Friday, May 6, 2016

Professional Development Methodology

Most hackers/security analysts have been exposed to the 'Hacking Methodology.' In general, it is as follows:
  1. Perform Recon
    1. Passive
    2. Active
  2. Enumeration
  3. Exploitation
  4. Privilege Escalation
  5. Exfiltration
  6. Persistence
You can argue semantics all you like, but skilled hackers/penetration testers/security analysts will follow these steps, and the more determined the attacker is, the more time they will spend in recon and enumeration. This is where most of hacking is done, and, to create an analogy to professional development, it is where you should spend most of your time hacking (read: developing) yourself. In addition, your professional development results are directly correlated to how much time and effort you put into yourself, just like spending time researching your target before you exploit.

So, you're here, reading this post. What is it that you want to improve? Where do you envision yourself in 1, 5, 10 years? How do you do that? Recon!

Passive recon for professional development, especially when it comes to the computer security industry, is very useful. Read blogs, read books, listen to podcasts, and learn about the industry. Who are the big names? Why are they the big names? What are the basics of the industry? This extends outside of hacking or computer security! If you want to be a musician, you start learning how to read music. If you want to be a doctor, you start learning biology.

Active recon for professional development would be more participatory. So, in the computer security industry, it would be participating in CTFs, or downloading Metasploitable and running some exploits. You are still honing your skills and solidifying your baseline understanding. Extending this to other industries and professional development in general, it becomes the Nike slogan: Just do it. If you want to be an artist, just paint. If you want to break into the finance industry, start by budgeting your own finances.

Active and passive recon will be a permanent part of hacking and professional development, and no matter what, you should always spend SOME time in this area so you can continue to learn and improve upon new skills.

Enumeration, in terms of professional development, will be listing out what you want to/need to work on in order to become a professional, IN YOUR TERMS. That's the most important part. What do YOU believe, based on your passive and active recon, that you need to accomplish to push yourself forward? Only you can make you a professional, only you can push yourself to accomplish what you want, and only you know where you stand on any individual skill. So enumerate them and then perform more passive and active recon if necessary.

Now, it's time for everyone's favorite part of the hacking methodology: Exploitation. What is exploitation when it comes to professional development? It's your first shot. Your big break. Your first painting sold. Your first taxes filed as a CPA. Your first patient as a doctor. Your first computer exploited with MS08-067 (if you don't know which exploit that is, add it to your passive and active recon). This is a very important step and also where a lot of people fail. Lots of people can't take rejection of their ideas, business plans, or pieces of art. You MUST be able to take this rejection. Something that helped me deal with rejection is understanding that I am as much of the product as what I do, which includes this blog! I am confident in my knowledge and what I've learned and I believe it is worthwhile to spread my knowledge. My first post on this blog got 10 views. Only 10, but there were people from three different countries that viewed it! I choose to focus on those individuals across the world that may or may not have been influenced by my first post rather than the fact that only 10 people saw it. Your rejections make excellent stepping stones to your ultimate success.

Lastly, privilege escalation, exfiltration, and persistence can all be combined, when it comes to professional development, as professional maintenance. You are the best you in the world. So be the best you and continue to be the best you the world has ever seen. Continue to do recon, continue to actively enumerate future steps in your journey, continue to step outside of your comfort zone and show the world what you can do. Every failure is something to learn from and every success is something to celebrate, but you are never done. Use the Navy SEAL 40% rule: when you think you're done, you're only 40% done.

So, all you hackers out there who want to become more professional or develop yourselves, keep this analogy in mind and, as Offensive Security says about their OSCP certification, Try Harder.
