Chapter 4: Blue Team Careers

With the help of many people in InfoSec who kindly gave me advice and quotes, I have created a perhaps overly simplistic listing of common InfoSec roles in today’s market.

For each role I have listed a brief summary of what the job does, where these jobs can be found in the (primarily US) workforce, some suggestions for breaking into the role, as well as some common misconceptions about it. I also requested a person who currently works in each of the roles to provide me a brief quote on how they reached this point in their career and what is enjoyable about their role. Immense thanks to everybody who helped. You should follow all of these peoples’ fantastic feeds.

As a caveat, many of these roles are somewhat simplified and condensed. This is an overview, and this chapter could go on much further (and perhaps it will in the future). It is intended to give people new to the field a brief explanation of the types of jobs that we do as InfoSec professionals.

[If you currently work in one of these fields and wish to contribute an additional quote or comment, please DM me on Twitter @hacks4pancakes and I will do my best to accommodate you if possible, in a timely manner.]

 ==== SECURITY ANALYST ====

 What this job does:

Today, work in a Security Operations Center is a very common entry point into Blue Team InfoSec roles. Entry-level Security Analysts (or SOC Analysts) frequently do shift work in around the clock monitoring centers, monitoring security logs, responding to SIEM events, and performing security ticket handling. In a good work environment, this role should give the analysts a solid foundation in InfoSec work to move on into a more specialized role in one to three years.

Where are the jobs:

Managed security vendors, and medium to large organizations and agencies.

What gives a candidate an edge:

Showing keen outside interest and involvement in InfoSec (especially on the resume). Good certifications to have are Security+, Network+, or GSEC. Degrees are a plus.

Avoid this trap:

Ticket farms with no opportunity to learn. A good analyst role will offer formal and informal training and the opportunity to gain certifications as part of the position. It will also clearly offer the analysts the opportunity to shadow and cross train across multiple roles.

Personal career story: https://twitter.com/mcl

“Trained as a psychologist. Worked through school in IT. Spent 20+ years doing sysadmin/etc., before there were dedicated security positions. It was just part of the job. Refocused last year, decided I wanted a dedicated security position. Interviewed at several employers, got offers from all. Wound up as an analyst with CERT/CC. Interest, passion, and relevant (but not direct, paid, titled experience) pays off.”

==== FORENSIC ANALYST ====

 What this job does:

Forensic analysts are best known for recovering hidden and deleted data from hard drives, but today the role often includes lots of memory, mobile device, and network forensics. As opposed to ediscovery roles where forensics is limited to recovering evidence to be used in legal proceedings, on the security side, forensic analysts make up half of the “DFIR” team and figure out and report how digital devices were compromised, infected, or abused.

Where are the jobs:

Managed security vendors who provide DFIR services, medium to large organizations and agencies, computer crime investigative services.

What gives a candidate an edge:

Curiosity and a drive to investigate. A solid understanding of how operating systems, hard drives, and memory function extremely helpful. Forensic tools are fairly specialized, so exposure to commercial tools like AccessData FTK and Guidance EnCase are a plus if possible (they’re expensive). Memory forensics is woefully under taught in forensics degree programs and is now nearly a requirement, but the associated tools are generally free (such as Volatility Framework, Rekall Framework, and Mandiant RedLine). Good certifications to have are GCFE, ENCE, GCFA, GCNA. Most of the vendors named above provide formal training programs on their products.

Avoid this trap:

Believing the hype about steganography. Even law enforcement rarely sees it. But I’ve seen it as a senior capstone or conference talk subject more times than I can count. Forensics is not CSI: Cyber. It is painstaking, time consuming work, often involving hours of reading through file indices.

Personal career story: twitter.com/hacks4pancakes

“I started coding at a very young age, but I quickly realized my passion was at a lower level on systems, from computer hardware to the operating system. My interest in forensics was piqued as a teen when I read a Popular Electronics article on hard drive function and data recovery. I read all the (3) books that existed on the topic at the time and decided I desperately wanted to become a computer forensic examiner. Unfortunately, at the time, it was a very rare career that was not taught in universities. After many failed attempts to network inside the law enforcement forensics field, I started applying for entry level jobs. This seemed impossible after many discouraging interviews because I had no hands on experience with the expensive corporate forensics tools. However, I was still involved in the hacking community, and a friend of a friend eventually got me a security analyst job that allowed me the necessary experience with critical tools to move on into a forensics heavy role.  The best part of my job is starting with nothing but evidence, sifting through it, and building a story of what happened on the device until conclusions can be drawn.”

