On 2024-01-08
Cybersecurity

Cyber insights: Pentest and Incident Response

Pentest and incident response interview

Today we asked Felix, Penetration Tester, and Philipp, Cyber Security Incident Responder, to talk about their jobs and how they work together day to day.

Read Felix and Philipp's insights on their jobs at Airbus Protect.


Being cyber experts at Airbus Protect.

Can you explain your job to us?

Felix: As a penetration tester, my job is to simulate cyber attacks on systems, networks, or applications in a controlled environment to uncover vulnerabilities before others do. Therefore, techniques used by real attackers are performed to first identify and then exploit vulnerabilities. However, since it is our main focus to strengthen an organisation’s security, there are rules for every mission to prevent disruptions of systems. At the end of each penetration test, identified vulnerabilities are analysed and a report with recommendations for their mitigation is created and handed over to our customers.

Philipp: With Felix simulating an adversary, my job is to defend against attackers. I am a Cyber Security Incident Responder, meaning my role can be explained as a firefighter for cyber attacks, called incidents. This includes containing ongoing breaches, analysing the extent of an attack, including the tools used, and restoring operational status for customers as fast as possible. As a result of this, there are quite a lot of overlapping topics for penetration testers and incident responders to converse about. In times when there are no incidents, we incident responders focus on maintaining our toolset, keeping up to date with recent events in the cyber world, and training as well as consulting clients on measures focused on the hardening of their systems.

 

How do you stay up to date with the latest vulnerabilities?

To keep up to date we follow various security experts (@vxunderground, @_RastaMouse, @cyb3rops, etc.) on Twitter, now X. There are also various blogs that are focused on cybersecurity news, and the Airbus CERT newsletter, which we are subscribed to. Researching the latest developments is usually our first activity of the day while having coffee.

 

What motivated you to work in pentesting/IR?

Felix: At some point during my computer science studies, I discovered Capture the Flag competitions, which are probably the entry point for almost every penetration tester. Here you try to compromise vulnerable machines in a legal environment in order to capture flags and score points. You quickly realise how much knowledge is required to be successful and lose yourself in hours of research until you have identified and exploited a vulnerability. The fact that you’re always coming across new technologies and have to constantly develop yourself further made me decide that I wanted to do this professionally as well.

Philipp: I must agree, the fact that the whole field of IT security is ever changing and evolving was the selling factor for me as well when I decided what I wanted to do in life. Furthermore, a thought similar to Felix's got me interested in malware: the urge to know how to overcome systems and security measures, but with the twist that I like to learn first-hand from the tools attackers use in the wild. Eventually, during my time at university, I started working as a malware analyst for a small company. After finishing my master’s degree, I learned that incident response teams require this capability in order to properly resolve incidents. This meant that moving to incident response offered the opportunity to broaden my skills while being able to hone what I had been doing beforehand.

 

How do pentesters and incident responders work together?

Felix: There are many touchpoints between Penetration Testing and Incident Response. For example, in order to obfuscate custom malware, our pentesters use different techniques to hide suspicious behaviour from AV (antivirus) and EDR (endpoint detection and response) software.

Philipp: Some of our incident responders like me are specialised in malware analysis, meaning I can analyse the custom malware. This supports the penetration testers in order to make their malware more stealthy, and thus more successful. And in return, this is a great training opportunity for both parties involved.

Felix: In addition, we are creating a dedicated infrastructure where we deploy both offensive and defensive tools. On the offensive side, for example, Command & Control servers are used to manage Red Teaming operations.

Philipp: On the defensive side of things, custom sandboxes are needed, for example, as a standardised environment in which to safely execute malware. But in the end, both teams use this infrastructure to host file shares and communication services for cases where sensitive customer data is not allowed to be in contact with the Airbus cloud infrastructure. Due to the highly confidential nature of our work, this is more often the case than one might think.

Felix: Coincidentally, both of us are administrators of this infrastructure, which greatly increases cooperation between us. Generally speaking, we can learn much from each other, since the red team (PT) is always trying to get around defence mechanisms and the blue team (IR & SOC) is always looking for new techniques used by attackers in order to detect and prevent them.

 

What OS do you prefer working on the most? Why?

Felix: That highly depends on what I am working on. For penetration tests, I am usually using Kali Linux, since this distribution brings most of the common penetration testing tools with it and the setup phase for a penetration test is fast. For the development of custom malware, which we are using for customer projects to evade defence systems, I am using Windows since it must also run there in the end. Also for daily organisational work, I mainly use Windows. In the end, both operating systems are essential for my daily work.

Philipp: In general I would prefer a Linux-based OS for my day-to-day work, but so far, and also due to the Airbus work environment, I have found Windows to be the better fit for the tasks at hand. There are some great tools that are indispensable for analysis purposes but only available for Linux, though. On the other hand, most customer systems, as Felix has pointed out, are Windows-based. The result is that I am using a Windows PC that hosts an intertwined network of virtual machines running both operating systems.

 

Why Airbus Protect?

Felix: What I appreciate most about Airbus Protect is the team spirit and the really good working atmosphere. The projects, which currently mostly take place within the Airbus Group, are also exciting and challenging.

Philipp: The strong name of Airbus drove me to apply to this company initially. Yet I must agree, my coworkers are just a joy to work with, thus creating a smooth setting in the office.

 
