Q and A: Courtney Evans, Cybersecurity University Student and Aspiring Pentester/Exploit Developer

Courtney Evans is currently enrolled in a BSc Cybersecurity and Networks course at Teeside University, and is an aspiring penetration tester and exploit developer. She's a hell of a lot better at programming than I'll ever be - and I'm sure will be a terrifying adversary for whoever's poor web application gets her first! Courtney can be found on LinkedIn here.

What were you doing before you decided to go into cybersecurity?

"Before I decided to go into Cyber Security I was working as an Apprentice Product Specialist at ATEB IT Solutions (basically front-end development minus the direct use of code).

The first few months were great when I was learning how to use the Intelledox software and basic HTML; once I was introduced to the concept of code -and how easy it is for me- I was very intrigued to learn what else was available in the I.T industry.

This is when I randomly googled something like ‘professional hacker’ and it occurred to me how at home I’d probably feel in this industry."

Dive into some of the cool jobs and projects you got involved in!

"A lot of the jobs and projects I’ve done so far have been based on boot2root challenges from platforms such as HackTheBox and Vulnhub; I always have the same rule to never look at walkthroughs related directly to the machine I’m working on.

So far I’ve rooted Craft (HTB), Brainpan 1 (VulnHub), Fowsniff (VulnHub) and Mr Robot 1 (VulnHub), in addition to completing several challenges on Hack The Box.

My favourite machine thus far is probably a tie between Brainpan 1 (a buffer overflow exploit) and Mr Robot 1 (brute forcing access): I love getting the opportunity to incorporate programming with a challenge!

I enjoyed the experience of the Python code injection while rooting Craft but I didn’t feel it was very realistic, and Fowsniff was the first machine I looked at so I can barely remember it!"

Technical experience you had before you started your cybersecurity studies?

"Before I decided to pursue a position as a Penetration Tester, I made sure to cover the basics:

1. Using a Linux operating system

2. Having a basic understanding of reading and writing scripts in different popular programming languages (C,Ruby,Python etc.)

3. Awareness of how to use different scanning tools

4. Network basics such as the OSI model and different protocols

Other than my self education, however, I had none - other than that I.T apprenticeship!"

Why did you decide on cyber specifically?

"For me, Cyber Security is probably the first industry that’s really captivated my interest.

While I enjoyed the first few months of my Apprenticeship, I found myself getting very bored after that period and wanting to do something more technical and challenging.

I also feel like my personality and my mindset suit cyber security well as I’ve always had an interest in criminal behaviour (I even took Criminology for a short period in college) and the idea of being capable of infiltrating and destroying a network really excites me (even if it’s just virtual machines!)

Once you’re in, you’re in - I tried pursuing Development for a short period after a level 4 Cyber Security Apprenticeship in Pentesting ended badly, I just couldn’t get into it at all."

Courses, resources and the providers of them - if they were good, say so, if not, say so.

"For learning, Udemy is really good for covering the basics (Network fundamentals | Kali Linux | Programming basics) - I’d recommend some courses - but it’s been over 2 years since I last used it and I can’t remember which ones were useful!

I also use HackTheBox and Vulnhub for Boot2Root challenges more specific to improving your hacking skills; if you’re unsure there’s also sites such as hackthissite that host very basic web hacking challenges.

In terms of actually landing a job as a Penetester, I’m currently enrolled at Teesside Univesity on a Cyber Security and Networks Bsc course due to end in 2022.

I’m also planning on (hopefully) gaining my OSCP certification in the next 2 years."

What is/was your job search/interview process like?

"When being interviewed for my Level 4 as a Penetration Tester, I was asked to tell them what pentesting tools, and I was familiar and about where my knowledge on networks etc is at the moment. I was also asked about what I’ve done in my spare time towards being a Pentester.

The university interview I had was a lot more casual- as long as you display a desire to be there, you’re likely going to get a placement.

Job searching can be very frustrating in this industry: if you haven’t got any form of certification or experience you’re going to be stereotyped as a newbie - unless you’ve got proof of work you’ve done independently (bug bounties, boot2roots etc)

And even then, you might come across problems due to not having a Driving License or any formal certification.

At times it can be disheartening: you’ve put all your time and effort into learning a particular skill just to be patronized by the more experienced and told that you need to do more in your own time even though you’ve done all you can on your income."

What is your course/job actually like? Good AND bad points.

"The course I’m enrolled on at Teesside University is definitely aimed more towards complete I.T noobs, it’s a bit of a waste of time if you’ve already covered the basics like SQL, networking fundamentals etc.

The work you have to produce is also very unrealistic and basic in nature.

It is giving me time to focus on my own personal work, however."

Advice you wish you'd have had before you started?

"I wish I’d known about boot2root platforms earlier as I only really learned about these in my level 4 apprenticeship and I’ve found these challenges are where I’ve learnt the most.

Also the importance of recording what you’ve done- if you complete a challenge, do a write up on it and post it somewhere, anywhere!

Then when you’re being asked for proof of your ability, you have evidence ready."

Editor's Note: This is a brilliant idea - easily produced proof of your ability through writeups and blog posts is your ace in the hole at an interview.

What are you working on right now?

"Right now I’m looking into exploit development (just basic Buffer Overflow exploits, nothing fancy yet)

I was working on Brainpan2 but it’s currently making a massive noob of me - so I’m going to return to it after Stack Overflows for Beginners and attacking some applications known for B/O vulnerability."

What's the end goal? Or, where would you like to be in a few years?

"My endgoal is to make something of myself in exploit and virus development (and maybe discovery if I’m lucky!),

I’d love to end up doing this as a career but I’d be quite content with being a Pentester and pursuing that knowledge in my own time."

Courtney is a hell of a CTF player, it seems - and has a solid code background that will no doubt make her a hell of an exploit developer and pentester too. Her LinkedIn is here for the inevitable feeding frenzy that occurs when she graduates!