 ==== INCIDENT RESPONDER ====

What this job does:

The other half of the “DFIR” team. When a breach or major security event occurs, this person coordinates the response and recovery teams, establishes a timeline of what happened, and figures out how to respond to it with the aid of other security roles, management, lawyers, and IT. Incidents can vary from data breaches to malware outbreaks, to phishing or APT response.

Where are the jobs:

Medium to large organizations, security contractors who provide DFIR services.

What gives a candidate an edge:

This job requires good analytical, organizational, and communication skills. Candidates need to be able to work well under high pressure and high stress situations at odd hours. This is not a job for people who don’t like to manage a project or a team, or report to senior leadership. Good certifications to have are GCIH and CISSP.

Avoid this trap:

Taking an incident response role when you aren’t comfortable taking charge and maintaining control of a situation, or writing extensive formal reports. You must have self-confidence and leadership skills to fulfill this role.

Personal career story: twitter.com/Githur

“I used to work for a major shipping company. I hated the work. I’d do 60 hour weeks at weird hours and was unable to advance because of degree requirements.

I had an acquaintance that I played golf with that offered to float my resume around since he knew I had some technical skills. It took about a year before I heard back from him about a job.

He called me up one day to ask if I was still interested in working for him. I’d be writing tech policy and assisting with certification and accreditation work.

It was there that I learned I was making crap policy and had no clue if what I was writing had any sort of basis in reality. No one could tell me how any of the systems worked or if what I was writing would even be effective.

So I started looking into learning this stuff for myself. I stated teaching myself the anatomy of breach and what to look for during an intrusion event. The quality of my policy went up. It wasn’t overly restrictive but provided the required level of security. It started to get noticed.

After that, I was invited to help with network architecture on a small project. Again, I had to teach myself everything but I was working with more experienced people that loved the work I was doing.

Eventually that project ended and I was looking for work. It was only then that I fully got my start in info sec. I was hired to do enterprise security appliance integration. Take a SIEM and integrate it into a client environment.”

Personal career story: twitter.com/bond_alexander

“I got into infosec my moving laterally through related jobs. I’d built some websites as a hobby, so I got a job doing web programming. I entered the US Cyber Challenge and made contacts that let me get into QA at a security company, which let me play with malware and the like. From there, I was able to move to a security role at a fourth-tier social network, and from there to SOC work at Mandiant.

Key features that helped me was self-driven training, finding jobs that included things that I could do and things that I wanted to do, and hitting up the types of companies that were willing to take a chance on someone with low experience and drive to learn.

What I like about IR is how things are constantly changing. I’m always researching, exploring, learning. Always new challenges”

==== MALWARE ANALYST ====

What this job does:

Malware analysts figure out the nuts and bolts of how malware, adware, and hacking tools work, what their capabilities are, write signatures for them, and may attribute them to a campaign. They perform live, or heuristic analysis (meaning they run the malware in a sandbox and carefully analyze system changes and traffic), and static analysis of the code itself (which may be written, hidden, and packed in a way that purposefully makes this very confusing and time consuming.

Where are the jobs:

Larger organizations, cybercrime investigation agencies, antivirus and malware research firms.

What gives a candidate an edge:

Strong programming skills, especially scripting and assembly code. Strong network traffic analysis skills (you’ll be identifying and decoding lots of malware traffic). Experience with sysinternals tools and equivalent. Excellent analytical skills, and lots of patience. Good certifications to have are GREM or CREST CMRE. Previous exposure to writing IDS or Yara signatures may be useful.

Avoid this trap:

Assuming malware analysis is entirely heuristic or signature-based. Sandboxing alone is not adequate. You should understand assembly and programming architecture well in advance to succeed at this job.

Personal career story: twitter.com/da_667

“So I figure I’d add my experience for breaking in to infosec. My background is in datacenter operations. I was a former sysadmin. My break into information security was knowing how systems work and studying for certifications to demonstrate that I had foundational knowledge enough for someone to take a risk on me. My key to success was to never stop putting myself out there and never stop submitting my resume. I know it seems lazy and banal, but study and persistence paid off for me.”

==== SECURITY ENGINEER ====

What this job does:

Security engineers are what most people think of when they hear that somebody works in network security, but today the job goes far beyond firewall management. They manage and update security appliances and rulesets. They may also keep data storage, tools, and log feeds working and useful for the other security roles listed. In today’s security world, they’re usually the people who manage SIEMs and security log aggregation tools. Sometimes security engineers are even responsible for scripting new tools and API integrations.

Where are the jobs:

Today, most organizations and agencies (that do not outsource these tasks) keep security engineers or system administrators with security engineering experience on staff.

What gives a candidate an edge:

Excellent systems administration skills, in Windows, CentOS, and Linux. Strong scripting skills (such as Python or Ruby). A general knowledge of security operations, practices, and applications. Certifications and training will vary by the specific position, as security engineering roles can specialize further. Some examples are SIEM and security appliance specific training through applicable companies like Cisco, Splunk, RSA Netwitness, Juniper, Blue Coat, Palo Alto, or HP ArcSight.

Avoid this trap:

Becoming too tied to a single platform or vendor. Falling for the ‘magic black security box’ sales pitch by a vendor without proper research. Avoiding open source tools entirely, or conversely, avoiding commercial tools entirely.

Personal career story: twitter.com/Phreaklets

“I broke into infosec because I have been interested in the field since reading “Cyberpunk: outlaws and hackers on the computer frontier” in 1991 and 20 years later I found myself working on an Internet of Things project in the same office as the guy who ran the Security team. We had lots of great security-related chats and one day I asked him: “hey, I’m interested in getting into security, can I join your team?”. He said: “Sure!” and the rest is history! 🙂 Being in the right place at the right time made all the difference.”

==== AUDITING AND COMPLAINCE ====

What this job does:

Security auditors and compliance staff evaluate and rate security programs and check organizations’ compliance with local, national, and international laws and standards. These standards can be required by law or merely ones that the organization chooses to strive for. For example, in the US, required standards include PCI for payment processors or HIPAA for medical records storage. Most formal security standards have regularly scheduled formal and informal inspections of documentation and procedures. Auditing and compliance staff perform these inspections, ensure compliance and improvement, and report their findings to leadership or regulatory agencies as required.

Where are the jobs:

Medium to large businesses, regulatory agencies, contract-based auditing firms.

What gives a candidate an edge:

Excellent organizational and report-writing skills. The ability to communicate courteously and diplomatically with all levels of an organization. Specific knowledge of applicable standards. Good certifications to have depend on the situation, For instance, the PCI Security Standards Council offers their own assessor certification.

Avoid this trap:

Assuming these jobs aren’t technical or demanding. In fact, many of these jobs require lots of travel (for on-site inspections), and a solid working knowledge of a wide array of security devices and concepts.

Personal career story: twitter.com/mjharmon

“Being an effective Auditor can be one of the most rewarding and visible positions within an organization as your work product makes it in front of all levels of management up to the board of directors and is based on: evidence (policy and process), legal fact (regulation or policy mandated standard), and verification through security testing. The core of all IT Audits is controls and residual risk. If you enjoy technical challenges, making well formed evidence based (legal) arguments, and enjoy reading legalese then you’ll love Auditing.

I started out as a UNIX/Linux Systems Administrator in the early 90’s and learned how much I didn’t know after reading through the Rainbow Series ([0],[1]) which I obtained after reading the alt.2600 Usenet FAQ, making what I thought was a prank call to the National Computer Security Center requesting a copy of the series. Surprisingly, the operator was happy to send me the series and they arrived a couple weeks later giving me an encyclopedia of material to read. After reading through the series, I became interested in other standards
such as ISO 17799 (Security Techniques) and 15408 (Common Criteria) and the NIST 800 series (Computer Security Guidelines), and became infatuated with evidence and investigations.

