Josh Fruhlinger
Contributing writer

10 essential skills and traits of ethical hackers

Feature
Oct 26, 2021 | 13 mins
Careers, Hacking, Penetration Testing

Learn just what it takes to snag this demanding and rewarding job.


What if you could spend your days trying to gain access to other people’s networks and computer systems—and not get in trouble for it? Of course, that’s every spy and cybercriminal’s dream, but only ethical hackers, also known as white hat hackers or penetration testers, can feel sure that they’ll get away with their break-ins. These security pros are hired to probe systems for vulnerabilities, so that their targets can figure out where their security needs beefing up.

At one time there was some doubt in the industry as to whether hacking could ever be ethical, but today this is an accepted practice. Industry certifications are available for those looking to prove their talents, and companies put together so-called “red teams” of pen testers in order to constantly maintain their security posture. It’s a job that requires a very particular set of skills, both hard and soft. We spoke to a number of ethical hackers and those who work with them to find out just what it takes to snag this demanding and rewarding job.

Hard skills

While some penetration testers specialize in particular areas of technology, most are broad generalists: after all, there’s no telling what aspect of a target system or network will provide a means to force a breach. So, anyone with plans to enter this field needs a broad range of knowledge about technology, though don’t fret if you don’t have a master’s degree or deep book knowledge: hands-on knowledge gained from tinkering and experimentation will be your most valuable resource. That said, our experts provided a good list of technologies you should be comfortable with when starting your journey as an ethical hacker. 

System and database administration. A penetration tester needs to know everything about the systems they’re trying to breach, and many ethical hackers emerge from the sysadmin world. Jim O’Gorman, president of Offensive Security, says pen testers should be familiar with general Unix, Linux, and Windows administration, as well as SQL and database interaction.

Scripting. “The ability to automate parts of your workflow or attack infrastructure is crucial,” says Jordan LaRose, Director at F-Secure. “Many attack techniques rely on floods of requests or very repetitive writes to a file, so automating that can save you a ton of time and sanity.” Scripting skills “are especially useful in the Windows world,” says Andrew Useckas, CTO at ThreatX. “PowerShell scripts are a good way to circumvent endpoint security tools.”

Coding and software development. Understanding how to write application code—and the processes by which that code is written—can be the key to finding its weaknesses. “Many of the top white hatters cut their teeth in the world of software development and it makes a lot of sense,” says Elad Luz, Head of Research at CyberMDX. “Being on the development side provides insight into building a product and exposes the developer to a variety of different tools and software. Perhaps most importantly, he or she can enter the mind of the developer and understand what challenges they faced.”

Networking. If you plan to breach a target network, you need to know how networks work and the trickiest ways to navigate around them. “Have a basic understanding of the different types of protocols and the network layers and operating systems,” urges Colin Gillingham, Director of Professional Services at NCC Group. Yaroslav Babin, head of web application security at the Positive Technologies SWARM Team, says that in particular you should focus on “internal networks and principles and features of the Active Directory service, since most corporate infrastructures are built on Microsoft Windows.”

Web application design and vulnerabilities. Web apps provide a common means of entry into target infrastructure, and Babin says pen testers should “have a solid background in looking for web vulnerabilities. This includes not only knowledge of the most popular vulnerabilities, but also experience in their exploitation, and understanding of what each of the methods of exploitation can allow—for example, SQL injection can provide not only access to the database but can also allow you at times to remotely execute commands on a node.”

Hacking tools. There is a huge range of tools and utilities out there for pen testers to use, many of them free and open source. They can be deceptively simple to get started with—but an expert pen tester will understand their nuances. “New people in the industry often get lost and run automatic analyses without setting up a proper configuration and reporting false positives,” says independent cybersecurity specialist Daniel Kirchenberg. “It is necessary to test the results as well before wasting time. Understanding how your tools work might end up saving hours and even days of work.”

