My name is Justin Fatuch, and I am currently in Rapid7’s Security Consultant Development Program. I started off at Rapid7 as a business development representative for all of Rapid7’s products, making calls to prospective customers every day. Prior to joining Rapid7, I was a sales consultant for AT&T for several years.
Even before joining Rapid7, I was interested in cybersecurity—so much so that I was even thinking of going back to school to further my studies in it. Then one day, I bumped into a guy at an AT&T store who was wearing a Metasploit shirt. I told him I knew of Metasploit and of my interest in cybersecurity, and he explained that Metasploit was owned by Rapid7, and that he worked there as a sales manager. Before I knew it, I was asking him if Rapid7 was hiring, and the rest is history.
Even though I joined Rapid7 in a sales-focused role, I knew I was much closer to where I wanted to be in my career by being in the right industry. On lunch breaks and during my free time, I was using Hack the Box and VulnHub to learn cybersecurity on my own.
My manager noticed I was doing this and mentioned that there was an opening in the Security Consultant Development Program, in which I could learn about and gain direct experience by spending six months in each of the penetration testing, incident response, and advisory services teams. I quickly applied and was thrilled to be offered the position. Just two weeks prior to the offer, I received an acceptance letter for the University of Texas’ Penetration Testing Boot Camp, a 12-week immersive experience, but I decided to move forward with Rapid7’s program instead.
Today, I’m three months into the penetration testing part of the program and have completed about 10 engagements, both external and web application penetration tests. I’ve had the opportunity to shadow senior consultants to learn about some of the more obscure attack paths adversaries can take—the things you don’t really learn about by doing Capture the Flag-type penetration testing exercises, so it has been a much more practical and realistic experience.
Once I’ve completed my six-month stint in penetration testing, I’ll move over to the incident response team. I’ve never done incident response before, so this will be entirely new to me. From my pen testing experience, I know that you can look at the source code of an exploit and match it up to a log file that may have been compromised, but that’s about the extent of my knowledge today! I’m excited to jump in headfirst and see where the next level of the program takes me.
The most interesting thing I’ve learned so far in the program is SMB egress testing. This is where we send a non-malicious email to a client or employee with a broken image tag. If a recipient opens the email, the embedded image tag causes the email client to automatically attempt an SMB connection to Rapid7's external listener. Whenever a connection is made, it gives us a password hash. Once we have a hash, we can typically crack it, and from there, we’re inside. I was really surprised by how many people don't know that this is an attack path.
If you are considering a career in cybersecurity and are unsure where to start, I recommend beginning to learn the operating systems of Linux, Windows, and Mac to fully understand the commands and where file shares and password directories are located. Then, check out Metasploitable, which is essentially a penetration testing lab in a box that contains several intentional vulnerabilities for you to exploit.
Rapid7’s Security Consultant Development Program has been such a great way to start my cybersecurity consulting career. I’ve learned so much in just the past three months, and all the practical experience I’ve gone through is coming together, which is really exciting.