# What Ethical Hackers Actually Do

**Source:** [https://www.youtube.com/watch?v=bSVGrA1_gYw](https://www.youtube.com/watch?v=bSVGrA1_gYw)
**Duration:** 00:17:27

## Key Points

- The video delves into the day‑to‑day responsibilities of an ethical hacker, expanding on the role introduced in the series’ first episode.
- Ethical hacking is framed as a layered process: automated vulnerability scanning at the base, manual penetration testing in the middle, and full‑scale red‑team simulations at the top.
- While hackers “break things” for fun, their primary value to clients is delivering detailed reports and recommendations that improve security, emphasizing strict ethical standards and extensive documentation.
- A core engagement type is adversarial simulation, which requires careful pre‑engagement planning and definition of scope, objectives, and rules of engagement before any testing begins.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=bSVGrA1_gYw&t=0s) **Ethical Hacking Job Deep Dive** - The segment introduces the second video of the series, featuring a live ethical hacker who explains the core responsibilities—vulnerability scanning, penetration testing, and red teaming—while recapping the ethical hacking pyramid.
- [00:03:11](https://www.youtube.com/watch?v=bSVGrA1_gYw&t=191s) **Scenario‑Based Security Testing Planning** - The speaker explains how to craft realistic threat‑actor scenarios and define goals, rules of engagement, and budget constraints to shape effective client security testing.
- [00:07:57](https://www.youtube.com/watch?v=bSVGrA1_gYw&t=477s) **Architect vs Ethical Hacker** - A security architect contrasts his internal, design‑focused approach—using business and system context diagrams—to that of an ethical hacker, explaining how each role contributes to strengthening a client’s cyber environment.
- [00:11:15](https://www.youtube.com/watch?v=bSVGrA1_gYw&t=675s) **From Recon to Exploitation: Using MITRE ATT&CK** - The speaker outlines the hacker mindset of finding entry points, establishing a foothold, and then employing TTPs—referencing the MITRE ATT&CK framework—as a guide for ethical hacking engagements.
- [00:15:42](https://www.youtube.com/watch?v=bSVGrA1_gYw&t=942s) **Beyond Exploits: Reporting Tools** - The segment explains how a foothold leads to system damage, underscores command‑and‑control as essential in red teaming, and highlights the unexpected but critical role of tools like PowerPoint and Word for documenting and communicating findings to clients and oversight teams.

## Full Transcript
Welcome back to the second video in our series on ethical hacking. In the first video, we took a look at the role of the ethical hacker in general. In this video, we're going to do a little bit deeper dive into what the job involves, the actual tasks and considerations that an ethical hacker has to do. And in the final video, we'll take a look at how you can potentially go about getting a job in this space. So, in order to talk about this, I thought I'd bring along a real live ethical hacker. We took him out of his native environment and brought him here into the studio. Patrick, it's good to have you with us.

Thanks so much, Jeff.

Yeah. So, in our first video, we took a look at this. Maybe just review that real quickly: this pyramid of ethical hacking, the activities that are involved.

Sure. Yeah. This is just a couple of the primary components you might put into the bucket of ethical hacking. At the bottom we have vulnerability scanning. This is our more automated type of testing, where we're looking at the big picture and understanding what all the vulnerabilities are. Then we've got our penetration testing, where we're bringing in a talented tester to sit behind the tools and do actual exploits and understand the impact of those. And on top of that, we have our red teaming, where we're trying to replicate the perspective of a real-world threat actor.

Okay. So basically what I heard you say is you get paid to joyride on the internet all day long. Just type stuff really fast, break everything, and then you get paid, right? That's what you do, right?

Not exactly. As fun as that sounds, what we actually like to say around the industry is: we hack for fun, we get paid to deliver a report. And that's because we want to make sure that the people who are doing this work are people who can think like a hacker, have the mind of a hacker, but in the end, we want to be able to work with our clients to help them become more secure by understanding what we should do when we find these vulnerabilities.

Sure. And a big part of that is the ethical part of this hacking. A lot of people, I think, just want to lean into what they think is the video-game fun part of this, and that's breaking a whole bunch of stuff. So here's a reality check: it involves ethics, and it also involves having to do a lot of documentation, other work like that.