These two interests: standards and investigations, became my foundation for becoming an Auditor. After my first gigs as an IT Auditor I quickly learned that organizations would try to fake their way through an audit
so I applied my systems administrator knowledge and learned how to exploit systems after being told during a final presentation of findings that a control was in place that I knew was not applied. So, during the meeting I demonstrated the exploit I’d used to verify the lack of patching.

I soon learned exploiting things to provide controls weren’t in place was Red Teaming or Penetration Testing, which I see as a variant of IT Auditing – proving controls are not in place. Later, during a Penetration Test I’d discover that a system was already compromised and that would move me into digital forensics and incident response.”

==== THREAT INTELLIGENCE AND RESEARCH ====

What this job does:

Threat researchers study attackers and their methods, and try to quantify their tools, tactics, and procedures (TTPs). This means observing and reading reports of attacks, and not only identifying ways to better detect the attackers, but attempting to predict their next moves based on behavior or world events. In some situations, threat intelligence analysts may also be asked to attempt attribution of attacks to a specific organization or country.

Where are the jobs:

Large organizations, cybercrime investigation, threat research firms

What gives a candidate an edge:

This is one of the backgrounds that is harder to obtain. Many of the best threat intelligence analysts were prior government or military intelligence staff and were formally trained as such. In lieu of this, a strong background in political science, foreign languages, or international relations along with strong security analysis skills can be useful. As one would expect, good report writing skills are a must.

Avoid this trap:

Relying only on open source feeds of intelligence data. A good threat analyst is regularly identifying who might target their organization or customer based on current events, industry, or high value targets in their environment.

Personal career story: twitter.com/3ncr1pt3d

“I don’t have a comp sci degree or tech certs but I’ve been slowly working on them via EdX. My interest ignited when I read an online newsletter by Kaspersky. I didn’t know what half of it meant but it mentioned Stuxnet. The concept of nation state threat actors, tailored viruses, etc had me hooked and I went searching Google to learn more. But things really happened when I went on Twitter and literally fell down the rabbit hole that is InfoSec. I haven’t come back out. Everywhere I looked there was a link to learn something. I started by reading all the online content I could. And discovered online learning for free. Then, I read the bios of people I admired to see what their skills and advice were, and got up my nerve to ask questions. I followed the guys on Twitter who were finding stuff live and reporting it. I asked questions, and looked up what I didn’t know. I value beyond words my network of friends now on Twitter. The world opened up. As well, I made my own blog to share info at the ground level because I understood to well how it feels not to “get it”. When Shellshock/Bash hit, I became the go-to person in our office. From there, I launched a weekly team security briefing, and posted that news to share with clients on our sites. From there, I pushed for the security analyst/researcher role in my company. And I’ve carefully drafted a security plan we will roll out to our clients based on the wealth of knowledge I found from my resources here in InfoSec.

My strengths were more communications and learning, so I played to those to build up technical knowledge. And I was asked to contribute to online blogs, which was very gratifying. I could learn and contribute to this community! Perhaps the most amazing experience has been attending Cons. They inspired my blog about the learning and community that happens when we get to do face to face time. I listen carefully to where needs are, to look for where I can share my skills or knowledge. Or where there is an area needing more people to grow their skills. Currently, I’m working on becoming our key resource on Cloud Security, and pursuing a niche interest in Mainframe security.

I love the people I’ve met, that learning is everywhere, and that the work we do really matters. Everyday we make a difference. This is all I could ever want.”

==== GOVERNANCE AND POLICY ====

What this job does:

Finally, we get to the directors and executives of the security space. This is rarely a ‘breaking in’ point for people new to infosec, but it occasionally happens as skilled people in other areas of technology or policy management are picked to lead security programs and groups. These folks develop and maintain the fundamental security posture and procedure for their organizations, taking into account international law, industry standards, and corporate requirements.

Where are the jobs:

Most organizations of moderate or large size, particularly government and those which deal with sensitive data.

What gives a candidate an edge:

Extensive experience in managing resources and people, solid understanding of a broad range of IT concepts including security.

Avoid this trap:

Losing touch with the information security community whilst relying on vendors or agencies for critical news. The fastest way to know what is going on in the security space is to attend hacking conferences, watch social media and blogs, and participate in research and training. I can’t count the times I’ve met a governance executive who still thinks Def Con and its ilk are made up entirely of criminal hackers and refuses to attend (at the expense of great training and current knowledge).

