Been thinking now and then about being on a pen-testing team. Oh how I would love doing that job! So, sometimes I think about the make-up of such a team. How would I design one? Now, I’m not a business manager, so having a 50-person team may sound great but is likely not cost-effective. So, I’ll try to give my take on a “perfect” pen-testing team and their roles, as sketched in my own head. Note that some of these roles can be combined into single people.
The Lead – You need to have a lead person, most likely a very presentable and articulate senior person who will be the face of the team to the client. This person should also have coordination and delegation duties and be almost like a manager, preferably with some managerial experience to manage the team properly, keep them motivated, but also be able to relate to client managers. This is the coach and mentor.
The Interviewer – This role is an expert when it comes to policies, regulations, standards, and interviewing the proper people in a proper way to get definitive answers on a company’s strength with its people and processes and policies. Someone should, at the very least, be able to interview others properly and understand regulations inside and out (COBIT, PCI, etc). This person should be able to evaluate whether reality matches policy. This guy would be as close to an auditor as the team gets, and could also be familiar with risk analysis.
The Writer – Every pen-test includes reports and deliverables, and the more polished those deliverables look, the better. Every team should have someone who is strong with writing documentation, compiling information, evaluating results, correlating the risks to the client, and dealing with information in a constructive manner. This person can also be the information-gatherer who can utilize search engines, DNS queries, and other reconnaissance means to profile a target. Even better, this person should be adept at vulnerability assessments and determining how important particular vulnerabilities are.
The Junior – Let’s get this guy out of the way early. There should always be some new blood on the team in the form of a junior guy. This guy may have any level of skill, but is the one doing the “easier” errands on the team: host sweeps, port scans, vuln scans, password cracking, and coffee-fetching. In fact, this guy can also do some of the widespread repetitive things like exploiting various systems using automated tools and sifting through confiscated data and systems for juicy information, and might also be best suited to help support the systems for the rest of the team.
The Web – Any real pen-testing team should have someone proficient with web coding practices and languages, and the security of them. He or she should be the lead when it comes to source code analysis, web app scanning, fuzzing, SQL injections and queries, and best-practice approaches. A background in web servers and database servers would be beneficial.
The Exploit – Someone on the team should also be proficient with other coding disciplines such as Perl, Python, C++, and so on. They can work with exploits pre-discovered from outside sources and devise custom scripts to discover new ones. This person should also be able to evaluate, fuzz, and test applications beyond web-based ones, such as web servers, email servers, DNS, etc. If a port is open on a server, this member should be the one poking at it the most. This guy should be an expert on buffer overflows (stack and heap) and most likely with malware creation and reversing.
The Packet Hound – Part of any pen-test should include networking devices and information leakage directly on the wire. Packet hounds tend to love sniffing traffic and tinkering with networking devices; they know the ins and outs (and arounds) of IDS/IPS and firewalls, can map the network, and are able to penetrate and evaluate network devices and configurations. This guy should also be familiar with VoIP, phone systems, and wardialing. If you want a meaningful network tap in a crowded server room, this is your man.
The Wireless Expert – Anymore, wireless and mobility are a big thing. It is a benefit to have a team member who is proficient with wireless technologies to evaluate and penetrate the security of mobile devices. This should include PDAs, laptops, and wireless networking.
The Social Engineer/Thief – Any team doing black box or physical assessments should have someone skilled with social engineering. There is no more successful an approach to breaking into a network than social engineering. This person should be adept at the common approaches to getting people to divulge information or do something that is otherwise a security risk, from opening email attachments to holding the door open after a smoke break. Knowledge of lock-picking, physical security alarms, and countermeasures is necessary; perhaps even someone with burgling experience and the willingness to get dirty with dumpster diving. (Note: since this is a rather fun and different task, other team members could enjoy helping out as long as someone on the team can act as a lead expert for this activity.)