When Coalfire’s director of offensive cybersecurity, Pete Deros, starts a job, the first steps seem almost cinematic, like scenes from a thriller.
The work begins with “scraping” the internet, social media, and the dark web to build profiles on CEOs, execs, and IT managers. Maybe an admin is posting about a brand-new authentication technology that Deros can tinker with. Maybe a CEO is on vacation and the team can use that detail in a help-desk call that results in some high-profile credentials.
The efforts are all part of the penetration test—a practice many security experts recommend annually and one that demonstrates an organization’s risks and exposures. Companies pen-test for multiple reasons, including to prioritize fixes, support a vulnerability management program, and meet compliance standards.
But at some point the movie ends, and the job goes from penetration to presentation.
While hired hackers require creativity and technical skills to find security flaws, pen testers who spoke with IT Brew also praised the importance of communicating findings clearly to execs with a range of technical knowledge. Presenting the risk is as valuable to an organization as finding a crafty way in.
“It’s not just finding the vulnerability,” said Alberto Rodriguez, managing security consultant at GuidePoint Security. “It’s really showcasing the impact.”
Reporting for duty. Deros creates two reports: a description of vulnerabilities found and exploited (geared toward the IT teams and CISOs who understand them) and an executive summary that’s more anecdotal than technical—i.e., Here’s what we found, and here’s how it can affect your company.
The latter presentation calls for effective communication:
- Show your work. Don’t lead with the highly technical details of a flaw—show the loot. “Instead of saying, ‘Hey, we found an open port with an XYZ vulnerability; we got domain admin,’ I can tell them, ‘Hey, we exploited XYZ vulnerability on this port. Not only did we get domain admin, but we were able to exfiltrate copies of your secret recipe and get employee W2s.’ Now we’re communicating risk efficiently,” said Jonathan Broche, director of penetration testing at MorganFranklin Consulting. It’s not about communicating the details of the bug, but articulating the broken business process that enabled the bug, Rodriguez said.
- Stay organized. Broche uses a spreadsheet that pairs each finding with the IP address it was observed on and a recommendation, like replacing the obsolete, exploitable web-traffic encryption protocol SSL 3.0 with TLS 1.2.
- Practice, even in front of a mirror, Rodriguez said, so you can articulate risks effectively to a large group with varying levels of technical knowledge.
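As an added illustration of what the SSL 3.0 to TLS 1.2 recommendation in such a spreadsheet looks like in practice (this is an example written for this page, not configuration from the article or from any of the firms mentioned), here is an nginx server block in its weak form beside the corrected one. The host name and certificate paths are placeholders, and the two blocks are alternatives: only one would be deployed at a time.

```nginx
# Added example, not from the original article. Assumes nginx built against OpenSSL.
# Host name and certificate paths below are placeholders.

# BEFORE (the finding): SSLv3 and TLS 1.0/1.1 are still offered, so a client can be
# negotiated down to SSL 3.0, which is obsolete and has known padding-oracle weaknesses.
server {
    listen 443 ssl;
    server_name example.internal;                      # placeholder
    ssl_certificate     /etc/ssl/certs/example.crt;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.key;  # placeholder
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;         # weak: SSL 3.0 still negotiable
}

# AFTER (the recommendation): only TLS 1.2, plus TLS 1.3 where the OpenSSL build
# supports it, can be negotiated. SSL 3.0 is no longer selectable at all.
server {
    listen 443 ssl;
    server_name example.internal;                      # placeholder
    ssl_certificate     /etc/ssl/certs/example.crt;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.key;  # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;                     # corrected: modern protocols only
    ssl_prefer_server_ciphers on;                      # server picks the cipher order
}
```

A defender closing out the finding would reload nginx and then re-verify that SSL 3.0 is refused, for instance by re-running the same protocol enumeration scan the tester used (nmap's `ssl-enum-ciphers` script lists the protocol versions a server will still accept), so the spreadsheet row can be marked remediated with evidence rather than on trust.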
While none of the pen-test pros said they experienced blowups from clients, findings can occasionally lead to defensiveness and disbelief from execs. Ultimately, a pen tester needs to have a skill that’s not easily acquired: customer service.
“We’re ethical hackers, but we’re consultants first,” Broche told IT Brew.
Hacking, after all, isn’t like the movies.