Personal career story: twitter.com/catalyst256

“I’ve worked in IT for 20 years now ever since I left college (in the UK that’s when you are 18). I’ve always had an interest in Security ever since I watched the movie Sneakers when I was a teenage. Four years ago I decided to dedicate some time to improve my skills in Security. I created a training plan (which I soon ignored), started stalking people on Twitter (security people), and started a blog to chronicle my journey. I’ve taken part in UK Cyber Security, written magazine articles about some of my coding projects, run workshops at conferences, written tutorials and tried to contribute to a community that at it’s heart wants you to succeed and is willing to share its time and experience with you. A year ago I moved into a security role at my current employer, I know do technical security as well helping define and build the companies Cyber Security Strategy. I also work for UK law enforcement helping fight Cyber Crime. I love security, it’s the biggest puzzle you can get in IT. It’s like a ever changing, challenging and exciting rollercoaster ride that makes me glad to go to work everyday.”

==== IDENTITY & ACCESS MANAGEMENT ====
(Many thanks to Christina M)

What this job does:

As an entry level analyst you will most likely manage day-to-day processes around an existing I&AM/IDAM solution. As a senior analyst/architect you will design, build, test, deploy and implement I&AM architectures. This includes centralizing and automating firm-wide access control processes via an IDM tool which includes on-boarding/off-boarding, access requests & approvals, automation of flows, future integration of applications, maintenance of IAM technology infrastructure, app and user store integration. In this position you will interact with mostly every department in your org from senior management to associate.

Where are the jobs:

Professional services, government, financial services, technology companies, consulting and outsourcing industry.

What gives a candidate an edge:

Solid IT and technical background, system architecture, design and implementation, business ops and controls. Also, staying away from silos. Learning about other areas in information security/IT and the business. Also communication! If you understand how to translate business requirements into IT requirements and highlight value propositions from a risk/privacy perspective you will succeed.

Avoid this trap:

Believing that certifications like the CISSP/CISA alone will give you the experience and knowledge that you need to succeed. They will not. The best way to learn is hands on.

Personal career story: twitter.com/divinetechygirl

“Trained in information technology and network administration. While attending university, I interned at the computer lab and landed a help desk/desktop tech shortly after. After graduation, I went on to work as a Jr. network admin where I honed my skills in server administration, server implementation, network upgrades, troubleshooting patch panels, implementing VOIP. I got an opportunity to work in IT security for a financial co in 2007. While I didn’t have formal infosec training at the time my previous experience and understanding of network implementations & keen interested, landed me the job. I then learned about Identity and Access management frameworks, risk governance, centralization of access management, RBAC, access certification & automation. Went on to implement a full fledged identity and access tool and process at a fin org in 2012. Never be afraid to ask questions, try something new and take chances.”

==== SECURE DEVELOPMENT ====

What this job does:

Endeavors to ensure that software, devices, or apps are developed with good security in mind from the bottom up. Identifies deficiencies as products are developed and tested and acts as a resource for the development team.

Where are the jobs:

Any reasonably sized organization that develops things, from software, to SCADA to operating systems, to devices which will connect to the IoT.

What gives a candidate an edge:

Excellent software or hardware development and engineering skills. A good understanding of how the product type being designed could be practically exploited. Certifications not only in developing the device or language, but securing it (for example, GWAPT, GSSP-.NET, or the CSSLP). This can vary widely by what is being engineered. Some devices or software might need to conform to government or industry security standards.

Avoid this trap:

Believing that you will always win the security argument with developers and management, even when your argument is reasoned and evidenced. Assuming that every project you will be asked to will be designed with security in mind from dayone (sometimes it will be tacked on later at the expense of overall security).

Personal career story: twitter.com/voodooKobra

“Way back in 2002, I decided to start building dynamic websites in PHP for hobbies of mine. (I was in middle school at the time.) Some of the folks in one of the communities I was trying to contribute to were very toxic, so I kept getting hacked. I quickly caught onto how they broke in and started learning how to stop more advanced attacks. I found myself on websites like HackThisSite and EnigmaGroup, but I always felt outclassed, so I just kept reading, learning, and writing better code. And that kept going on for years: Read, learn better habits and strategies, rewrite entire websites from the ground up, rinse and repeat. In 2013, I decided to start contributing to open source projects on Github. I quickly identified some flaws in the cryptography code used by CodeIgniter, Kohana, etc. that seemed really obvious to me (timing attacks on the HMAC verification that shielded the unserialize() in their session drivers from being a remote code execution vulnerability), but whose team members did not find so obvious. I had a similar experience with Facebook’s SDK developers (which I wrote about https://paragonie.com/blog/2015/10/coming-wordpress-4-4-csprng …). Recently I published Halite, a PHP library that serves as a user-friendly wrapper for libsodium to make high-speed cryptography accessible for PHP developers and I’m pushing to make libsodium a core PHP extension in 7.1.

Being a secure developer is challenging; you have to exist at the cross-section of keen information security awareness and still be able to keep up with people who write software full-time. But it’s also incredibly rewarding, as long as you learn this lesson earlier rather than later: People who specialize in secure development are incredibly rare. Things that seem obvious to you might not be.

The one thing I like most about my job is that I get to take rare knowledge (in my case, cryptography engineering) and apply it in areas where it would otherwise not touch (i.e. web applications)..”

---

---

Chapter 5: Red Team Careers

 

==== PENETRATION TESTER (TRADITIONAL)====

 What this job does:

 Pen-testers are the folks who simulate a real network attack on a target to identify their security flaws and vulnerabilities. They can look for these vulnerabilities across a wide range of platforms and architectures – from traditional networks’ DMZs, to SCADA systems, to complex internal networks. Their job is to play the bad guy within well documented rules of engagement, and report back to their employer what was discovered. Entry level and intern pen testing is a starting point for many people moving into ‘Red Team’ roles.

 Where are the jobs:

 Medium to large organizations, smaller organizations which handle highly sensitive data, contracting firms which provide these services.

 What gives a candidate an edge:

 Extensive knowledge of multiple operating systems’ operation, including command line, authentication, and permissions. Solid knowledge of networking. Knowledge of social engineering tactics. Comfort with common hacking tools like the Kali distro and its installed packages. Experience with Metasploit / Armitage / Cobalt Strike is useful. Good certifications to have include OSCP and GPEN, with specialized certifications and experience in specific systems as required.

 Avoid this trap:

 Thinking that penetration testing will be the rock star job the media makes it out to be. This isn’t an episode of Leverage. Except for when it is, occasionally. Penetration testing is a lot of work that involves legalities, meetings, and lots of paperwork. There are usually heavy restrictions on what pen testers can attack and when. The job can also be travel heavy for contractors.

 Personal career story: twitter.com/J0hnnyXm4s

“I have landed every single InfoSec-specific job I’ve ever gotten via making friends in non-Professional contexts. Game nights, house parties, book signings, poker games, bartending. . . when you allow your career to flow from organic, human interaction (as opposed to forced professional contexts), you have a much higher chance of ending up somewhere you actually WANT to be. You’ll click with your team (and possibly the company) better, you’ll be naturally motivated to work simply because you care, and this will likely lead to you hanging around a company longer, racking up that sweet, sweet vacation time. All of this stems from dropping the shop talk and the constant immersion in InfoSec, and saying ‘Hey; I’m just people, and you’re just people, and maybe us people can get something done somewhere by just being people together.“

Personal career story: twitter.com/dan_crowley

“I was going to school in Boston, knowing that I was going to go into computer security. My university required two coop terms for the degree, and I was lazy about the first one, so I did a term in a computer repair shop. For the second, I was determined to get a coop at a security firm. I searched around for all the local security shops, then cold called them asking if they had coop programs. There was some forensics shop, [redacted], and Core. The forensics shop had no coop. I interviewed with [redacted] and they turned me down.

So, when I went to Core, I compiled sanitized reports from freelance pen testing I’d done, presentations I’d given at a security meeting I organized on campus, and writeups of bugs for which I had CVEs. I laid them all out in front of the guy interviewing me, talked him through each one, and asked if he had any questions.
He smiled approvingly, nodded, and said I certainly seemed to know a lot about security.

