John Jackson has been working in cybersecurity for less than five years, but already has several significant wins under his belt.
After five years as an engineer in the Marine Corps he founded white-hat hacker collective Sakura Samurai, which last year discovered git directories and credential files within United Nations infrastructure that exposed more than 100,000 private employee records.
On a roll, the group soon after publicly disclosed vulnerabilities within the Indian government that allowed them to access personal records, police reports, and other hugely sensitive data, along with session hijacking and arbitrary code execution flaws on finance-related governmental systems.
Jackson's other notable successes have included the discovery of a vulnerability in the Talkspace mental health app and two serious bugs in Chinese-made TCL brand televisions.
In a follow-up to the first part of our two-part feature on becoming a pen tester, we asked Jackson, now senior offensive security consultant at Trustwave, about his achievements, his love for pen testing, and the skills that would-be penetration testers need to succeed.
Daily Swig: How did you get into pen testing?
John Jackson: My story's a little non-traditional. I didn't grow up as a computer nerd. I was actually going to college for philosophy at CU Denver when I got a phone call from a recruiter and he asked me, hey, do you want to be a hacker?
I went through a boot camp and by the time I got to certified ethical hacker level I was actually helping class members learn, because I had done so much self-study on my own as I was just so excited.
I got recruited by TEKsystems as a contractor to go and work for Staples, initially as a cybersecurity engineer, and after the first six months there, they switched me to endpoint detection response. I went from application security engineer to senior applications security engineer for Shutterstock and after that, I went to Trustwave.
I was still hacking on my own time doing ethical hacking, and I established a group at the time called Sakura Samurai.
DS: What's the best way to get into penetration testing?
JJ: There's not a linear path. When I was getting into it, they [the industry] didn't have as many certifications as they do now, and they also didn't have as many materials, but nowadays they have things like Hack the Box, which can be a good way in.
I think there is no definitive skill that makes you a good hacker – it's not so much a skill but a mindset. It's endless curiosity.
If you're not the type of person that likes spending a lot of your free time learning then it's not the best field for you, because you're always going to have to improve, and it's very difficult to improve if you're not continually learning, and a lot of the time that's on your own time.
DS: What are your favourite things about your job?
JJ: One of my favourite things is the ability to hack so many different things. I've done ATM hacking, I've done phishing and social engineering, and then I moved into red teaming where the scope is a lot larger, and you have a lot more control over how you hack the organizations because you emulate advanced persistent threat actors.
Pen testing is amazing because I'm always learning – it really keeps me going and keeps my brain fresh. I don't get bored because every day is new.
DS: And the worst?
JJ: A lot of non-technical people are sometimes involved in setting up and arranging pen tests and red teams, and sometimes they under-scope the assessments and take a very check-in-the-box approach to pen testing.
I think that that's bad for everyone involved – it's bad for the pen testers because you're limited to such a narrow scope of what you can and can't do, and it's bad for security because in reality it's just not realistic. A criminal hacker is not going to stop and say 'you know what, this domain's out of scope, this technology's out of scope, I'm not going to mess with that'.
Pen testers are highly technical and sometimes you're dealing with people that are more salesy or C-level, and you have to explain why it matters – and that can be tough.
DS: What's the most enjoyable project you've ever worked on?
JJ: I think my favourite project was a bank that wanted a red team with a scope of pretty much everything. That was a lot of fun, because I got to use the expertise I had to think outside of the box and use some of their own platforms to abuse their company.
They were blown away because they didn't expect to see this or that service get abused, so I felt kind of proud doing that. [It felt like] finally someone appreciates that outside of the box thinking.
DS: And the most serious?
JJ: With the UN, with my group Sakura Samurai, we found GitHub credentials. We used the GitHub credentials to download the organization's internal GitHub code and then, going through the code, we found over 100,000 lines of employee information. It was insane. That was definitely pretty scary.
The Indian government hack was crazy too – that was on another level. We found a lot of vulnerabilities – credentials, remote code execution, you name it. We were just going in and gave them a very extensive report, and actually coordinated it with DC3 [Department of Defense Cyber Crime Center] to help us disclose, because we were so worried about how much we found.
DS: What are your thoughts about bug bounties?
JJ: I've got a lot of complaints [about] bug bounty [programs], the biggest one being that you have to sign non-disclosure agreements when you submit these bugs, and sometimes that's a moral conflict because you'll discover things that are really bad. I was a blue teamer for half of my career, so when I find these certain types of bugs in bug bounty programs it's unnerving because I know they're not going to handle this how they need to handle this, they're going to try and sweep this under the rug.
I moved towards vulnerability disclosure programs because you give them time to fix it and then you can disclose the bug that you found. I think that all hackers should try some vulnerability disclosure because it really just gives you a chance to get your hands on hacking a lot of things at once and then go through the process.
DS: What are you working on now?
JJ: Right now, I'm working on another red team engagement. We're on the internal phase, so the phase of just being inside the organization and looking for security vulnerabilities to see what we can and can't do, how far we can go.
It's always exciting. I love doing it, as this just really combines a lot of elements of hacking – network hacking, web hacking, and then the social aspects like what type of technologies do people use, and how can you abuse that internally?
A good example that I can say on record because it's very obvious is Office 365, using Microsoft products to get more passwords or access to the organization, so that's what I'm dealing with right now.
DS: What careers could pen testing lead on to?
JJ: I definitely have moved towards red teaming more, which is just a different form of pen testing. But I'd say for me red teaming and pen testing is the end of the line.
You could spend your entire life as a pen tester, absolutely, but I think a lot of people in the different client environments have shifted into a model of wanting pen testers to do more threat emulation – specific goals like 'steal our credit card data, steal our employee accounts'.
The reality is it's just endless, and there's always something bigger you can aspire to. So if you're a pen tester maybe [the next step is] senior pen tester, if you're a senior pen tester maybe it's to go to offensive security consultant, moving into red teaming. I think shifting into red teaming is the end goal for a lot of people.