“Being a pentester is not about the accumulation of all knowledge of cybersecurity. It’s really a question of, how passionate are you about cybersecurity? Do you want to break into systems? Do you want to solve challenging problems? Do you enjoy looking at things from different perspectives?
And it’s not just about breaking things. It’s about bringing business value to a company or organization, reducing their risk, and helping them to remediate their vulnerabilities and decrease their attack surface. Are you passionate about truly helping your organization?” —E-z Ear
Ekzhin “E-z” Ear is an Ethical Hacking instructor at Divergence Academy who is dedicated to lifelong learning. With a Master of Science in Cybersecurity and currently holding Offensive Security and GIAC’s expert pentesting certifications (OSCE; GXPN), he has spent nearly two decades serving in the military, starting as a reconnaissance pilot and culminating as an Offensive Cyberspace Operations Analyst.
I’ve been in the Army for about 19 years now, doing a lot of different things. I started out as an aviator and then transitioned to information systems. I’ve got a Bachelor’s in Computer Science and a Master’s in Cybersecurity.
I did a lot of Network Admin, System Admin, Server Admin-type roles for the past decade, before transitioning into pentesting with some assignments related to cyberspace operations.
The most prominent is probably my work at the NATO Cybersecurity Center, with the pentest and red team there. I conducted daily penetration testing engagements, some red teaming activities, and 0day research. I worked with an all-star team there; together the team discovered over 200 0days in major commercial applications. Now, I’m at Space Command doing offensive cyberspace analyst-planning-type work.
A lot of Googling around. I would say from my past decade of experience that it’s a common thing for maybe 50% of guys and gals who want to enter into IT will want to become pentesters once they hear about it, because it sounds cool and exciting. You’re breaking things and hacking into systems. That’s how I started.
I saw a message from LinkedIn about Divergence in May of 2020, tagged up and had a great conversation with Sravan about his vision and their Cybersecurity Professional Penetration Tester immersive program. It sounded really interesting. I voluntarily took the CompTIA Pentest+ exam at Sravan’s request, passed it, and subsequently started teaching in June. I’ve taught 3 Pentest courses so far.
Prior to Divergence, I didn’t have any formal teaching experience, aside from conducting briefs for the Army and accruing some management experience. I’m just a technical person by nature and Divergence liked that. Coming to teach here, I really tried to think about what it was like entering the field for the first time, so coming from the perspective of when I first started learning pentesting.
My teaching approach is informed by my own learning experiences: here’s what I would do and here’s how I’ve learned pentesting, which has been completely hands-on.
It’s helpful to begin with an overall understanding of cybersecurity. Break the myths around what pentesting is. From there, you can get into the nuts and bolts—a more realistic perspective of the difficulties of getting into the pentesting world is that it comes with immense technical and industry challenges.
It isn’t so much about following a curriculum. I had a supervisor ask me as I was leaving NATO: “Can you put together an SOP on everything that a pen tester needs to know to be successful?” And the whole of that SOP would be something like, "Google.com".
At the end of the day, you could spend your whole career really studying and researching, for example, .NET, Java, or Silverlight. Next thing, you know, Silverlight becomes obsolete and deprecated.
Half of my engagements at NATO involved a lot of researching, Googling, and trying to understand new technology, at least new to me. I would talk with the blue team—if it’s a white box engagement—and try to understand their environment. From there, we would apply the foundational cybersecurity principles concerning the CIA triad (confidentiality, integrity, and availability) and the ideas of hardening and security to that technology.
All this to say, a pentester’s biggest attribute is being able to assimilate a lot of data and a lot of new technologies as rapidly as possible. Then, applying the security principles when you’re actively on the keyboard, simulating an attack, researching and exploiting those vulnerabilities.
In the pentesting world, it’s not about the accumulation of data—it’s about a shift in mentality. When you’re learning pentesting, you need to think like an Offensive Security Practitioner.
So it’s about this obsessive persistence... this self-learner, “challenge-accepted” mentality.
The Cybersecurity Professional Penetration Tester program is 10 weeks long with six major courses: Server+, Cloud+, Linux+, Network+, Security+, and PenTest+.