Soft skills

You probably would’ve guessed that an ethical hacker needs a wide range of technical skills to properly run penetration tests against target systems. But the pen testing pros we spoke to emphasized the wide range of soft skills and personality traits that they thought were essential for the life of an ethical hacker. Most tech skills can be taught, but many of these traits are more a question of how you think rather than what you know.

Passion. Perhaps the most common response we got from all the experts we spoke to is that an ethical hacker must be intensely curious about how systems work and love hacking for its own sake. “People in these roles have to have the DNA to want to break things apart and find out all the different ways they can do things,” says Tammy Kahn, CEO and co-founder of blockchain consultancy BTblock. “More importantly, they have to do it because they love the breaking, not for monetary gain.”

That passion can be tested on particularly tricky assignments, so an ability to persevere in the face of setbacks is a must. “Penetration testing is definitely not an exact science, and it will often take many tries and iterations before you manage to break into something,” says F-Secure’s LaRose. “You need to be persistent and not afraid to try crazy ideas.”

That said, pen testers also need to be able to (in the wise words of Kenny Rogers) know when to fold ’em and walk away. “Hackers need to maintain an attitude of confidence to push forward in a seemingly futile effort, but must also periodically ask themselves whether they are going in the right direction and not let ego get in the way,” says CyberMDX’s Luz. “It’s a good thing to not be intimidated by failure, but you should also be willing to discard research that you have already invested a significant amount of time in if you aren’t seeing progress. Knowing when to stop is as important as perseverance in some scenarios.”

And an ethical hacker’s passion and curiosity should mean that they’re always learning about new developments in the industry and improving their skillset. “You’ll often hit a brick wall and need to learn a new technique, or you’ll need to research the person or company you’re targeting thoroughly to determine the best way to attack them,” says LaRose. “Much of the time on a penetration test is actually spent on developing these new skills or performing intelligence gathering on your target.”

“Code practices change, new languages arrive, new frameworks get released, some get updated, apps as well get updated, and this means only one thing: you have to continue learning to continue performing your job,” adds Kirchenberg.

Cleverness. Another thing most of our experts agreed on: pen testers need to “think different,” going beyond book smarts about computers and instead using lateral thinking to approach the problems they face in breaking into target networks. “At the core of the ‘soft skills’ is the ability to think off script,” says Doug Britton, CEO of Haystack Solutions. “You need to be nimble, audacious, and creative.”

Ethical hackers “need the ability to think outside the box to be able to find a system’s edge cases—loopholes in specifications or simply unexpected usage,” adds Diego Sor, Director of Consulting Services at Core Security by HelpSystems.

F-Secure’s LaRose emphasizes two qualities that characterize a good pen tester’s thought process. The first is deduction ability, often based on limited information. “Oftentimes the effects of what you’re doing as a pen tester happen behind the scenes, and you need to be able to guess whether what you’re doing will or has worked,” he says. The second is the ability to think of hacking as a human problem, not just a technical one. “During any type of test with a social engineering component, such as phishing, it’s crucial to be able to put yourself in the shoes of your target audience in order to craft a more believable pretext,” he explains.

Ethical hackers don’t just need to get into the minds of their targets: they also need to understand real attackers, whose techniques they’re trying to emulate in the service of helping the good guys understand what they’re up against. “It used to be that a red team just had to ‘break in’ to show value,” says Ron Gula, president of Gula Tech Adventures. “Now red teams need to actively emulate the threat actors, which means knowing the techniques of specific threats. This manifests in certain types of Mitre ATT&CK tools and simulating long-term malware command-and-control campaigns.”

Communication and collaboration. A stereotypical image of a hacker, ethical or otherwise, is of a lone wolf, perched behind a keyboard in a darkened room probing for weaknesses in a target. In fact, the ability to work as a team and communicate with coworkers and clients is one of the most important qualities a pen tester can have, says Gabby DeMercurio, director red team, social engineering, and physical penetration testing at Coalfire. “You can be the greatest hacker in the world, but if you can’t translate that into a readable, coherent report on what you did and how you did it so a customer can follow along, copy your attack, and then fix it, then it doesn’t really matter at the end of the day,” she says.

