Pentesting OT environments
Ahmad Abbes is specialized in penetration testing in the industrial sector.
Did you always want to become a pentester?
Not really. I graduated with an Information Science and Technology degree. At the time, I had no idea what I wanted to do for a living. I decided to go to an engineering school and gradually specialized in computer science. Thanks to my circle of friends, fellow students who had just returned from internships or former students, I discovered cybersecurity and, more specifically, pentesting.
In their stories, what appealed to you?
I was fascinated by the very idea of penetration testing. Reproducing the behavior of a hacker, but legally, it’s an original concept. I also liked the idea of helping a company, of bringing technical expertise while keeping the initial approach of ethical hacking.
You joined Orange Cyberdefense* in 2016 as a graduate intern. What were your missions at the time?
The first two months were dedicated to training. Then, I worked on intrusion tests in an industrial environment. This was the subject of my thesis. I helped the team to create methodologies and identify precise control points. Finally, I accompanied senior pentesters in their missions. This last phase allowed me to practice the knowledge acquired during this internship in a professional context.
Why did you specialize in industrial cybersecurity?
I already had some knowledge about automatons from my bachelor’s degree. Also, industrial cybersecurity requires a particular approach: most of the equipment is aging and not very resistant to attacks and, therefore, intrusion tests. Our technical audits are capable of putting the machines out of order, which is not an option. In any case, production must continue. So we have to innovate, find other ways of doing things.
The industry sector is currently very dynamic: more and more industrial groups want to improve their security level and call on companies like Orange Cyberdefense to help them in this process. The stakes involved in securing industrial assets are crucial: a “real” attack on a nuclear power plant or a hydraulic dam can have devastating consequences.
Did the image you had of the pentester’s job at the time correspond to what you experience today?
The stories I was told about the job were very similar to what I experience today, especially on the technical side. What I hadn’t anticipated were the other tasks: pre-sales meetings, sales proposals, etc. We take care of everything that happens before and after the intrusion test. Our expertise has to go hand in hand with each client’s needs so that we can be available at the right time. So part of our job is also project management. Today, I appreciate this cross-functional approach to all the stages of a penetration test, from the qualification of the needs to the final report.
Today, what is your daily life like?
No two weeks are alike. My missions are very diversified. It can be a penetration test on a mobile application, a commercial website, the internal network of a customer, and more original services like educational phishing campaigns or intrusion attempts in the premises of a customer.
I am also a trainer in intrusion testing. I accompany young profiles in their rise in skills on technical subjects. I also lead dedicated training sessions for our customers to introduce them, through practice, to the joys of penetration testing.
What do you like most about your job?
There isn’t any mission that I like more than another. I especially like the fact that I can vary and go from one to the other. My weeks are not the same, and I am attached to this plurality.
I particularly enjoy sharing knowledge: whether it’s at a customer’s site after helping them improve their security level or coaching the younger members of my department, I love discussing and passing on technical subjects.
If you had to describe the culture in your department, what would you say?
The culture is relatively young: most of us are between 25 and 30 years old. There is an excellent understanding, which is important because we work very much together. Sharing knowledge is very important: this is one thing that struck me the most when I arrived. Every time a pentester returns from an assignment, he or she passes on what they have learned, the new techniques they have discovered. The missions are often done in pairs, allowing us to increase our skills on unique subjects. Recently, one of them allowed me to learn about code auditing.
What advice would you give to someone who wants to become a pentester?
You have to be persistent, not afraid to spend time investigating, looking without getting discouraged. Recently, it took me three days to exploit a vulnerability. I knew I would find a way; I didn’t give up. Motivation is essential because pentesting is, above all, a job for enthusiasts.
Also, you should not be afraid to start with a modest technical level. Internships allow you to increase your skills quickly, you are immersed in pentesting. Even without realizing it, you learn just by being in contact with others.
Following the acquisition of Lexsi by Orange Cyberdefense in 2016