Would you believe that one of the IBM X-Force Red team’s “celebrity hackers” had never physically touched a computer until he was 18 years old?
Dimitry Snezhkov grew up in Ukraine in the 1990s, and his early education didn’t include access to real computers. His “informatics” class consisted of the teacher drawing a keyboard on a whiteboard and showing the class various commands. When they were ready, they graduated to the lab where the teacher would let students watch as he used a single computer.
When Dimitry moved to the U.S. almost 20 years ago and took an English as a second language class at community college, he experienced a major culture shock. When he handed in his first essay, his teacher rebuked the “handwritten note,” telling him to go to the lab and type it out. Dimitry had to give himself a crash course not only in Microsoft Word, but also in the basics of typing, deleting, saving and more — things we in the U.S. take for granted having grown up around technology.
“I chuckle because I have to teach my grandma the same thing now,” he said.
Today Dimitry believes that learning a system incrementally can feed your curiosity. After teaching himself the fundamentals, he started to think about how the computer itself operated, how to get online, how to chat with people and more.
“Sometimes you want to have more functionality out of that system, so you start tinkering to see how you get there,” he explained. “And this is what you face with security: restrictions, access control, things that prevent you from accomplishing your goal. This is where the true sense of security starts coming out and you’re actually tinkering with things and getting answers. We see a limitation and start lifting those limitations to try to learn more about them.”
Why Penetration Testing Is Becoming Mainstream
Dimitry takes this same approach to testing customer security as part of the X-Force Red offensive security services team. With his teammates, he is responsible for everything from initial scoping all the way to client-facing delivery of the test and resulting documentation. He enjoys bridging the gap between his customers’ limited understanding of security and what the testing entails.
“I think over the years, pen testing has become a little bit more mainstream,” he said. “Before it was maybe more esoteric, only employed by companies who had a lot to lose. Also, the attacker would usually have direct monetization interests in penetrating and compromising systems.”
Today, though, as companies move more and more to digital systems, they must protect intellectual property, customer data and more from an increasingly automated onslaught of attacks. Dimitry believes that anything his team can do to illuminate the path of least resistance to a compromise can help customers home in on their vulnerabilities — especially when they may be dealing with legacy systems they’ve forgotten about or processes that have become second nature to those in-house.
“I think learning on your feet is a big deal,” he said. “When we’re faced with an unknown system, we don’t have any knowledge as to what production mechanism it has, who’s watching our steps, what the context may be. We use tools in our team as a litmus test on how applications or networks — or even humans, as we do a fair bit of social engineering in our testing — how those entities that we operate with respond when you probe. We probe and we get a response and we move further.”
A Delicate Dance of Offensive and Defensive Security
Dimitry spends his time probing systems to figure out how they are put together, then prodding further to see what’s wrong with them. But even with an increasing amount of automation — on both the offensive and defensive sides — he stressed that you still need to have an analyst watching and collaborating.
“Automation is something that has to be natural to a team like ours because there’s just no way we can test everything manually from the start,” he said. “We need to cast a wide net to be able to probe where the vulnerabilities are, because in today’s day and age, if you are testing a system and you have come up with a way to compromise that system, it’s almost guaranteed that somebody else on the other side of the world has already done that or is working toward doing the same thing.”
The automation helps testers keep up with attackers and put up defenses more quickly and effectively. It’s a delicate dance — a balance of push and shove, thrust and parry. Even knowing that, you may not have guessed that this logically minded, technology-driven tester is also a partner in a holistic medicine school.
“I have to balance things, and I do think that the idea of yin and yang is very powerful,” he said. “You have to be able to balance and draw on different sides of experiences in life.”
Dimitry uses meditation to help him see the bigger picture, reflect and remain calm in a very demanding role where he’s constantly thinking on his feet.
“I would like people to be open to an alternative mindset,” he said, “be open to looking under the hood, be open to collaboration and be open to full-scope testing.”
To Dimitry, a little mindfulness can go a long way toward helping security professionals and penetration testing experts like himself stay focused on the most pressing threats and think creatively to stay one step ahead of ever-evolving attackers.