The Hacker's Cache

#2 Transition From Pentester to Senior Pentester ft. Adolfo (Val) Vask

Kyser Clark - Cybersecurity Episode 3

Adolfo (Val) Vask, a seasoned cybersecurity professional, shares insights on his journey from intelligence analysis to penetration testing and red teaming. He discusses certifications, the MetaSploit Pro Specialist, the relevance of education in cybersecurity, and the transition from penetration tester to senior penetration tester. He also provides valuable advice on training, note-taking, and maintaining technical skills as a leader in cybersecurity.

Connect with Val Vask on LinkedIn: https://www.linkedin.com/in/adolfo-vask/

Takeaways

  • Val Vask's transition from intelligence analysis to cybersecurity showcases the diverse paths available in the field.
  • Certifications and the relevance of education in cybersecurity play a significant role in career development.
  • Val Vask emphasizes the importance of maintaining technical skills and continuous learning, even in leadership positions.
  • Training to improve job performance rather than to obtain certifications is a valuable approach in cybersecurity.
  • Effective note-taking and note-taking apps are essential for cybersecurity professionals to document and retain valuable information.

Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY


Music by Karl Casey @ White Bat Audio

Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

The postings on this site are my own and may not represent the positions of ...

[Val Vask] (0:00 - 0:27)  
Another thing that would help transition a penetration tester to senior status would be to have years of experience doing different types of penetration tests, whether it's network penetration testing, web application penetration testing, API penetration testing, or ICS SCADA or IoT penetration testing. Someone that has well-rounded skills would help them transition from a regular penetration tester role to a senior penetration tester role.

[Kyser Clark] (0:27 - 1:51)  
Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.  
Hello, hello. Welcome to The Hacker's Cache. My name is Kyser Clark, the host of the show. If you don't know who I am, I have six years experience in the field. I have multiple certifications, a bachelor's degree in cybersecurity. I'm currently working on my master's degree in cybersecurity, and I am a full-time penetration tester. Today, I have Val Vask, who has spent 18 years as an intelligence analyst. Ten of those years were active duty, so thank you for your service, Val.  
I really do appreciate your service to this country. You spent two years in cyber defense. You spent two years as a part-time college professor, and you have spent about five years now as a senior penetration tester, team lead, and program manager for penetration testing and red teaming. So go ahead and unpack some of that experience that I just mentioned and introduce yourself to the audience.

[Val Vask] (1:54 - 4:04)  
So yes, thank you, Kyser. So yeah, I've been around for like 20 years. Nine of those years were close to ten years were in the Navy active duty, where I was an intelligence analyst and language analyst, doing initially a lot of signals intelligence, and then I moved on to cyber threat intelligence doing offensive operations, which is what got me into offensive security.  
From there, I kind of moved on to cybersecurity in general, and then in counterintelligence, and I moved into cyber threat intelligence doing incident response. And at that point, I actually had an opportunity to be a red teamer because of my certifications, and this was for a government agency, and that's what got me really into red teaming and penetration testing. It was kind of like really like going into the fire immediately.  
It was a lot of reading, a lot of practice. I have to say I used Hack the Box a lot. That helped me out a lot, but ultimately, there were courses that were out there. They're out there now that I didn't have access to back in 2013, and so I had to do a lot of reading at that time. I was a lead for several years doing penetration testing and red teaming for both the private sector and the government sector, and I also did a stint as a VCISO for another organization, and ultimately, I reverted back to penetration testing and red teaming, which is what I really like, and right now, I'm in a government organization as the lead and managing a team of penetration testers and red teamers.

[Kyser Clark] (4:06 - 4:44)  
Nice. Yeah, your background is super impressive. Yeah, it's quite amazing.  
One thing I did forget to mention in your introduction was, so you do have a handful of certifications. I do like to highlight people's certifications on the show, so you have the CISSP, CEH, Pentest Plus, CySA Plus, Security Plus, and you have a Metasploit Pro Specialist. I guess, quickly, can you talk about the Metasploit Pro Specialist? Because I've never heard of that. I'm actually just kind of curious on what that is and what your take is on that.