Typically, it’s a different instructor per module. It would be about a week with an instructor for the first three courses starting with Server+. And then starting with Network+, you get two weeks with an instructor.
So these students are cycling through different instructors, which I think benefits the students by providing them a buffet of different perspectives from seasoned working practitioners in the cybersecurity space.
Each instructor is a subject matter expert of that particular module, so the students are receiving insights from those who are and have been actively utilizing those skill sets in their day-to-day.
Week one of Pentest+ is really where the majority of the content is, as far as terminology, jargon, processes, the business behind pentesting, but getting after these topics via hands-on activities. On day one, I like to open up with technical wake-up questions, such as: “Can you open up a PowerShell console and write me a script for alerting you every 20 minutes to do pushups?”
That first week is a lot of trying to interact with the students. I tell them: “I want you to get the most out of this course, so let me know if I can help with anything or if there are any life issues happening as well.” I want to be aware of things like that.
Earlier I mentioned “wake up questions”. So, we start with some kind of exercise or question to open up the day—students either break into groups, or they do it on their own.
If a student is able to accomplish that wake up exercise, they share their screen and demonstrate it. If not, I talk the class through how to do it and include best practices.
From there we’ll jump into the CompTIA PowerPoint slides to lay out the topic. I touch on major topics and major areas of interest, and then drive them to look at some other resources via Google or YouTube and tell them to get different perspectives on these topics and areas of interests—typically through some team competitions. And then after I walk through a couple of steps, I’ll ask for a volunteer to drive through the rest of the lab as I discuss the “why’s” of each step.
It’s been hit and miss with different classes. Some classes, you get three or four who are really willing to do that. Other classes, maybe just one. In those classes, I would encourage specific students to share their screen because it will increase their learning.
Additionally, I’ve developed my own labs. A small environment where there are virtual machines that they can go through in a way that I think, as a pentester, you would actually be doing without such concrete step-by-step guidance.
So, to kind of summarize a typical day: we have the PowerPoint presentation from CompTIA, we go into the labs. If it’s one of those major topics for pentesting, we’ll go into one of my labs and I’ll group the class into different teams and there will be a challenge where they can earn points.
Can you expound a little on these “challenges” and why there’s a point system?
The challenges are about trying to motivate them through the point system. Sometimes, I’ll leave my challenges overnight or throughout the week for them to solve. They’ll take screenshots and, you know, brag and boast about it.
For the first week, a lot of it is maybe two hour blocks of topics, with a break in between, and challenges throughout. Some of those challenges present themselves as Capture the Flag (CTF) types similar to Root-Me or Hack the Box as a method that lets you gamify and instill whatever we’re trying to teach.
And really, what we’re trying to teach is not specific data points on vulnerabilities and exploits, but a viable methodology and a creative way of thinking.
So using virtualization, the cloud, and my own servers, I built some virtual machines that have some known vulnerabilities in it, which the students will have to discover and exploit.
They do their recon and enumeration to identify those vulnerabilities. As it goes: “Okay, here’s challenge number one, here’s the goal. Go break into your groups, and let me know if you need any help.” And then I hover amongst the groups looking for proper times to interject.
In Week Two, we do less of PowerPoint, and more of diving right into things as each day is broken down into a different domain. We attack Linux systems one day, Windows systems the next, and then web applications on another day.
You could take a whole semester on just attacking web applications, and then that will be your specialty. But in this course, we’re providing more of a primer for general pentesting and going through the process of how you would exploit various targets.
How do you keep students engaged in a virtual classroom environment?
I’ve been chewing on this for a bit. As far as the team interaction and using the challenges, I’ve really enjoyed that. Egging them on to participate via the point system, that’s been a lot of fun.
I don’t want to be too hard on the students. But their level of involvement in the class is really hard to gauge from a virtual classroom perspective, where no one’s sharing their screen, and everyone’s on mute, right?
