
>>1. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well known tools - what other tools are often used by pen testers?

I think those + your typical scanners (Nessus, Nexpose, etc). One gap I know of is proper organizational tooling. I.e. how do you store your results / reports / findings in an effective manner to be consumed downstream by other tooling. For us, it was a big uplift to standardize how our pen testers store and score results. We ultimately ended up settling on a numeric score rather than "High", "Medium", "Low", etc. and mapping back to CWE.

>>2. How is MFA beaten in today's enterprises?

I think there are a variety of ways -- the biggest gap I've seen is improper configuration. I.e., not properly enforcing MFA on all aspects of your application. What if I steal your session and call the API to disable MFA on your account? Are all of your forms / pages / etc. accounted for? Or just your home page?

>>3. Do most engagements assume one is already in the network? If not, how does one scan (basic OSINT towards their externally facing website, but let's assume that is very secure)

There are definitely multiple levels of how tests happen in larger enterprises; we have some pivot from external to internal (both virtually and physically external, e.g. getting past physical security). So it really depends on how big your budget is and your paranoia level :)

>>4. How well do pen testers know the defense side and the amalgamation of so many defensive tools - how do they learn what to beat? Is it really as simple as trying to fingerprint and then looking for known vulnerabilities on msf? Or do pen testers not care if xyz enterprise is using this version of Palo Alto or a Carbon Black EDR etc.?

Some testers come from engineering backgrounds and have deployed the tooling in the past and know a bit about it. We've even found vulnerabilities in some of the defensive tooling and products themselves. But I've enforced a policy of not caring for my organization. Controls fail, new techniques come out, tooling becomes outdated.

We do factor defensive controls into the localized "prioritization" score for how we make developers and engineers prioritize what to fix, but ultimately, our pen testers do not care. Not to say that's the same for everyone else.

>>5. How do you keep up? Aside from Reddit

The "massive" banks have a lot of great user groups and information sharing -- personally, I keep up by constantly developing in my free time. If I'm not a great developer, then I'm not going to be great at what I do now.

>>6. Any advice to future job seekers working their way into learning more infosec?

Don't focus too much on being the most skilled hacker. Focus on the field you want to work in, and target the types of attacks and vectors that would be relevant to that area. Too many testers I interview are only focused on "look at how quickly I can place a shell on this box!" vs. talking to me about how "as a bank, you are more likely susceptible to physical attacks on ATMs and tunneling through some approved firewall rules to the core infrastructure; here's how I'd scope out some of the issues and pivot from there".

Granted my view is from more of an executive level than an actual tester these days, but I still have my share of fun finding things broken across the environment and discovering vulnerabilities and flaws :)



This is an amazing reply I am going to read a few times! Will hit you up on your e-mail!