[Val Vask] (4:47 - 6:55)  
So, we wanted to, with one of the organizations I worked for in the private sector, they originally had core impact by HelpSystems or Fortra, and they, I'll be honest with you, I wasn't a big fan of core impact, but we wanted to move on to a better automation, penetration automation process, and we decided on Metasploit Pro after a lot of demos and a lot of, you know, just reading. And so, what they did was they offered Metasploit Pro, and they offered a course on Metasploit Pro on how to use Metasploit Pro to dump hashes, to do privilege escalation, to do lateral movement. Metasploit Pro has quite a few modules that are different and that are distinct from Metasploit.  
So, they offer a lot more functionality. And so, the course was like a two-week course, and they basically go through every single step of Metasploit and give you ideas of how to use Metasploit and especially Metasploit Pro, obviously, and I got certification along with my team to, and how to use Metasploit Pro to basically help find the, for me, it was automating the low-hanging fruit, or finding or discovering the low-hanging fruit, and that was helpful for me to do that, and then once we found some vectors to exploit, we used Metasploit Pro, we used other tools like, at that time, CrackMapExec, or Cobalt Strike, other tools. We used other tools to further exploit those vectors, and that's how we got the certification for Metasploit Pro.

[Kyser Clark] (6:57 - 7:24)  
Okay, nice. Yeah, so I didn't know there were certifications for it, because obviously, well, I guess it's not obvious, but I use Metasploit all the time as a penetration tester. I just didn't know there were any certifications for it, so that's good to know. Do you think that's like worth something to pursue, or do you have to like purchase Metasploit Pro to be a specialist in it, or can anybody just like, is it like an exam, or is it training, like how does that look?

[Val Vask] (7:29 - 8:27)  
It's an exam, and there's training for it, and you can, I believe you can actually sign up for the exam, I think it's like $200. I'm not, I don't know, I don't remember anymore, it was a long time ago, many years ago, but basically, you sign up for the exam, you sign up for the course, you go through the course, and you learn the intricacies of Metasploit Pro, and how to use it. You learn all about the modules, and how to modify, or supplement those modules with other features from Metasploit Pro, and basically you take the exam, and you have to, you know, obviously pass it before you get the certification, and the exam was fairly easy, I think, but it was a practical exam, somewhat, so part practical, part multiple choice.

[Kyser Clark] (8:29 - 9:46)  
Okay, nice, nice. I mean, I was so excited to have this conversation that I actually forgot to highlight your education background too, so you have a Master's in Information Assurance, and you also have a Bachelor's Degree in Information Technology, so that's nice. I think education, I mean, there's definitely a debate on whether college degrees are worth it in cybersecurity.  
I'm, like I said, I'm going through my Bachelor's Degree as well, and I think it's nice to have a good education background, although I understand why it wouldn't be for everybody. So, now I want to direct your attention to our rapid-fire session, so what I'm going to do is I'm going to ask you five questions related to cybersecurity. I'm going to give you 30 seconds to answer them, so when you answer these, just say the first thing that comes to your mind, you know, one, maybe a few words for each response, and don't provide any explanation to them, because we got to get through them, and if you get through all five questions in 30 seconds, I'm going to ask you a bonus question that is actually unrelated to cybersecurity.  
So, let me pull my stopwatch here, and so your time will start when I finish speaking on the first question. Are you ready?

[Val Vask] (9:47 - 9:48)  
Okay, I'm ready.

[Kyser Clark] (9:50 - 9:52)  
Favorite programming language?

[Val Vask] (9:55 - 10:13)  
Python. I prefer Python because it's a language that I've been using since 2014, and I've used it for many different features that Python offers, and it's the easiest language for me. That's my favorite programming language.

[Kyser Clark] (10:13 - 10:22)  
Biggest misconception about hackers? You can skip if you want to.