He then asked me what I knew about marketing. It was at that moment I learned I was interviewing for a marketing position. I put my head in my hands and explained the misunderstanding. The gentleman across the table from me said that he’d be willing to give me the position, and that in any down time I had after doing marketing work, I could do security research. I accepted, and within a month, I’d scripted away all my marketing work, essentially resulting in being brought into a security research position. I impressed enough people that I ended up in a pen testing role, starting my career in infosec.”

 ==== PHYSICAL PENETRATION TESTER ====

 What this job does:
Similarly to a traditional, network-based penetration tester, a physical penetration tester tests an organization’s non-computer security measures. This can include evading guards, locks, or cameras to reach a target, breach a defense, or conduct a network penetration test from inside a building.

 Where are the jobs:

Due to the nature of the job, physical penetration testers almost exclusively work on a contract basis for other organizations.

 What gives a candidate an edge:

Knowing locks and security systems inside and out. Being great at social engineering people and playing a role even when circumstances change rapidly. Potentially the full network penetration testing skillset, as well.

 Avoid this trap:

Expect to travel. A lot. Engagements can be days or weeks long, and can even involve pretending to for days work at an organization you’re trying to exploit. Don’t expect the job to be constant fun and games. There’s lots of reconnaissance and research that goes into breaching a building’s security, and plenty of reports to write afterwards. Expect to potentially be arrested or even go to jail before your employer or contracting agency can clear things up legally.

 Personal career story: twitter.com/deviantollam

“I made the move from “conventional” INFOSEC work to Physical Penetration when one client had a sysadmin rage quit.  We were called in to pop the domain controller and re-establish access for the company, but upon arrival learned the server room was locked (and the key had left with the ex-BOFH).  As they “awaited the locksmith” I offered to simply open the door for them.  They allowed it, we easily got in, used the pnordahl toolkit to give them back their admin accounts, etc.  But it was the door-opening that floored this client the most.

“Show us that again!” they entreated, and we spent another two (billable) hours just walking around their facility, explaining how their doors could be picked or bypassed. Knowledge that for me was merely a fun hobby turned out to be valuable to clients.  That’s the most key element of establishing yourself in some security sphere: figure out a weak surface that no one is protecting (because they don’t yet think to) and learn to be as well-versed as possible in that vein.

Then publicize your findings and share knowledge with others.  My associates and I would never have become known as go-to people for locks, alarm systems, elevator access controls, etc, had it not been for our talks at conferences and training at places like Black Hat and SANS, etc.

In that regard, I have to offer huge thanks to people like Heidi Potter, Bruce Potter, Beetle, Jeff Moss, Ed Skoudis, John Strand, BernieS, and many other conference organizers who encouraged their events to host lockpicking and other physical security content from me before I was as well-known.”

==== VULNERABILITY RESEARCHER ====

What this job does:

Vulnerability researchers study products and software in great detail to find hardware and software vulnerabilities so that they can be fixed in a timely manner.

Where are the jobs:

Medium to large software companies, hardware engineering companies, vulnerability research organizations. (Many vulnerability researchers are self-employed and work for bounties.)

What gives a candidate an edge:

Excellent computer science and/or electronic engineering skills (depending on the target products). Excellent reverse engineering skills. An intense desire to research and understand how things work.

Avoid this trap:

Assuming anything about gaining this career as a legitimate form of employment will be easy.

Personal career story: twitter.com/EdwardPrevost

“I started with computing at a young age. My uncle (a professor) gave me C and BASIC texts. I read them. Having only school computers, I mostly theorized and scribbled on paper. Years later my father purchased an IBM Aptiva (~1994), and established dial-up access into the RPI network. Shell and MUDs became my home amongst RPI students. The knowledge I would gain from those late night experiments would shape my future. A future in vulnerability research. Through keeping a Socratic approach to all things computer related, I established a variety of friendships and contacts within the InfoSec Industry. Having a passion for identifying, and proving out flaws in applications and devices drove me through the, sometime very annoying, monotony that can be research. I began consulting on-the-side while attending school for Biology, and was given some amazing opportunities with Albany Medical Center, NYS Prosecutors, and GE Global Research. Those opportunities lead to the expansion of fellowship I had within InfoSec, and exposed me to a wide variety of specificities within the industry. That exposure solidified my calling of research; and I haven’t looked back since.”