you're struggling to stay positive, keep your head held high and remember how hard you worked to get where you are.
Don't forget the soft skills
I work with computers because I really don't like people. On the same hand, it's important that an offensive security operator be able to interact with people effectively when deployed on an engagement. At the end of the day, the client is expecting a positive experience. The more pleasant a team makes it, and presuming quality work is submitted, the more likely they are to come back for repeat business.
The offensive security operator is burdened with the responsibility of taking a mass of data, and an often unpleasant message, to a client in a manner which they understand and can relate to. This translation process, in my opinion at least, is one of the single most important components of a successful engagement. Without making the data actionable for the client, the value in the service is diminished.
Advice from a perpetual noob
The sad truth is that not everyone is cut out to do every job. While I will always advocate for everyone having an opportunity to try out for their dream job, it's an indisputable fact that not everyone makes the cut to play in the NFL or to act in a Hollywood film. You have to be more than just "computer literate" to make the cut on an offensive security team. If you're not striving for absolute excellence, you'll be swimming in an endless stream of mediocrity. I believe anyone reading this has the ability to reach the goal of becoming an offensive security operator. Having the drive, however is a different story.
In my final thought, I want to stress that there is more to being an offensive security operator than just breaking things. In the field we are regularly placed in delicate environments with exposure to sensitive data. Morals and ethics are values of paramount importance to the offensive security operator. Degradation of these values may lead to loss of freedom in extreme case, but it will most certainly result in damage to the professional image of an operator. Reputation takes years to build but only moments to damage, and repair is long and tedious.
For those of you working to break into offensive security, I hope these tidbits offer you a little insight into my perspective into the consulting world. As a team leader and mentor, I wish you the best along your journey. As a fellow hacker, I look forward to learning with you!