That's right.
Yeah. So tell me, let's break this down a little more. And what you do does appear in this space, right? You do adversarial simulation.

That's right.

And so if you were going to be involved in an engagement, for instance an engagement that involves adversarial simulation, what goes into it? What kind of things do you have to define when you start with this?

So there's two primary buckets you could probably put these things into. The first one would be our goals, and the other one would probably be our rules of engagement.

Gotcha. And under the goals, what kind of things fit there?

So there's two ways you could break this down. From a macro standpoint, from the big picture, we really want to always, for every engagement, help a client understand what's their ability to detect and prevent a bad guy from breaking in.

Yeah. Yeah. Exactly. So you've got to go through these scenarios to make sure you know what in general is involved. What would someone do at the big level? Now, if you've got a macro, I'm sure you're going to also tell me there's a micro.
Sure. So, we're thinking about goals, and when we're speaking with a client, we always want to say, how do we design the scenario so that we give you the most effective type of test? We think of a scenario. It might be something like: imagine you're a bank. We want to be the threat actor, the bad guy who breaks in. What are the types of things that they're going to do? Well, they're going to maybe try to steal money, get to an account, move dollars from one account to another. And that scenario helps us define how we actually do the testing.

So this is now down more at the use case, and up here you started kind of in general, I'm assuming, talking about here are the kinds of things that a bad guy would want. These are the goals that they might have. So therefore, what do our goals need to be in order to guard against that?

That's right.

Okay. So, rules of engagement. You mean you have to follow rules? You don't just get to do whatever you want.

As much fun as that might be, we do have to have rules, and maybe starting with something like a statement of work.

Yeah, exactly. I think this is really important.
I've heard ethical hackers say that if given enough time, they could probably break into any system, but nobody has unlimited time. Nobody's going to pay you an unlimited budget in order to do that work. So, how much time, if we consider these kinds of engagements, how much time are they generally allotted that a client will pay for somebody to do this kind of work?

Well, we'd love it if they gave us unlimited time, because hacking is a lot of fun. However, you're right. We do always want to make sure that we're spending our time wisely. And so, we think about these three categories up here. If we look at vulnerability scanning, that could be maybe 20 to 40 hours of work. A penetration test could be maybe 40 to 80. And an adversary simulation or a red team could be something like two to four months, or maybe even longer, depending on what type of testing we're doing.

Yeah. So you start with just maybe a single week all the way up to multiple months, depending on the level of engagement that the client wants to do here.
That's right.

And then I think you also have to consider it's not just the hacking part that we're doing. If they give you a week or they give you two months, they're going to expect some deliverables at the end of all of this. They want you to document your findings and your recommendations and things like that. So, it's not 40 hours of joyriding the internet. As I said before, you've got to split some of that up and figure out how you're going to explain back to them what you just did and what your learnings were.

Quite a bit of that time, actually. Reporting is the most important part of the whole process.

Yeah. Yeah. Exactly. Okay. So, how about in terms of anything else we need to consider here?

Definitely. So, in any test, there's always going to be some sort of limitations. That could be anything from specific people or geographies or particular types of systems that we're going to want to understand: do we want to test against those or not, and how might that affect the overall engagement process?

Yeah, I can imagine, for instance, an e-commerce company, if it's right around the holiday buying season, really doesn't want you taking their systems down right when all their customers are supposed to be there, even though you might be able to. So they might put some limits and say, "Okay, you can do this, but you can't do that." And by the way, that's a big difference between an ethical hacker and an unethical hacker. You've got to work within these constraints, these constraints of time and money and resources and some rules and things like that. So your job actually is significantly harder, I would say.

Yeah. And it's really important that we think about this entire picture when we're designing the engagement to make sure that, as you said, a real bad guy doesn't have these rules. So, how do we do the testing where we get the same effectiveness without putting things at risk?

Sure. And then within the organization, so you're basically doing the red teaming for them. They would have a blue team that's on the defense side. And what is the blue team doing in this case?

Well, depending on exactly what type of testing you're doing, they may be involved and be very aware, and they would be on things like status calls and updates. But in a lot of the red teaming, we'd actually want them to be unaware, because we want to test them as part of this engagement.

Yeah. So they may be completely in the dark about this, and that adds a different element of realism to the ethical hacking exercise that you're doing. You would be testing not only if the systems stand up, but do they have the processes to detect and to prevent and to respond.

That's right. We call that the people, processes, and technology.

Yeah. Yeah. This is really important. People, process, and technology. All of those going together are what allow you to actually implement security. And then how do you decide if you were successful or not?

Sure. So, one other key element, particularly in a red team type test, is our referee team. And there's lots of names you might use here, but essentially these are the people who are aware of the fact that the testing is happening. They're in charge of socializing, disseminating information, controlling the flow between the red team and the blue team as needed, making sure that things happen in a safe and effective way.

So, there's a lot of moving parts in this whole thing. I would say it's very complex. So, I'm a cyber security architect, and here Patrick is an ethical hacker. So, I thought it might be interesting to sort of compare and contrast how we both go about trying to make a client's environment more secure. So from my perspective, the security architect is often kind of looking at this more from an inside-out perspective. So I'm trying to look at what the system is, what the desired state is, and probe it and figure out where the weak points might be. A lot of this is work from a whiteboard rather than a keyboard. And some of the inputs that I need are things like a business context diagram. That's going to tell me what are the major components of the business, of the organization, that need to interact with each other. And understanding those interactions is key. I also need to see something like a system context diagram, where now it's not only the elements of the business, but it's the elements of the system, the major system pieces that are out there and how they might interact. And then each one of these drills down a little more to a reference architecture, where the reference architecture breaks down and shows me some of the components of these major systems. I can then look at all of that kind of stuff and start to figure, if I was a bad guy, where do I think this thing might fail? That's my kind of premortem type of thinking. So where might the weaknesses be? Well, now for an ethical hacker, I think, Patrick, you tend to take more of the opposite, more of an outside-in approach.

That's right. And one of the things you said was, where might the weaknesses be? When you think about it from the ethical hacking standpoint, it's about understanding where those weaknesses are.
We're going to start from looking at what all the possibilities are. So, we might work with a client and they say, here's the scope. Here's the left and right bounds of what we want to define as part of our test. And from there, we're going to start our reconnaissance. So, we're going to see what's all the information we can possibly gather, whether that's looking directly at the system or maybe a little bit bigger picture, looking at employee social media accounts. What have they posted on places like Glassdoor? Any information we can get is good information. Even as far as potentially looking at the dark web. You'd be surprised how many passwords end up on the dark web that are very useful to real bad guys and pretend bad guys alike.

No doubt. All of that information makes you smarter about what an outsider would also have access to. A lot of this kind of stuff as well. They might not have access to this, but you're starting as an outsider and you're going to do that kind of reconnaissance. If you're going to break into a place, you want to kind of case the joint first, and that's what that's involving.

I think that's exactly the key: gaining the perspective of what does it look like from the outside and how might someone go about that process, so we understand better how to defend ourselves.

Yeah, sure. What else is involved here?

So, once you have all the information and the scope, you're going to maybe want to move to a more active phase where we're actually doing probing. So looking for vulnerabilities, looking for potential entry points, and understanding what might my next steps be.

Okay. And then once you probe, you find a weak spot and you're able to establish what? A foothold.

That's right. So we're on the outside and we want to be on the inside. So we need to find a way to actually access the network, the target environment. How are we going to get in?

Yeah. And then from there, you can go to all sorts of other things, and the fun really begins. Okay, Patrick, let's take a little bit deeper dive into the ethical hacker part of all of this. So, what would your engagements look like?

Sure. So one way you might want to think about it is from the perspective of TTPs, or techniques, tactics, and procedures. And in practice, what that means is: how do we do what we do from the hacker's perspective?

Yeah. And this is basically the recipe that describes how an attack occurs. If somebody's going to attack you, they're going to use certain ones of these different TTPs. And is there a place where all that stuff is collected?

