Thomas Wilhelm Interview: Nanos Gigantium Humeris Insidentes

“Everyone is a pentester these days…”

In a new age of computer security, the above is a cynical statement I hear all the time. It is
also incorrect. Although compliance and our own security hype may have made
pentesting an every man's job, not everyone is a skilled pentester. Thomas Wilhelm
breaks into systems and documents their security holes for Verizon, and he does one of
the things I think differentiates pentesters from the masses: he contributes back to the
scene.

Thomas runs three projects geared towards teaching pentesting from start to
finish with practical exercises. In addition, he holds MSCS, MSM, ISSMP, CISSP,
SCSECA, SCNA, SCSA, NSA-IEM, and NSA-IAM certs. Two of his projects are
completely free (the De-ICE CDs and Hackerdemia) and the third is so competitively priced
that it makes for a "best value" in the training space (Heorot.net pentest video training). I
wanted to pick Thomas's brain about his vision, opinions, and projects in offensive
security. Here's what he had to say:

Security Aegis: Thanks for joining us, Thomas; can you tell us a little about who you are
and what your history is in the security field?

Thomas Wilhelm: I began my career in information security as a Signals Intelligence
Analyst in the U.S. Army back in 1990. During that time I was trained as a Russian
linguist and Cryptanalyst. After eight years in the Army, I transitioned into the
commercial world working as an ISSO for a secure communication platform sold by
General Dynamics (later purchased by a company called Ezenia) to three-letter agencies.
During my work at Ezenia, I was employed as an ISSO. I currently am a Senior Network
and Information System Security Engineer for Verizon, where I do penetration testing
and risk assessments, as well as project management.

I am also an Adjunct Professor at Colorado Technical University, where I teach both
Masters and Undergraduate courses in IA. I am also working towards a PhD in IT, with a
concentration in Information Security, at Capella University, which has been designated
with the National Center of Academic Excellence in IA Education designation.

SA: What can you tell us about your past projects and how they helped your security
career?

TW: Most of the projects I worked on in the past were under the watchful eyes of the
U.S. Army, so I can’t really talk about it.

SA: Can you give us a high-level overview of your current projects such as De-ICE,
Hackerdemia, and the online Heorot training? How did you come up with the names De-ICE
and Heorot?

TW: The De-ICE project was the result of my assignment as a penetration tester for
Verizon Business (formerly MCI). I had plenty of experience working from a defensive
posture while protecting data, but never from a red-team perspective. I knew about how
to conduct attacks at a high level, but I didn’t have much hands-on experience. I naturally
went out onto the Internet and bookstores to find out how to do things from the other side
of the “fence,” but I found that other than some web-based tutorials, there were no targets
I could practice against. The Hacme series was the only thing around at the time, which
focuses primarily on web-based attacks – not very useful in learning how to attack other
protocols or services. My only option at that time was simply to bang my head and learn.

To prevent others from having to repeat the difficult steps I needed to take to become
proficient in my job, I decided to create LiveCDs that mimicked real-world examples of
vulnerable corporate systems. I intentionally avoided creating LiveCDs with known
exploits, since real-world penetration testing is rarely about clicking a couple buttons and
rooting a system. The De-ICE disks focus on improper procedures or misconfiguration of
servers, which is often how administrative access is obtained in PenTest projects.

The Hackerdemia project came about because of my teaching at the college. My students
needed a platform in which to learn about the different hacker tools in a safe
environment. I teach a course in penetration testing within a college lab, and the
Hackerdemia disk provides a great target in which the students can attack and abuse
without fear of damaging a lab system. As part of their team project, they also write their
own tutorials on different hacker tools, which is then incorporated into a LiveCD
distributed at the end of the class to the students. Even though it’s primarily intended for
my class, I decided to also release it to the public so they can learn and contribute if they
felt so inclined.

The Heorot training courses are used to teach students how to conduct a penetration test.
Unfortunately, most courses simply teach about how to use different hacking tools, and
do not incorporate methodology or reporting in their lectures. The Heorot Fundamental
Penetration Testing course is intended to introduce students to the world of real-world
penetration test projects, using the ISSAF testing framework. Once completed, they are
encouraged to take the Heorot Intermediate Penetration Testing course, which uses the
OSSTMM testing methodology, and requires documentation of the student’s penetration
test, which is then peer-reviewed and returned for corrections. At the end of the course,
the student has a deep understanding of what is required to conduct a professional
penetration test – not just how to use hacker tools.

The De-ICE name was a nod of respect to William Gibson, who described intrusion prevention systems as “ICE,” or “intrusion countermeasures electronics.” The
Hackerdemia name was created to reflect the academic role the project grew up in, and
Heorot comes from the Beowulf poem, of which I am a huge fan.

SA: What are your thoughts on similar projects to De-ICE? (Hacme Bank/Books/Casino,
Damn Vulnerable Linux, etc.)

TW: All those projects have a place, and I use them in my college undergrad courses. I
would also inject WebGoat into the list, since my students seem to really enjoy learning
SQL injections. None of them should be excluded when learning penetration testing,
primarily because there are so few platforms that can teach all the different components
encountered in a professional PenTest. I hope that these are just the beginning.

SA: How would you compare your online pentest courses to other vendors such as
Offensive Security and SANS?

TW: Both of those vendors offer really great courses, and I would encourage anyone to
use them if they have the opportunity – there just aren’t enough courses available that
target penetration testing, and to avoid one vendor over another is doing a disservice to
the PenTester and their client.