[Val Vask] (10:22 - 11:05)  
Biggest misconception about hackers is that, no, that's all right. Biggest misconception is that we are cowboys in the wild west, and we basically do anything that we want to do when we want to do it, and we don't follow a refined approach to penetration testing or red teaming, and that's nothing to be further from the truth. We do a lot of due diligence in terms of what we do and how we do it, and so that will be the biggest misconception

 that I think.  
There are some cowboys out there or cowgirls, but really, I think more often than not, that's not the case.

[Kyser Clark] (11:07 - 11:09)  
Best career advice you received in cybersecurity?

[Val Vask] (11:13 - 11:47)  
Best career advice I received in cybersecurity, that's a hard one. I would say to keep on learning. You've got to keep on learning, and you've got to make learning a lifelong event and lifelong process, and to, more than anything else, just keep on learning and practice even on your off time.  
You've got to remain relevant in this industry to be on top of it, and so learning is the top way to do that.

[Kyser Clark] (11:49 - 11:51)  
Most overused cybersecurity buzzword?

[Val Vask] (11:55 - 12:23)  
I would say Zero Trust. Zero Trust is being used a lot, and it's a great concept, but it's very difficult to employ and to implement.

[Kyser Clark] (12:24 - 12:26)  
Favorite training platform?

[Val Vask] (12:28 - 12:29)  
Hack the Box, 100%. There's a few other ones, but Hack the Box is my favorite one.

[Kyser Clark] (12:26 - 13:10)  
We did not do that in 30 seconds. That was actually two minutes, 32 seconds, but that's okay. Your explanations were very insightful, so I do appreciate your responses to all those questions.  
I guess what I want to talk about is, yes, let's dive into the most overused cybersecurity buzzword. Why do you think Zero Trust is a cybersecurity buzzword, and why do you think, I guess, why does no one know what Zero Trust is, and why is it used inappropriately when it comes up in conversations?

[Val Vask] (13:13 - 14:58)  
Zero Trust is somewhat nebulous in terms of how to implement Zero Trust and what Zero Trust really is. Zero Trust basically is to deny everything, deny but verify, or verify that someone has actual access or an account has actual access to a specific platform or device or application. Zero Trust is really very integral to today's operations.  
I saw it become a buzzword back in the 2000s, not 2000, 2020, sorry. Around 2020 is when I saw it gain a lot of prominence in the cybersecurity industry. And so then everybody started saying, Zero Trust this, Zero Trust that, and they started going to Zero Trust and forgetting the other concepts of cybersecurity, saying that Zero Trust has to be implemented in the organization or the enterprise, without really fully understanding how Zero Trust is implemented in the first place, and without talking about regarding the other concepts of cybersecurity, like defense in depth, or penetration testing, for that matter, because penetration testing actually does help validate your Zero Trust concept, make sure that it actually does work, because if you can actually get passed through Zero Trust architecture on a specific infrastructure, you are actually bypassing that Zero Trust concept.

[Kyser Clark] (15:01 - 15:43)  
Good response. Yeah, I totally agree. Zero Trust, that's the buzzword I think of when I see that question.  
I'm like, what is Zero Trust and how do you implement it? It sounds good in theory, but at the same time, it's like, how is this implemented practically? And no one really has a good answer to that.  
So yeah, totally agree with you there. So I'm going to rewind our attention back to your background a little bit, because I'm actually really curious on what advantage has your intelligence background given you during your cybersecurity career? And how does that compare to someone who is in cybersecurity, who doesn't have an intelligence background?

