A Passion for Pen Testing

July 22, 2019 • Zane Pokorny

Our guest is Jason Bernier. He’s a penetration tester, working to help organizations ensure their systems are secure, and helping them understand where their weaknesses may be. He’s got some insightful stories to share from his work, along with practical advice for folks looking to find their place in the industry. To be sure, it’s serious work, but there’s no question Jason is passionate about his job, and he has a good time doing it.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 117 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Jason Bernier. He’s a penetration tester, working to help organizations ensure their systems are secure, and helping them understand where their weaknesses may be. He’s got some insightful stories to share from his work, along with practical advice for folks looking to find their place in the industry. To be sure, it is serious work, but there’s no question Jason is passionate about his job and he has a good time doing it. Stay with us.

Jason Bernier:

I started getting into security about 20 years ago now. I started with the military. Got my roots, foundations doing a lot of IT work, a lot of grunt work on the help desk, and then working my way up to being the sysadmin. And eventually, at some point, I got recognized and I was sent to a security school where they ended up having me doing a lot of vulnerability assessments. Just kind of plugging things and making everything … Just patching everything. Viewing reports and just sending them out to our higher up. Once I got out, I just continued down that path and eventually got to where I’m at now where I’m doing pen testing and red teaming full time.

Dave Bittner:

Now when you headed into the military initially, was this what you had your sights set on?

Jason Bernier:

No, I had no idea what I wanted to do. When I joined the military, it was on a whim, honestly. I had gotten a postcard in the mail one day and it was from the Navy and it said, you can go on submarines, you can be a Navy SEAL, you can do this, you can do that. So I filled out what I liked and the recruiter called me like two days later and I think two days after that I joined and I was supposed to be doing radio communications.

Dave Bittner:

But I suppose it worked out, you did find something that was interesting to you and you’ve been able to continue that career?

Jason Bernier:

Oh definitely. I enjoyed it a lot. I got to learn all kinds of different things. I got to do radio, I got to do IT, and then I got to do security. And it gave me a solid pathway for where I’m at now and gave me clearance and everything else I needed to make my way into pen testing.

Dave Bittner:

Now how do you contrast the work that you’re doing now versus the work you were doing in the military? Is it still the same sort of stuff, but you don’t have to wear a uniform every day?

Jason Bernier:

Well, yeah. Well in the military I didn’t do pen testing, it was just vulnerability assessments.

Dave Bittner:

I see.

Jason Bernier:

And it’s come a long way. I mean this is 20 years ago, so security’s not, it’s not today what it was back then.

Dave Bittner:

How is it different?

Jason Bernier:

Nobody took it seriously back then. Back then I wasn’t very good at it, either. So it’s not like I was this expert at it. I just was running tools and then running reports, but it gave me a solid foundation.

Dave Bittner:

So what sort of stuff are you doing these days when it comes to penetration testing? I mean to the degree that you can describe it to us, what’s your day to day like?

Jason Bernier:

My day to day is pretty hectic for the most part. I didn’t realize how much work I was going to be getting into. This client has thousands, thousands of systems and they all have to be done every year. So at any given time I’m doing five to 10 different pen tests. And it’s everything from scoping everything out to contacting the system owners and getting scheduled to actually doing it and then performing the pen test and reporting.

Dave Bittner:

Now for folks who may not be familiar with what really goes into penetration testing, I mean how do you describe it?

Jason Bernier:

How would I describe it? Well, it’s just doing a lot of scanning and enumeration of the systems and seeing what’s vulnerable and then trying to actually exploit that. And if you can, record your steps so that they can be reproduced when the customer receives it and then they can have an idea of how to fix it. And in addition we give them suggested mitigation techniques and what we think they should do to fix it to prevent it from happening in the future.

Dave Bittner:

Now are you doing anything on the social engineering side of things as well?

Jason Bernier:

Occasionally we could do some phishing. We’re not authorized to do any phone calls or anything like that. I’d be interested to see how many people would actually fall for that these days, but we’re not authorized to.

Dave Bittner:

What is your assessment in terms of overall when you look at the vulnerabilities that you encounter, how much are our folks keeping up on things like patching and making sure their systems are secure?

