Maybe it was just me, but when I first started pen testing, I thought my goal was to do cool hacks and show the client how awesome I could be. Seriously, I couldn’t be the only one who thought this. It could just be that we work so hard and learn so many things that we come to believe our job is to show off our skills.
To some degree, that’s true. But I think that problems arise when we hold on to that belief too rigidly. When we hit a lull in our career, fail to compromise multiple clients in a row, or feel that we aren’t growing fast enough compared to our peers, it can lead to many negative emotions: impostor syndrome, depression, feeling like a failure.
Based on LinkedIn and Twitter posts, burnout and impostor syndrome are spreading amongst practitioners of all skill levels with no signs of slowing down. Some of my favorite influencers are working to shed light on these problems, such as STÖK (@stokfredrik), who often mentions mental health.
This post is really a mix of mental health awareness and understanding your true purpose as a pen tester. If you think your job is to be an elite hacker every time, you are wrong. And you could be harming yourself over time by maintaining this belief.
For example, let’s take a look at a typical pen test. You are given five days to break into a network with millions of dollars for a budget, defenders watching your every move, and rules of engagement that restrict the types of attacks you can do. The odds are stacked against you every time you get up to bat in the game called infosec.
Now compared to the real adversaries who have all the time in the world and no rules of engagement, your job seems nigh impossible. Good. It should.
As a pen tester, your job is to look for impactful issues given constraints on time, the consultant’s skills, and the scope of work. These are three significant things to remember: time, skills, and scope. We are extremely limited in all three resources.
You may only have forty hours to test an environment with thousands of computers. Or forty hours to test a handful of devices that are fully patched with no services running. Time can make all the difference, or none at all, depending on the case.
In terms of skills, a pen test is meant to test an environment against currently known adversarial techniques from a perspective chosen by the client and using the skillset of the assigned consultant. Yes, you are a part of that equation.
Although we use computers well, we are not computers ourselves. There is no way to know every attack ever created. And an environment may not lend itself to the skills we do know. This is the cold hard reality. Mature businesses know this as well. One of their requirements is to use a different pen tester every year to take advantage of practitioners’ varying skills.
Some businesses even design the scope of the pen test so that the consultant finds minimal issues. When jobs are on the line, people will do anything to save their own skin. For example, I had one client who placed my testing appliance on an isolated network. All internet-facing systems were out of scope, and phishing was off-limits. What could I do? Nothing. I confirmed that I shouldn’t see anything and produced a report with minimal information.
My point is that as ethical hackers, we are at a disadvantage, contrary to what the blue team says. Pen testing is hard, and especially difficult for junior-level roles with less developed skills. I just wanted to bring awareness to the issue we all face and let people know they aren’t alone.
Take vacation days. Find a hobby outside of computers. Stay positive and keep growing. Infosec is a marathon, not a sprint.