Sure. There's quite a few places. One really good one I recommend people look at, if they've never explored this topic before, is the MITRE ATT&CK framework. And the MITRE ATT&CK framework gives us a really good shared set of language points and ideas to talk about, hey, when a hacker does a particular thing, how do they do it, and how do we think about how it was accomplished?

Yeah. And the beauty of that is, if I tell you I've experienced a particular type of attack, I can reference it from this ATT&CK framework, and you have a copy of it as well, and you have a really good idea of what it is. So it is kind of a common language for all of us then.

That's exactly right. And it also gives us, off the back of that, you could think of how do we defend against it? How do we talk about it in a way that makes sure it doesn't happen again?

Absolutely.
And I would think, as an ethical hacker, you could essentially use this as a checklist. You're not going to be able to look at every single version of TTPs and combinations, but you could look at general categories and see, did we consider any of this type? Did we consider enough of that type? And that sort of thing.

It really is. And it's not that it can always be comprehensive, but it does give a very good overview of what are all the ways that these things can happen from the perspective of a threat actor or a hacker.

Yeah. Okay. Now, how about tools? Because you're not going to do all of this just in your head. There are going to be tools, and we looked at earlier in the video different types in the pyramid of vulnerability testing and pen testing and then red teaming. What are the tools that each one of these groups would use, for instance?

Yeah, definitely. So, you can imagine that, starting with something like vulnerability scanning and moving through the types of testing, they use very different types of tools because they have different ways of going about what they do. But starting with something like vulnerability scanning, really popular ones might be things like Nessus or Qualys. Those are industry-wide. They're well known, and they're established as effective tools in their fields.
Yeah, these are very popular and automate a lot of the process for you.

They sure do. And going back to what we said about things like MITRE ATT&CK, they also give us sort of a shared language to talk about, if we see a vulnerability, what is it? How do we classify it?

Sure. And then the next group then are the pen testers, and what kind of tools do they use?

Sure. And this obviously could be an infinite list. There's lots, but two of the first ones that come to my mind are tools like Nmap for things like network scanning, or something like Burp, or Burp Suite. Excuse you. Thank you.

Yeah, Nmap has been around for ages. I remember that back when I was first starting decades ago. So interesting to see that some of these tools still continue to live and show their value.

Definitely. And interestingly enough, Nmap continues to be developed. They're still writing code for it.

That's amazing. And then over here on the red side, then tell me what kind of tools are important for you.

So this is kind of an interesting one, because red teaming is a little bit unique in the way that it thinks about tools, in that they're more conceptual than they are recommending something like Nmap. But one of the ones I would start with is command and control, because this is one of the key concepts to define how you would do a red team. And if you're not familiar with the concept, it's essentially saying, if I'm inside of a network and I want to talk to a system outside of the network as a bad guy, how do I accomplish that? I have a piece of software that's going to run and communicate for me.

Yeah. Yeah.
Exactly. That's that foothold we were talking about before. And that's when the real damage occurs. If somebody gets that foothold, then they can just move however they like within the system and do all kinds of damage.

That's a good point. And so because of what you're saying, you can see why command and control is such a key concept and tooling idea in the field of red teaming.

Yeah. And I think another tool that probably most people would never guess, but I would think is really, really important to a red teamer, is...

Yeah. Believe it or not, something like PowerPoint and Word. You've got to document all that you found.

Yeah.

In fact, one of the things we talked about previously was the idea of a referee team. Well, as the red team, it's really critical that I be able to tell them on a very regular basis what I am doing and communicate the progress of the testing. PowerPoint is the key tool there.
You have to be able to put that information in a presentable way.

Yeah. People wouldn't think about this as being something important in the toolkit for an ethical hacker, but in fact, at the end of the day, you've got to pay the bills, and you've got to be able to show the client what it is you did and what you learned. So, you're going to need some way to document all of those kinds of things.

So, now we've taken a look at a high level of what goes into the job for an ethical hacker. What are their concerns? What things do they need to look at? In the first video in the series, we took a look at the role overview. Here we've taken a look at the job. In the next video in this series, we're going to take a look at how you could potentially go about getting a job in this space. So, make sure to like and subscribe so that you're aware when the next video comes out.