Jason Bernier:

It really depends on the customer. I’m doing a pen test today that I actually started yesterday. I did the same client a year ago, and lo and behold, there’s still the same vulnerabilities there. They really haven’t mitigated much, and in addition they opened up some additional holes because I found something else and I got shells from a different avenue.

Dave Bittner:

Now is there a standard suite of tools and techniques that you use as a starting point when you’re going to do your testing?

Jason Bernier:

I just start with Nmap or things that are built into Kali. Being with the government, they don’t put a lot of money into certain things like that. We do get some software that’s the pro version, like Burp Suite or something, but there’s not a whole lot that we get. So everything’s pretty much open source.

Dave Bittner:

Do you ever run into stuff that surprises you, that you didn’t really expect?

Jason Bernier:

Yeah, I remember doing an assessment a couple months ago and it was a pretty well known vulnerability. And when I got in, all I had to do was see what permissions I had and lo and behold I had root. So I was just surprised that somebody would just allow that process, which should have been running as a low-context user, to run as root instead.

Dave Bittner:

Wow, that’s interesting. Now you mentioned that with some of your clients, you get to go back, it’s an annual thing. You’re revisiting systems that you’ve visited before. Do you find yourself saying, “Oh, I remember these folks,” and, “Oh good, they’ve patched up this,” or, “Shame on them. They still have to take care of these things”?

Jason Bernier:

Yeah, I keep all our reports, so before I go back and do something, I review them all and then that’s the first thing I’m going to try is something I did before and see if they bothered to patch it.

Dave Bittner:

Now you have a number of certifications as well, to your credit. What do you see the benefit there is for investing the time and getting those?

Jason Bernier:

The biggest one that I got was the OSCP, and that’s definitely opened some doors for me. It got me noticed and got me interviews, but it didn’t get me the job. The experience and my frame of mind and just passion for what I do is what got me the job. At least that’s what I think.

Dave Bittner:

And what’s your strategy when you go into an interview?

Jason Bernier:

I just try and be myself and answer as best I can. I don’t like to lie and I don’t like to pretend like I know something. If I don’t know something, then I’ll be up front about it. But I’ll try and come up with an educated guess from what I know and then see if I can come up with an answer or at least have a conversation so that the person I’m interviewing with has an idea of what my skill set is.

Dave Bittner:

Yeah. Now in terms of your own team and team building and working with the folks around you, do you have a particular style with those sorts of interactions?

Jason Bernier:

Well, I have one other team member. It’s just two of us doing all these pen tests, but we are pretty … We have the same type of personality. We get along pretty well. Both down to earth and grounded I think. And neither of us have an attitude or we don’t think anybody is better than anybody else. We’re just trying to help the customer and stay passionate and prevent anybody else from getting in who shouldn’t be there.

Dave Bittner:

I want to switch gears a little bit and talk about threat intelligence, which as you know is a topic that we cover here on this podcast. What part do you think threat intelligence plays in organizations’ ability to defend themselves?

Jason Bernier:

So we have a team that does that, that does a lot of research and I think it’s pretty good because they send out emails several times a day when new things come out. And it can help the users on our networks to see what’s going on. They may not know that there’s some sort of phishing campaign going on and they may click on a link, but if they had seen that, maybe they wouldn’t. So I think it’s a pretty good idea to have them do their research and send things out and so that everybody is aware and just has a general idea. And maybe that 1% will stop something else from happening in the future.

Dave Bittner:

How much of the work that you do, or I guess your approach to advising people for how to defend themselves, I mean obviously there’s the technical side of it, but there’s that human side as well where people need to be trained?

Jason Bernier:

Oh, most definitely. I think that’s probably the biggest part of what you see today is most people are falling for some sort of phishing scam. I can’t even tell you how many times in the past I have sent out emails to trick users into clicking on things. And I remember doing an assessment three years ago and I sent out an email that was preying on the users’ fears, knowing that if they didn’t do their training, they would lose their internet access on the network. So I sent out about 50 emails. I think I got 40 something shells back.

Dave Bittner:

Wow. Wow. Yeah. I heard, one conversation I was having with someone who was … He was tasked with sending a message out to some folks in the military and he said all he had to do was bring up the specter of them having trouble with their retirement or that sort of thing. And everyone responded.

Jason Bernier:

Oh yeah, nobody wants that retirement … When it comes to money, nobody wants to mess with it, so people will click on it.

Dave Bittner:

Yeah, that’s fascinating. What sort of advice do you have for people who are looking to pursue a career similar to what you’re doing now? Do you think that education is important, or the time in the military, getting the certifications? What sort of words of wisdom do you have?

Jason Bernier:

For me, I really thought that my military time helped me out because it gave me the clearance and it just opened doors for me as far as meeting people. But education is always a good thing. It’s not going to get you the job, it’s not going to give you experience, but it’ll show that you can do something and stick with it for the long term.

The certifications, that makes you study a certain topic, again, it’s not going to get you the job. What’s going to get you the job, I think, is having a passion and doing things that you’re not expected to. Like behind me is my lab. So when a new exploit comes out, a new vulnerability, I’ll load it up and I’ll start learning how to do it. And nobody tells me to do this. It’s not something that I’ve been tasked to do. It’s just something I do because I want to learn. I want to know more.

So I’m always downloading new VMs or I’m on Hack the Box and trying to exploit those VMs and things like that. So the biggest part is just having a passion, just wanting to learn more, just getting it done and getting into it and showing that.

Dave Bittner:

Yeah. Staying current and being able to keep up with everything.

Jason Bernier:

Oh, definitely. Being current and just knowing the latest exploits. It’s happened to me plenty of times where something new came out while I was in the middle of an assessment and it was all I needed to get past what I was doing.

Dave Bittner:

Do you have any stories, any particular incidents that stand out that you found particularly interesting or entertaining?

Jason Bernier:

Yeah, that same assessment where I sent out all those emails, got a bunch of access back. One of them happened to be an enterprise administrator. They were smart enough to have separate accounts for their admin, but this admin user, we were able to get his credentials. And so it just amazed me that an enterprise admin was doing this.

And then they had known that a red team was coming because we were watching his chat and he was chatting with one of the other admins saying, “Weren’t those red team jerks coming?” And so he started writing a script to try and deco one of our scripts that was going on. And every time he was writing the script I was entering keys in there to prevent him from doing it. As long as he was, trying to delay them. Because as soon as he figured it out, we got blocked.

Dave Bittner:

Ah, interesting. Interesting. So you’re playing a little cat and mouse with him.

Jason Bernier:

Yeah. Yeah. At that point it was already too late. I was just trying to get my team more time to download some things. I mean we already had enterprise admin and had the golden ticket and everything.

Dave Bittner:

You bring up an interesting point. How many folks know that you’re coming?

Jason Bernier:

They’re not supposed to know. Sometimes it gets leaked when it comes to red teams. Pen testing, I don’t care that you know. I mean we’ll have a sit down with the client and their technical people and then I don’t care if they patch. That’s fine. But when it comes to red teaming, there’s maybe a handful of people that should know, but sometimes it gets leaked out.

Dave Bittner:

Yeah. It really sounds to me like on top of keeping up with your technical chops and keeping people safe, it sounds to me like you’re having a lot of fun. Like you enjoy the work you do.

Jason Bernier:

Oh, I definitely enjoy it. I’m learning something and I’m doing something that you’re not supposed to be typically doing. And knowing that if you were, if it wasn’t my position, if I was just some random guy and I could get caught, it’s just that kind of thrill. And ultimately I am helping and I’m making a difference as far as trying to keep people out.

Dave Bittner:

Yeah. It’s interesting to me, too, because with the work you do, you have that get out of jail free card. But it must be fun knowing that, like you say, it’s fun to sneak around. It’s fun to know that you could, even though you’re not going to, but you could use those powers to get in and poke around, even though you think better of it.

Jason Bernier:

Oh definitely. It’s a thrill and there aren’t … When I was with the red team before, there were some assessments where some of the cops on base didn’t even know that we were supposed to be there. So there’s always that element that you could get arrested and taken into jail. And I mean you had your get out of jail free card, but it’s always that you don’t know what these people know and you just had to go along with what they say. And then once you’re reprimanded, they take your credentials, they’ll see that you’re actually supposed to be there, verify your authenticity.

Dave Bittner:

Our thanks to Jason Bernier for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