[Val Vask] (15:46 - 18:42)  
My intelligence career in the beginning didn't really help me out that much, although I was actually deploying signals intelligence platforms out at sea. So we were using those for signals interception. And for that, I had to learn a lot of system administration, especially a lot of trace route.  
So basically to manage the hops on a system to see where we can do the actual configuration management and to do the troubleshooting. So we did a lot of that type of stuff, or I did a lot of that type of stuff before in my early career. And then in my latter part of the career, I actually started doing more cyber threat intelligence and doing offensive security with a specific three-letter agency.  
And that's where I really got involved. I had to have certifications. I had to have the CEH.  
I had to have the CISSP for that program. And that was at that time. That was in 2005.  
So back then, OSCP wasn't a big deal. All these other certifications, there was no CPTS. There was no PMPT.  
There was nothing like that. And the GIAC courses weren't really prominent as they are now. So I had to get the CISSP and the CEH.  
I'm not a big fan of CEH, but those were the two certifications that were required. And they got me involved in actual APT hunting, advanced persistent threats. And that's how I got involved in learning about vectors, how to exploit those vectors, how to extract intelligence information about TTPs, tactics, techniques, and procedures of an APT, of an advanced persistent threat, and try to manipulate and exploit those specific TTPs to our advantage, to what we were doing at that time.  
That really got me involved, you know, getting the certifications and getting that experience got me involved in penetration testing and red teaming, where ultimately those certifications over at 20, around 2013, got me a red team lead position based on my experience and my certifications with another government agency.

[Kyser Clark] (18:46 - 19:01)  
Nice. So you mentioned that your intelligence background didn't help a lot towards the beginning of your response. So quickly, on a scale from one to 10, how similar is intelligence and cybersecurity to each other?

[Val Vask] (19:05 - 20:12)  
That's a hard question to answer, but I would say that it depends on what kind of intelligence you're pursuing or you're addressing or focused on. Initially, you know, we were, back in my active duty days, we pursued different types of intelligence, including terrorism-related intelligence, but mostly for my job, I was more focused on cybersecurity, specific incidents and specific intelligence. And so based on that experience, I would say that was very, I would say on a scale of one to 10, that was like about a five or six of relevance to what I'm doing now, because I learned a lot about cyber threat intelligence or CTI and how to employ that specific intelligence or that specific information to work on these topics, you know, TTPs, APTs, stuff like that.

[Kyser Clark] (20:15 - 20:31)  
Okay. So I want to direct your attention to what you're doing more today, and that's being a red team leader. So what is the biggest difference between a penetration tester and a senior penetration tester?

[Val Vask] (20:33 - 22:27)  
So usually, I thought you were going with what's the difference between a penetration tester and a red team leader, but I will answer that question too. A penetration tester, a regular penetration tester knows basic vectors for exploitation. They may have specific knowledge about how to address or how to exploit specific vectors that are out there.  
Many of them are CVEs or Microsoft specific vulnerabilities, like MS17-010 or MS17-012 or other ones that are out there. So you would know how to exploit those. You would know basic Nmap commands.  
A senior penetration tester would know more about how to use exploit code, how to leverage programming, like Python languages or other languages that are out there. They will be more familiar with scripting, you know, whether it's PowerShell or Bash, and they would know more advanced concepts of penetration testing. It gets kind of murky when we start talking about how to bypass AV and EDR, endpoint detection and response, but that goes more to red team, and using C2 is more red team type of capability. A senior penetration tester may not know those specific functionalities, but they would know programming concepts and would know how to create programs specific to the environment that they are attacking.

[Kyser Clark] (22:28 - 22:54)  
This is actually a question that I'm curious on, because I am right now working as a penetration tester, and I'm kind of curious on your take on career progression to the senior penetration tester level. So to someone who wants to jump from a penetration tester to a senior penetration tester, what's the most important factor in a promotion or switching to a different organization with more responsibilities? Is it time and experience, leadership management skills, or is it technical skills?

[Val Vask] (22:57 - 26:07)  
Honestly, I think it's all three. You have to have, you can't just be, for the most part, this is based on job descriptions that are out there that I've seen over and over again, and based on my own experience. They required, these positions for senior penetration testers required for the most part CISSP.  
How relevant is CISSP for penetration testing? I don't think it's relevant at all, but this is based on what I've seen in the past and in my current situation. You have people with CISSP that are considered managers or CISM, Certified Information Security Manager certification.  
So they have

