EC-Council invested heavily in research on penetration testing requirements, standards, and skills with the aim to create a new, hands-on penetration testing program and certification that would represent real world skills demanded by enterprises today.
The expectation was to create a penetration testing certification like no other – a 100% hands-on, proctored certification exam that would require candidates to demonstrate skills that are in demand in the global landscape today. What we uncovered in this process is that many of these skills, which are deemed to be fundamental in nature given the rapidly advancing and evolving tech landscape, are worryingly missing in many penetration testers today. Skills such as advanced Windows attacks, accessing hidden networks with pivoting, attacking IoT systems, double pivoting, evading defense mechanisms, bypassing a filtered network, attack automation with scripts, weaponizing exploits, pentesting operational technology (OT), and writing professional reports seemed to be the exception rather than the norm.
We identified these gaps during the recent CPENT Challenge, where we invited industry practitioners who had the requisite qualifications (at least, on paper) to take the CPENT exam. Unfortunately, they could not even get through the initial stage. This underlines the alarming inability of the testers to deal with a commercial-grade, industry-specific, filtered environment as opposed to a “capture the flag” type of exam.
Let’s discuss the skills gaps that we discovered in the penetration testers who helped beta test our CPENT exam. Most of them hold what they describe as “hands-on industry certifications in penetration testing.” CPENT was built to go beyond the basics, and as such, we built challenges that are based on real-world engagements. These are the skills that every organization should look for when they hire team members.
6 CORE SKILLS THAT
BACKGROUND OF THE CPENT EXAM
The initial planning started in March 2020. The EC-Council team created a draft of the skills the industry would want in someone they hire for an engagement, and then, while this plan was under review, we built a network design based on one of the real-world assessments that my team and I had completed in the past for a large company. This assessment was unique because it required knowledge and skills across a wide variety of topics. We set out to create a program with never-before-seen components, including the industry firsts of binary analysis and exploitation, IoT firmware analysis, SCADA, and OT, as well as single and double pivoting.
We understand that this is different and hard, but that is how we designed it. For us, the key to a great tester is someone who can analyze what the network shows them. This is a required industry skill. Professionals analyze the network and determine what is present. Once you have done that, you can go deeper. The CPENT exam is not a CTF-style exam. Trying to anticipate what the CTF designer did will not get you anywhere, as this is not how things are in the real world.
So, what do we mean by “go deeper”? In the CPENT exam guide, we have provided tips that help you use what the packets show you to design your strategy. In industry testing, we have to analyze the network and look for the attack surface. The CPENT exam also requires this at a deep level.
THE BASICS BEFORE YOU TEST
We know methodology gets a bad name, but every professional tester who is successful has a systematic approach to testing. To be successful in the CPENT exam, here is a high-level overview that may help you: