Interview - Fletcher (Cybersecurity Consultant)
"Stop thinking about what something is designed to do, start thinking about what it can do, and how you can use that to make it do what it shouldn't." - Fletcher
Fletcher is another Aussie friend of mine who happens to work in IT. This interview is more focused on the job side of things. I think it's pretty informative and well worth reading. He works as a corporate cybersecurity consultant and I think he has a good perspective to pass on.
Cyrus: Alright, so the way that this will work is that I'll ask you some basic questions and we can branch out if the answers permit it. Don't worry too much about making spelling errors or wording things in a weird way, I'll fix that before I post. Before we get started, do you have any questions for me?
Fletcher: Not really.
Cyrus: Let's start at the basics as usual - What are your interests in the tech sphere?
Fletcher: I'm a jack-of-all-trades person, I'm not one to have a single specific interest. I do everything from game development, to pentesting, to malware development, and have dabbled in operating system development.
Cyrus: I'm the same way myself.
How old are you now? How old were you when you first got interested in tech? Was there any sort of inciting incident that made you go "Hmm, this is interesting. This is something I want to get into"?
Fletcher: I'm currently 21, I got interested in tech when I was around 10 years old. My grandfather gave me his old laptop when he purchased a new one. I started programming in batch (as I'm sure a lot of people did) and started getting into C# programming when I was 12. At first it was simple programming like game development and creating my own programming languages/interpreters, I only started getting interested in cyber security when I was about 16.
I initially got into programming because I like to tinker with things and figure out how they work and programming was just a way for me to understand how computers work. Then when I got bored with learning how computers work, I decided to weaponize that knowledge and learn how to make them stop working or do something they're not meant to.
Cyrus: Did you ever dip your toes into the "black hat" scene?
Fletcher: Well, that depends how you define "black hat". ;) I've definitely participated in not-so-legal activities, I don't know a single pentester who hasn't. But not for any kind of personal gain.
Cyrus: Fair enough I guess. Can you describe some "not so legal activities" you've participated in?
Fletcher: I'd love to, however I would rather not admit to anything that could get traced back to me.
Cyrus: Again, fair point. Didn't consider that haha. Can you describe what got you into those kinds of things?
Fletcher: When I was in school, I was assigned a project in IT class to create a website that utilized a MySQL database. I decided to create a mini social network that allowed for posting text and pictures, commenting, following, and messaging other users. Because my school blocked Facebook, I would have the server running on my laptop during school and my friends and I would use it for basic communication. It was a way that the teachers couldn't intercept. But being the bad programmer I was back then, it was vulnerable to SQL injection, XSS, and other attacks. I didn't even know what SQL injection and XSS were, I was just mucking around with the website when I realized I could make it run code and do things that I didn't intend.
I spent a weekend researching some basic web app pentesting techniques and I was able to upload PHP backdoors and wrote a script that could extract every private message any user had sent to each other. That was my first experience with pentesting and from there my passion for it grew.
Cyrus: How have your goals shifted over the years?
Fletcher: Initially, I learned pentesting to do CTFs. I got a couple friends interested and every now and then we'd go on Vulnhub and spend a Saturday (or possibly the entire weekend) doing CTFs. However as soon as I found out that I could make money working as a pentester, my focus went from playing CTFs to learning skills that could be applied to a work environment. That's when I started branching out into network pentesting, reverse engineering, malware development, and other fields of study.
Cyrus: How much of what you know now is stuff you've learned from self study? Have you taken any official classes? If so, what were they and what were they like?
Fletcher: I learned a lot from YouTube, forums, and CTF write-ups. A lot of what I do today for work I learnt years ago. However when I graduated school and started looking for a job as a pentester, I realised that I would have to invest in a certification. I started with the OSCP however I found it too difficult for me at the time, so I took a step back and did my eJPT and was offered a job once I finished that. I've also started my eCPPT and am still technically doing my OSCP, however I am not qualified in either because I haven't taken the exams. I no longer feel the need to take the exams because the experience and knowledge I've obtained from my job far outweighs anything I would learn in those courses. There are better ways I could spend my time.
Cyrus: Are there any particular YouTube series/videos, forums, or CTF write ups you can recommend to people?
What does the eJPT consist of and was there any particular study material that you used to help you pass it? Do you have any advice for anyone considering getting a cert?
Fletcher: I can't remember any YouTube series or specific forums, becoming a master Googler is a skill I highly recommend, however Vulnhub and HTB are my two favorite places when I want to do a CTF.
The eJPT consists of basic network pentesting (Metasploit and nmap) and basic web app pentesting (Burp Suite, XSS, SQL injection). There wasn't a study material that helped me, I think I studied for a total of 4-5 hours before starting the exam because I already knew all of the content. I wouldn't recommend the certification for those who are just starting, it's a waste of money since everything taught can be found for free. However, it's hard to communicate your skills to employers without certifications. The only reason I did it was to have something on my resume.
If you want to get into pentesting, there are many, many free resources at your disposal these days. Don't bother paying for a certification like eJPT or OSCP if it's only for learning purposes, you can find all that information online for free. But certifications are required when searching for jobs unfortunately.
Cyrus: So you mentioned you're working professionally now. What's your work and what does it consist of? What sort of tools do you use on a day-to-day basis?