 the management skills to manage a robust team of penetration testers. So that would be number one right there, is we'll be having that specific certification and or a master's degree in cybersecurity related field. So those two right there would help transition someone from a regular penetration tester to a senior penetration tester.  
Another thing that would help transition a penetration tester to senior status would be to have years of experience doing different types of penetration tests, whether it's network penetration testing, web application penetration testing, API penetration testing, or ICS SCADA or IoT penetration testing. Someone that has well-rounded skills that they can actually talk to would help them transition from a regular penetration tester role to senior penetration tester role. Somebody who is well-rounded in all aspects of penetration testing can actually help them transition from that role to the senior status.  
And those are the two things I think you need. Once you have that in your background, once you have that experience, you can actually transition to that role and become more of a manager, which I don't know many people are wanting to be a manager of a team. They want to just pen test.  
I see that in a lot of places, including my own current situation, where I see we have a pen tester there that all he wants to do is do penetration testing. And I understand that. But you have to eventually be a manager, learn how to do reports.  
Report writing is crucial. You've got to really have that down pat and learning how to write ROEs, rules of engagement, and SOPs, standard operating procedure for all your penetration tests. So those things are annoying to do, but they are a necessity in this field.

[Kyser Clark] (26:08 - 26:20)  
Right. Yeah. Report writing, especially if you work for a client, that's the product that you're delivering. And I definitely agree with you there how important report writing is.

[Val Vask] (26:20 - 27:31)  
Especially as a consultant. I've been a consultant for several years with different companies. And it's a difficult challenge because you're with different customers with different environments every single time.  
And every single time it's a new challenge. And so the report is what is the commonality between all those different clients. The report represents who you are and what you're trying to say.  
And it represents the impact that your penetration testing is doing for the organization. I like to say personally, I like to say that I don't get paid to do penetration testing. I get paid for the report.  
I've heard that before somewhere, but I don't know who I can attribute that to. But that's something that I've maintained for many years. It's a maxim that I've used for many years.  
And I maintain that that is really the key feature that really differentiates you from other penetration testers.

[Kyser Clark] (27:34 - 28:00)  
So as a team lead of penetration testers and red teamers, I'm assuming your technical skills are like they start to deteriorate. Is that a bad thing? Is it important to keep your technical skills sharp when you're in a leadership type position?  
Or is it okay to let them deteriorate a little bit and focus more on the management aspect of pen testing and red teaming?

[Val Vask] (28:01 - 29:38)  
So you're right. They do deteriorate. My skills atrophy a little bit.  
But I maintain my skills. It's unfortunate, really, because you only have eight hours in a day to do your actual job. But in order for me to maintain my skills, I have to do extra hours and do hack the box or proving grounds from OffSec.  
And I have to maintain those skills there. But I don't think that you should let your skills atrophy too much. You need to maintain a stable relevance to your specific field.  
And it's hard to lead without having that knowledge and being able to represent your team on technical exchange meetings or any other type of executive meetings without knowing the material very well. So it's okay to let some of your skills atrophy a little bit or kind of go down a little bit. But you can't let them go down a lot.  
You got to keep those skills up. And unfortunately, when you're a manager, you rarely have time during your regular eight-hour day to maintain those skills. So you have to look at the weekends or after hours to actually maintain those skills.  
I hate to say that, but that's an unfortunate truth.

[Kyser Clark] (29:39 - 30:10)  
Yeah. I mean, it makes sense to me. And yeah, I do.  
I mean, I'm not a manager, but I do aspire to be a leader. And I do not want my technical skills to go away because that's kind of what got me in the field to begin with, was my technical skills. And the technical aspect is one of the more fun aspects, in my opinion.  
So yeah, I can see what you're saying there.

[Val Vask] (30:11 - 31:18)  
I will say that for what I do right now as a leader, as a manager, and for what I've done in the past, a big part of being a manager was actually doing training. And I was a lead adjunct instructor for University of Michigan at one point for ethical hacking. And I used my skills as a teacher to train my teams and maintain my skills by training.  
By teaching, I actually reinforce concepts that are used over and over again in penetration testing. So that really helps me out a lot. And a lot of times, you don't have a team of senior penetration testers working for you.  
You have a team of junior to mid-level penetration testers. So you have to do training. And so that really reinforces the concepts so that they don't atrophy.

[Kyser Clark] (31:21 - 31:33)  
Okay. So we're running out of time. So I'm going to direct your attention to our final question. Do you have any cybersecurity hot takes or hidden wisdom you'd like to share?

[Val Vask] (31:37 - 33:57)  
Hot takes or hidden wisdom. I would say there's several things that I'm thinking about. But one of them is when you're learning and when you're training, you should train to learn new techniques and to become better at your job rather than training to complete or certify in a specific course.  
You want to ultimately certify. You ultimately want to get a certification. CRTO, OSCP, those are the big ones, I think, for me.  
I like CPTS as well. But you ultimately want to learn new techniques and become better at your job. And then through that process, you can actually certify in the end.  
Because if you're just learning to pass an exam, you're not really retaining that information and you're not really using the logic behind the attacks that you're trying to employ on your penetration test or your red team engagement. So I would say learn, keep on learning, and learn to become better at your job. Because in the end, that is what you're trying to do is be a better penetration tester, red teamer.  
And if you do that, the other certifications will come by. I mean, you'll get those certifications. And the other thing I want to mention is be a good note taker.  
Use a note-taking app. There's several apps out there. There's Obsidian.  
There's Notion. And there's another one called Capacities. I started out, when I started out, I used CherryTree.  
But not many people remember CherryTree and not many people are fond of CherryTree. But I did start out with that. I have so many notes on CherryTree, I'm still converting them to Obsidian and Notion and Capacities for different reasons.  
I use different apps. But be a good note taker. And try to write down your techniques in a logical manner so you can refer back to them in the future when you're actually doing a penetration test.

[Kyser Clark] (33:59 - 34:49)  
Wow, that was actually really good advice. Because, you know, I heard you said, like, don't train to get the certification. Train to get better at your job.  
And I think that's really powerful. Because honestly, like, admittedly, like, I think I fall in that trap sometimes, too. I'm getting this next cert.  
And then, you know, you train to get the certification. And then, I guess, from my perspective, it's like, oh, I train to get the certification. And then I figure out how to apply that to my job.  
And, you know, maybe I look at it the wrong way. Maybe I need to get better at my job and then apply that to the certification. So I'm definitely going to rope that advice right into my training and into my job.  
So I really do appreciate you for that. So, yeah, that was the final question. So, man, what a good hidden wisdom.  
I appreciate that. So if the audience would like to get a hold of you, what's the best way to do that?

[Val Vask] (34:55 - 36:08)
If the audience, you're asking me if the audience wants to get a hold of me? Yeah, if they want to connect with you. Oh, they can connect with me through LinkedIn.
I don't know my LinkedIn offhand, but I'm sure you can post it in there somewhere. But it's Val Vask. And you can find me. I think I'm the only Vask on LinkedIn.
And LinkedIn will be the best way to get a hold of me. And I'm more than happy to connect with anybody and talk about penetration testing and red teaming. I connect with a lot of my peers already through LinkedIn and through hacker associations.
I actually belong to Fredericksburg Hackers over in Virginia. And that's a really, you know, becoming part of an organization, of an association of penetration testers and hackers. It's a really good thing to do. But ultimately, either get a hold of me through LinkedIn or through Discord.
I'm Cracker Jacks. And you can look up Cracker Jacks with lead spelling. And you can find me there as well.

[Kyser Clark] (36:10 - 37:04)
Awesome. Yeah, so for me, for the audience, as I close out here, so the best way to get a hold of me is also LinkedIn and my website, kaiserclark.com. Val, thank you so much for your time today.
I really do appreciate it. It was a great conversation. Unfortunately, we are out of time.
I really do appreciate you taking the time and doing this discussion with me. And I'm confident that the audience will appreciate this conversation as well. So yeah, audience, definitely connect with me on LinkedIn and check out my website, kaiserclark.com.
And whatever platform you are consuming this episode on, do me a favor, leave a review. I really value constructive criticism and feedback. So let me know what you want to see on the show going forward.
And hopefully, I'll see you on the next episode. Until then, peace out, take care, have a good one. Kyser, out.

People on this episode