As Daniel Wood, head of product security at Unqork, puts it, “it’s incredibly important that you are able to translate technical security risk into business risk. That means understanding organizations, their business use cases, and what impact a technical vulnerability would have on their ability to operate, the confidentiality of their data, and ultimately, the security of their customers.”

These communications skills are particularly important because of the delicate nature of the white hat’s business: remember, if you succeed in breaching your target system, you’ve potentially embarrassed some of your client company’s employees. “Unlike hackers trying to exploit a vulnerability, white hat hackers are working with a third party with the intent to improve the cybersecurity of a given product,” says CyberMDX’s Luz. “While you are ultimately on their side and trying to help, the challenge here is giving the bad news—reporting a vulnerability—while still maintaining a positive atmosphere in the discussion that leads to cooperative working relationships.”

Those good working relationships are important within your own team as well. “Being able to work with your co-workers is important, as you don’t know everything,” says Coalfire’s DeMercurio. “Being able to learn and help each other grow is what we mean by ‘it takes a village.’ Lone rangers quickly fall behind those that work well together.”

And your allies should go beyond just the folks employed by your company. “One of the most important parts of penetration testing to understand is the community that surrounds it,” says F-Secure’s LaRose. “The offensive security community is one of the most close-knit in the world, and almost everything we do is built upon the work of countless other members of our community. Being able to engage with, learn from, and contribute to the community are all skills that every pen tester needs to succeed.”

Ethics. OK, maybe this seems obvious, since the word “ethical” is right there in the job description. But the truth is that a pen tester is given a lot of responsibility and power, and it’s important to feel sure that they won’t abuse it.

Heather Neumeister is director of people operations at NetSPI, which specializes in penetration testing and attack surface management. “Assessing a candidate’s ethics is based on both background and personal assessment,” she explains. “When part of the criteria being considered for a new hire is ethics and morals, there is always going to be an element of gut instinct. But it’s also important to ask questions around why someone chose to get into pen testing, as you can usually quickly identify a person’s intent during initial conversations. To find people with strong ethics and morals, it can be helpful to look at the activities a candidate does in the greater community. Extracurriculars like non-profit work, public research, and open-source contributions can be useful indicators of a higher ethical standard, as it’s often the case that those who choose to positively benefit the security industry without personal gain are those who are truly committed to ethical behavior.”

Of course, ethics and the law aren’t quite the same thing—and no matter how much you hew to your code of ethics, you need to make sure you stay on the right side of the law. That’s especially true in the pen testing world, where legalities can be blurry and customer egos can be bruised, says Michael Jeffcoat, founder of The Jeffcoat Firm. Jeffcoat is an insurance attorney who has worked closely with several white hat hackers over the years. “The lack of a universally recognized legal framework leaves ethical hackers prone to lawsuits,” he explains. “While ethical hackers might have a contract stating that their employers specifically asked them to infiltrate their systems, the employer may still file a lawsuit if they deem that the hacker performed ‘unsolicited attacks.’”

To head off that sort of trouble, he advises that pen testers have a good grounding in the relevant law, a good attorney, or both. “Ethical hackers must extensively read their project contracts,” he urges. “All agreements should explicitly state the scope and limitation of the penetration testing services ordered. Remember: explicit details prevent subject contract interpretations.”

The few, the proud, the hackers

The qualities we’ve described here, combining technical savvy, out-of-the-box thinking, and “soft” communications and collaboration skills, may sound like a tall order. But it also explains why ethical hackers seem to loom larger than life within security circles.

“A personable hacker, one that people like, trust and like to talk to, is the most dangerous and in demand of them all,” explains DeMercurio. “Why? Because that is the person that talks their way into a building, has someone hand them the keys to the data closet, and then leaves them alone because they were trustworthy. That is who you should aspire to be and that is the very person companies should be terrified of. Lucky for them, we’re white hat hackers.”