The difference between the SANS/Offensive Security and the Heorot courses is the other
vendors do not look at the PenTest project as a whole. This difference has become so
pronounced, that Syngress has contracted with me to fill in that gap, and write a book
specifically on professional penetration testing – from conception to conclusion (due to be
released in late July / early August). While the book will provide information similar to
the Heorot courses, the peer-reviewed report can only be obtained through the online
course.

SA: How do you feel about alphabet soup these days (CISSP, CEH, OSCP, GPEN,
CPTS, NSA IAM/IEM, etc.)? Which credentials do you think hold up?

TW: They are a necessity, in order to get past the human resource filters. They cannot get
you the job, however. Personal knowledge and experience play a critical role in landing a
position in the information assurance field.

The CISSP will undoubtedly be the certification with staying power, primarily because of
DoD 8570.1. The government has a lot of influence in IA, and I expect the certs listed in
8570.1 will become the de facto certs in the commercial world very soon.

SA: What advice would you give to a newbie security engineer turned pentester?

TW: Working behind the system is entirely different than attacking the system. Working
as a professional penetration tester requires a shift in thinking, and requires the PenTester
to think maliciously. The quickest way to shift mentality is to begin practicing social
engineering.

SA: What are your top 5 tools you use in pentesting and what are some up-and-coming
on that list?

TW:

1) CORE IMPACT is by far one of our most-used tools. Although it is very much a point-
click-root type of tool, it saves us so much time in identifying the known exploits.

2) Nessus is a no-brainer as well. The real power behind Nessus is the ability to
create plugins, which can be used to tailor scans that match an organization’s
unique situations and business objectives.

3) Scapy. I love scapy – there has been a huge shift recently, that is migrating away
from system PenTests to network PenTests. Scapy is by far one of the best tools to
conduct network analysis.

4) WebInspect cannot be excluded from the list (even though I really don’t enjoy
web hacking). Again, this is another point-click type of tool, but the time saved
is tremendous.

5) Nmap/netcat/openssh/wireshark would be next (ok, so I cheated…). After tools
such as CI and WI produce their findings, it is absolutely necessary to follow up
with more hands-on tools; not only to verify the findings, but to find things that
might have been missed (which are an inevitability).

It would be hard to identify upcoming tools, but I think the topic of RFID research
will be bigger in the near future. Despite the proven flaws, organizations are
proceeding with deployment of RFIDs for inventory tracking (I include people as
inventory as well). The ability to sniff RFID data and spoof or DOS the signals will
seriously impact these corporations.

SA: Can you give us one of your back pocket pentesting tricks? Some Thomas-fu
perhaps?

TW: It's funny when I get asked these questions. Everything that can be done in a
penetration test has been disclosed, either on a web site somewhere or a book. All the
“fu” used today is simply a variance of something that came before – we are finally at the
point where PenTest engineers can stand on the shoulders of giants: nanos gigantium
humeris insidentes.

The thing that separates one PenTester from another is practice and exposure. So, as a
“trick,” I would suggest the following – I always tell my students that they need to learn
all there is to know about a hacker tool, and not just the defaults. I equate those who only
use the default settings as a mechanic using a wrench as a hammer. It works, but I would
never hire a mechanic who didn’t know how to use their tools effectively.

SA: What is there in store for the De-ICE, Hackerdemia, and Heorot projects?

TW: More LiveCDs, for sure. Currently, the toughest De-ICE disk is at a difficulty level
of 2 (out of 4). We have a level 3 in the works, which will really challenge the audience.

Starting this quarter, I will be asking the students who create tutorials if they want to
include their work in the Hackerdemia disk. Hopefully, we’ll get additional material for
the general public. I would also like to encourage others to share the knowledge, and
contribute as well.

The Heorot courses will be expanding as well. There has been a high demand for online
training, so we will be converting some of our local-training-only courses to online as
well. These are more advanced techniques, and may require us shipping out hardware to
the students. We will also be including some 8570 training online as well, simply because
of the need. Our focus is primarily penetration testing, but many of the 8570-required
certs provide PenTest engineers a better understanding of the ethics and high-level
overview of Information Security, which is critical to the profession.

SA: Is there anything on the backburner like books and such that you could give our
readers a heads up on?

TW: I mentioned that I’ll be publishing “Professional Penetration Testing” through
Syngress in the coming months. It is a solo project, and is geared towards both PenTest
engineers and managers who are responsible for the successful conclusion of a PenTest
project. A description of the book can be found at:

http://www.elsevier.com/wps/find/bookdescription.cws_home/718483/description#description

SA: What are your thoughts on other projects to further security training such as dojosec,
learn security online, The academy pro, ethicalhacker.net, etc?

TW: We need them – we need them all. There is a growing demand for *skilled*
penetration testers, and the industry does not have the educational foundation necessary
to fulfill the demand. The problem is that the PenTests still need to be done – it's just that
they are being performed by engineers untrained in the nuances of penetration testing.

SA: Anything you'd like to get off your chest or promote? Now's the time!

TW: I’d love to pump the book and the Heorot courses, but my strongest urge is to
encourage contributions to the Hackerdemia and De-ICE Open Source projects. The days
of hoarding information about hacking techniques and methodologies should be past us –
we need to share knowledge at a rapid pace, so that we can better protect our employers
and clients.

Another point I would like to make is that we (as a profession) need to work on
methodology. Our “Capability Maturity Model” is undoubtedly at an ad hoc level, which
means we are simply way too chaotic in our execution of PenTest projects. We are smart
people, and should have well-defined methodologies by now.

OK, I'm off my soapbox for now. Thank you for the opportunity to share some of my
thoughts.

As an added bonus, Thomas has given all Security Aegis readers a discount link for his
pentest courses, which are already affordable even on the most meager budget:

http://heorot.net/discounts/

Thank you, Thomas! We hope to see the projects all over the security space.