Elizabeth J | Senior Advanced Intrusion Testing Specialist | Finance Sector | London
Tell us about your journey into the Cyber Security industry
After taking my A Levels, I studied English Literature and Philosophy at university (nothing at all to do with computing or cyber security)! Outside of my studies I gained a strong interest in ethical hacking and computing after becoming increasingly aware of the extent to which so much of our daily lives are online, from bank account access to the supply chains that keep us fed, clothed and healthy which are all managed through information technology. This led me to pursue a career in cyber security after leaving university. My first job after university was as a junior software tester at a software development company. I then moved into the finance sector, where I have held a variety of security-focused roles including Cyber Security Engineer, Cyber Security Strategy Manager and my current role in a red team which I have been in for three and a half years.
Tell us about your current role
I work in a red team, where our objective is to run realistic cyber-attack scenarios to test the defences of the company. We run controlled ‘ethical hacking’ exercises that simulate the approaches that real attackers would use when targeting companies.
The objectives of our tests are shaped by intelligence about real world attacks and tests incorporate the entirety of the organisation’s infrastructure and security controls. We don’t only look at the technical controls, we also actively test the company’s physical controls, their people and their processes. At the end of the exercise, a report is produced detailing the findings and advising about how to fix any weaknesses.
Red team exercises are typically unannounced. The company gives formal authorisation for each red team exercise that is carried out, but to ensure that the test is as realistic as possible only a small handful of people in the company will know that the test is taking place. We also run what are called purple team exercises. These are announced tests where the red team performs attacks while the defensive team is actively watching which elements are and are not detected.
What does a typical day look like?
Whilst exercises do tend to follow a similar pattern – gathering threat intelligence, planning the exercise, carrying out the exercise, then closing the exercise and writing a report – no two days in this job are exactly the same. The cyber security threat landscape is continually changing. New research, testing methodology and tools are continually being released. This means that things don’t ever get boring.
My team has a diverse range of skills. On an average day, some testers may be at their keyboards building and configuring the testing infrastructure. Some testers may be out and about, looking for any potential points of entry into the company’s buildings. Other team members may be in the office speaking to stakeholders to communicate the test results and give them advice about how to fix any weaknesses that were found.
What would you say are the 3 most important skills you use in your role?
I would say communication, teamwork and curiosity.
Communication – you need to be able to articulate what you’ve found and explain why people should care about your findings and potentially spend their money to fix them. I’ve found that written and verbal communication skills are very important.
Teamwork – solving security problems doesn’t happen in a vacuum. The ability to collaborate and value everyone’s views makes for a great red team.
Curiosity – curiosity about every aspect of technology and the ability to look at a system or a problem in an unusual or creative way is invaluable as a member of a red team.
Hak5 tools that are used in testing. Hak5 is a specialist vendor of testing equipment which produces a range of tools that we use, including the USB Rubber Ducky which made an appearance on the TV series Mr. Robot.
What is the best thing about working in the cyber security industry?
For me, the best thing about working in the cyber security industry is the opportunity to continually learn new things. No two days are the same and there are always new challenges to overcome and new things to learn and try out. In addition to this, it’s very rewarding to work in a team that helps to keep data safe and secure.
What are your longer-term plans, aims and goals within the Cyber Security sector?
I love what I’m doing and my plan for the future is to continually build my skills and further diversify my skill set.
I will also continue to encourage more people to consider a career in cyber security. I’m passionate about sharing my interest in red team testing with others, for example through this initiative led by the UK Cyber Security Council, to ensure that we have a diverse cyber security talent pipeline of people entering the industry.
What advice would you give to others thinking about pursuing a career in cyber security?
There are a lot of free resources available that can help you get started on the path to understanding more about cyber security and which area of cyber security you might be interested in pursuing as a career.
As a first port of call, The Open University developed an eight-week course called ‘Introduction to Cyber Security’ which is available on the platform FutureLearn. This is a great course covering the essentials of cyber security and I would recommend it as a good starting point to learn more about the field.
If you’re interested in learning more about security testing specifically, I recommend checking out some of the following free resources: Hack The Box (virtual hacking labs), TryHackMe (hands-on cyber security training), MITRE ATT&CK framework (a knowledge base of adversary tactics, techniques and procedures based on real-world observations) and YouTube resources, for example IppSec’s training videos.
These are just a starter for ten – there’s a wealth of information out there!
What do you like to do in your spare time?
In my spare time, I love travelling, reading and taking part in capture the flag competitions (CTFs). CTFs come in several different flavours but typically involve ‘capturing flags’ by solving various security challenges. The flags are usually random strings embedded in the challenges. They’re lots of fun and there are some good prizes to be won!