Pentest Diaries Ep.9: Talking Certifications with Heath Adams

Welcome and happy Cybersecurity Awareness Month!

In this edition of Pentest Diaries, we were thrilled to bring Heath Adams onto the podcast! We wanted to chat about an all too familiar topic, certifications. Heath recently started a company that is facilitating the hands-on approach to certifications.

So, we wanted to pick his brain. On entrepreneurship, on certifications, and on his views of the educational landscape of training others.

Watch the video here:

Below are timestamps for some of our questions, but let’s get into some of the highlights!

00:56 Who is Heath Adams? 02:33 Current state of certifications 07:18 Comparison to other certifications 10:50 Which courses are people taking? 17:20 How do we recognize certification worth? 21:28 Who/How to mentor 23:35 Benefits for senior pentesters 27:08 Closing statements

Why start TCM Security?

We started out the conversation by asking Heath when he realized he should make TCM Security a thing?

Heath responded, “I was working as a pentester for another company and we continuously were getting people/clients coming over there saying ‘Hey, we heard of Heath. We saw him on youtube - or social media, and we want him to do our pentesting.’ The company I was working at provided no kickback for that, no commission, nothing - so, the wheel started spinning as, ‘Hey, if they’re getting all this money and I am just over here doing all this work - why can’t I get some money out here for doing the same thing?’”

This was a great illustration of the importance of caring for your workers. The acclaim that one person has is their own, and should always be taken into consideration. Heath utilized his own following to then create a support for others, when he himself wasn’t being supported.

Certification Standards

To continue, we decided to dip into Heath’s feelings on the current standards for certifications. Cybersecurity certifications can be both a method for individual growth and a barrier for someone’s career path.

Heath brought up his own path into pentesting stating, “I went the really traditional route of getting some IT experience, get your OSCP, go interview, and get the job. I realized very quickly after getting my OSCP, that I did not know the majority of the questions they were asking me during these interviews. They were asking me about how to hack Active Directory, or do internal pentesting - which wasn’t covered at all, at the time. (Also) How to do web application pentesting, which was lightly covered. …And some of the methodology which even for external pentesting - it’s not scan, find vulnerability exploit, it’s very much do open source intelligence gathering, gather information about the company, and use that intelligence against the company.”

This points out the sort of static teaching that certifications bring to the market. We are currently in need of testers with dynamic skill sets, but fail to give them that critical edge. A certification shouldn’t represent a person’s ability to memorize vocabulary, but actively engage in the process.

Heath believed that the ROI on most certifications is getting your foot into the interview, not necessarily preparing you for it.

Providing Dynamic Training

I wanted to know what TCM courses provide that deviates from other counterparts. Training for previous certifications made me aware of how much organizations try to pack into their course schedules.

Heath answered, “The courses that I put together were meant to be all the things I wish I knew, prior to going into the industry. So, teaching Active Directory pentesting - that was one of the initiatives I went out there and found, like I was looking at the top selling courses on Udemy…none of it was teaching Active Directory. I literally learned how to hack Active Directory off a blog post and slapping that together, and throwing it out into the wild just to see what I could do.”

As of 2020, Microsoft is still a leader in identity management within the Gartner Magic Quadrant, and is said to be used by 90% of the fortune 1000 companies. The ability to have hands-on experience with testing one of the world’s most widely used domain management and authentication services is pivotal - but is lacking.

What Makes a Good Certification?

The question is, “How do you make a certification that engages participants in the proper discourse, but also develop skills needed for these technical interviews?” The goal shouldn’t be providing a test to pass, but a test that can emulate the functions you will utilize in your role.

When discussing this subject Heath explained, “You go through the whole process as-if it were a pentest. The engagement models an external and internal pentest from a network perspective, so there is that open source intelligence gathering. We have to go out and research the employees of the company you are attacking, and use that against them to break into their network - and from there, pivot and go against what is a fully patched Active Directory network.”

By comparison, there are certifications that take a hands-on approach. The unique element TCM’s PNTP (Practical Network Penetration Tester) certification adds is an exposure to an engagement that throws you into the wild yourself. This is conceptually different from what I’ve experienced or heard of before.

Heath also added, “Once you do that, you write your report - you go through the reporting phase to perform a debrief in front of someone from my team - usually me, but some from the team - and tell us what you found, what recommendations you have for us. Like, we are your client and what you would be doing through the full experience of a consulting role.”

The debrief is the real winner for me here. It is one thing to write a report with remediations, it is an entirely different approach to added client interactions into your testing methods.

Pivoting into Pentesting

It is important to contextualize who is taking these tests. You could say, “Anyone trying to get a job pentesting.” However, that skews how these tests should be performed and who they are marketed to. People are coming from a multitude of backgrounds that don’t include IT.

Heath stated, “When I talk to people, I almost don’t expect them to come from an IT background, always. It’s always, ‘Hey, what were you before you were a pentester / what were you before you were in IT?’...Half the time, the person never started in IT. They were doing another career before they wound up over here.”

Having a foundational knowledge of underlying technologies is important. What is impressive is being able to create training and certification from the ground up, in respects to a pentesting frameworks.

Creating and believing these in-depth skills are not so far out of reach for junior enthusiasts.

That isn’t to say the information that security practitioners learn is not inherently difficult, but paths towards actively enaging these skills need to be fostered. More time in terminals, and less time in indexes.

For Those Without Certs

A lack of certification does not mean you lack skill. It means you haven’t proven it to anyone, yet. Skill still remains an ambiguous concept to different places that are hiring for general pentesting. Which leads users learning the ins-and-outs in a desperate search for focused material.

“It comes down to how we evaluate the individual. With the bigger companies, especially, you are getting put through a filter. If you don’t meet ‘X, Y, Z criteria’, then your resume gets tossed out. …What it comes down to is the ability to have soft-skills. …If you have the ability, building a home lab, having a blog, going to conferences/volunteering at conferences. Really, what it comes down to is you’re planting seeds. You’re planting awareness about yourself and your networking."

For more information about TCM Security or Heath Adams, please refer to the following link.

Thank you for joining us again!