I know from our personal conversations that there's some things you can't mention, but I'd appreciate it if you could go into as much depth as possible.
Fletcher: I work as a full-time Cyber Security Consultant. It's not strictly just pentesting, I do a range of things, however pentesting is what I do the most. My work also includes configuration reviews, code audits, software development, anything that's cyber security related.
In terms of pentesting, the tools I use the most would have to be Burp Suite, nmap, and OpenVAS. The majority of my pentests are web applications, for which I only use Burp Suite. I also do a lot of corporate network pentesting which involves OpenVAS, nmap, Mimikatz, lots of PowerShell knowledge, and writing my own malware. When it comes to corporate pentesting, there's only so much you can do with pre-made code. If you want to get anywhere and be undetected, you have to learn how to write your own or at least modify malware.
Cyrus: What sort of things do you find yourself programming? What languages do you use the most?
Fletcher: I unfortunately can't give away too much information because a lot of my software development is for confidential projects. However the languages I work with the most are Python, Go, and PowerShell. Python is my go-to, it's such a beautiful language and it can do just about anything I need it to. However, being interpreted, it has its limitations. If I need a compiled language, I'll turn to Go. For a compiled language it has a really friendly syntax and is great for cross-platform applications. And PowerShell is only used for writing malware during corporate pentests.
Cyrus: What does an average day for you look like?
Fletcher: I wake up at 5:30am to get ready. Leave home at 7am to be at work by 7:40am. Although my work doesn't start until 9am, I like to get there early. I then work for the day (I don't have an "average day" as a consultant, I'm always working on new projects with different clients). Leave work at about 6:30pm even though my work technically ends at 5pm, I like to stay back to avoid traffic. I'm home by about 7pm to lounge around eating and watching Netflix until bed time around 9:30pm.
Cyrus: Are there any misconceptions about your job? Is there anything you wish you knew earlier or things you were overly concerned about?
Fletcher: A big part of my job is being prepared for anything. I could walk into work one day and be assigned to start a new pentest that day, or be told that a pentest was cancelled. My job is too unpredictable to plan more than a couple days ahead, I just have to walk into the office prepared to do whatever is required.
Cyrus: Clearly, someone needs to be able to be adaptable in order to do that job. What other skills might someone need that aren't all that obvious?
Fletcher: You need good English skills. This is something that a lot of people overlook, however it's a critical part of my work. Pentesting is only half the job, you then have to write a detailed report. You could be the greatest pentester in the world, but if you're unable to effectively communicate your results to your client, you've failed. You need to make sure that your English skills (or whatever language you're working in) are the best they can possibly be. This is something that I've struggled with in my professional career, I'm even taking private English tutoring to help with that.
Cyrus: How important are social skills in your job?
Fletcher: They are very important. Knowing how to communicate with clients and work in teams is a critical part of my job. Sure you could work as a solo contractor and create your own company, but you can only get so far alone. Knowing how to work well in teams and having good communication skills is how you build a career.
Cyrus: Do you have any advice to someone who might struggle with their social skills or might have social anxiety?
Fletcher: Find some way to manage it. Maybe that involves seeing a psychologist once a month, or playing sports, or even some gaming. Everyone is different so there's no solution I can give that will work for everyone, but if you are truly dedicated to become a pentester, you'll find your own way.
Cyrus: Do you have any general advice to anyone getting into this field? Any protips or anything?
Fletcher: Learn as much as you can in as many different fields of study as possible. In the past someone could get away with just being a web app pentester, or a network pentester, however these days there's a shift towards general consultants. You need to have the skills to adapt to whatever challenges are thrown your way.
Cyrus: Where do you see yourself 5 years from now? How do you picture the job landscape changing in that time period?
Fletcher: I have no clue what the future holds for me. I don't even know what I'm eating for lunch next week let alone my professional career in 5 years. Maybe I'll still be working at my current company, maybe I'll go solo, maybe I won't be living in Australia anymore. The flexibility of this job is one of the things that attracted me to this line of work. However, with the way things are going, there'll definitely be more and more work for those interested in cyber security. I think the job landscape will definitely be looking for those who have a wide range of skills. As I've already said, in the past you could get away with being specialized, however with the increasing amount of different technologies, I'd recommend learning as much as possible and to keep learning. IT is such a fast-changing area that the skills learnt 5 years ago may not be applicable now, and the skills you learn now you may not use in 5 years' time. You just have to keep learning and adapting with whichever direction IT goes in.
Cyrus: What sort of skills and mindset should someone wanting to go into this field have?
Fletcher: Stop thinking about what something is designed to do, start thinking about what it can do, and how you can use that to make it do what it shouldn't. To work in pentesting, you definitely need to have a "hacker's mindset". You need to be able to look past the documentation of what something is designed to do, and start thinking about how it does that and how you can weaponize what it does to your advantage.
Cyrus: I believe that concludes all the questions I have for you. Do you have any closing statements, anything you'd like to mention, or anything you would like to say to anyone who is reading this?
Fletcher: Don't be a skid or prepare to get yote. [Inside joke]
All jokes aside, don't get cocky about being a pentester. There's always more to learn, there's always someone better than you. Understand your limits and work to expand them.