Classes are different. You’ll get one or two students who are really vocal—which is great for them, because they’re getting a lot out of the class. But I can get really pointed at some students and ask: “Hey, can you give me an answer to this?” While other students will want to answer, I have to emphasize: “No, I would like this student to answer.” It is disappointing when the student either doesn’t answer at all or says something like, “I’m sorry, I was on the phone."
Later, I’ll touch base individually and let them know: hopefully you guys don’t get offended, but if I don’t get an answer, I’m going to eject you from the class and you can come back in once you’re in the right mindset to engage. I want students engaged because I want them to succeed.
A bit of both I think would be very helpful. While I can’t make turning on their camera mandatory, the reality is that students are sometimes in an environment that’s not the most conducive to learning. When they turn their mics on, you can hear there's just so much happening in the background.
Side note: in these particular situations, we welcome students to utilize our Addison, TX campus facilities. The campus is open to all Divergence students, Alumni included, from 9AM - 6PM weekdays and 8AM - 6PM on weekends. Doors open 30 minutes before. Masks are required upon entry and social distancing is still observed.
Let’s get a reality check: if you’re not paying attention in class, then I would rather you just not even sign on. Because you’re fooling yourself to an extent. I feel really bad whenever I have to give that talk. You never want to be the police officer, right? But it’s about having your priorities straight. And if pentesting or getting into the IT world is not high on that priority list, then you’re not going to do well. Bottom line.
Yes. I will individually message them: “Hey, you know, I know you’ve got a lot going on in your life. Let me know what’s going on. So I can cater to that as well. I don’t want to insinuate that you’re not trying, because I know a lot of you guys are really trying hard.”
Getting into any kind of learning, it’s just really hard, and that’s the reality of it. Like I was teaching my five year old how to read. And she’s crying as she’s trying to read a simple sentence, “and the cats come in,” and she just cannot remember the word ‘come.’ And she’s crying because it’s so hard for her. But that’s just the reality of learning something new, right? It’s just hard until you learn it.
I want students to feel comfortable showing their camera so that we can engage. Because, otherwise, it’s just me talking to a bunch of machines and you’re not exactly interacting with the rest of the class.
Let’s all interact as human beings by showing ourselves on camera. Let’s go through this learning experience together as a class, and let’s help each other out, especially while we’re on MS Teams. Show your faces and let’s interact with one another.
There’s the aspect of just purely enjoying pentesting. I don’t know what it is, exactly. Maybe that “challenge-accepted” mentality of an Offensive Security Practitioner is just something I thrive on. I thoroughly enjoy breaking into a system or an application and then helping to solve its security bugs.
As an instructor, I really appreciate that there are between one to three students from each class that still correspond with me. They ask me questions that cover anything from job seeking to expounding on cybersecurity techniques.
A thing I do want to share from the last class: the environment I created ended up having some IT issues with the cloud. It completely broke, so the method that I wanted the students to exploit—an easy vector of attack—was no longer available. But one of my students was able to find an alternate way of exploitation that I didn’t even plan for.
Seeing these guys who are paying attention throughout the two weeks, who are applying the concepts and doing things that are going to surprise the class and me, that gives me a lot of satisfaction.
What is the one piece of advice you would give them?
The first, practical recommendation I typically give is to get your Offensive Security Certified Professional (OSCP) certification. This hands-on certification is the entryway to the Pentesting world. With that said, to get there is to always keep trying.
I personally don’t like Offensive Security’s “try harder” motto because as I went through trying to get my OSCP some years ago, people kept telling me to try harder and I felt like I was already trying as hard as I could. But you do need to have persistence.
Being a pentester is not about the accumulation of all knowledge of cybersecurity. It’s really a question of, how passionate are you about cybersecurity? Do you want to break into systems? Do you want to solve challenging problems? Do you enjoy looking at things from different perspectives?
And it’s not just about breaking things. It’s about bringing business value to a company or organization, reducing their risk, and helping them to remediate their vulnerabilities and decrease their attack surface. Are you passionate about truly helping your organization?
We are the leading vocational trade school for emerging technologies with industry experts as our instructors. Gain relevant skills and meet the demands of an evolving landscape by signing up for our courses today.
View our course catalogue or reach out to us and speak to a member of our team today!