Would you believe that one of the IBM X-Force Red team’s “celebrity hackers” had never physically touched a computer until he was 18 years old?

Dimitry Snezhkov grew up in Ukraine in the 1990s, and his early education didn’t include access to real computers. His “informatics” class consisted of the teacher drawing a keyboard on a whiteboard and showing the class various commands. When they were ready, they graduated to the lab where the teacher would let students watch as he used a single computer.

When Dimitry moved to the U.S. almost 20 years ago and took an English as a second language class at community college, he experienced a major culture shock. Upon handing in his first essay, his teacher rebuked the “handwritten note,” telling him to go to the lab and type it out. Dimitry had to give himself a crash course not only in Microsoft Word, but also in the basics of typing, deleting, saving and more — things we in the U.S. take for granted having grown up around technology.

“I chuckle because I have to teach my grandma the same thing now,” he said.

Today Dimitry believes that learning a system incrementally can feed your curiosity. After teaching himself the fundamentals, he started to think about how the computer itself operated, how to get online, how to chat with people and more.

“Sometimes you want to have more functionality out of that system, so you start tinkering to see how you get there,” he explained. “And this is what you face with security: restrictions, access control, things that prevent you from accomplishing your goal. This is where the true sense of security starts coming out and you’re actually tinkering with things and getting answers. We see a limitation and start lifting those limitations to try to learn more about them.”

Why Penetration Testing Is Becoming Mainstream

Dimitry takes this same approach to testing customer security as part of the X-Force Red offensive security services team. With his teammates, he is responsible for everything from initial scoping all the way to client-facing delivery of the test and resulting documentation. He enjoys bridging the gap between his customers’ limited understanding of security and what the testing entails.

“I think over the years, pen testing has become a little bit more mainstream,” he said. “Before it was maybe more esoteric, only employed by companies who had a lot to lose. Also, the attacker would usually have direct monetization interests in penetrating and compromising systems.”

Today, though, as companies move more and more to digital systems, they must protect intellectual property, customer data and more from an increasingly automated onslaught of attacks. Dimitry believes that anything his team can do to illuminate the path of least resistance to a compromise can help customers home in on their vulnerabilities — especially when they may be dealing with legacy systems they’ve forgotten about or processes that have become second nature to those in-house.

“I think learning on your feet is a big deal,” he said. “When we’re faced with an unknown system, we don’t have any knowledge as to what production mechanism it has, who’s watching our steps, what the context may be. We use tools in our team as a litmus test on how applications or networks — or even humans, as we do a fair bit of social engineering in our testing — how those entities that we operate with respond when you probe. We probe and we get a response and we move further.”

A Delicate Dance of Offensive and Defensive Security

Dimitry spends his time probing systems to figure out how they are put together, then prodding further to see what’s wrong with them. But even with an increasing amount of automation — on both the offensive and defensive sides — he stressed that you still need to have an analyst watching and collaborating.

“Automation is something that has to be natural to a team like ours because there’s just no way we can test everything manually from the start,” he said. “We need to cast a wide net to be able to probe where the vulnerabilities are, because in today’s day and age, if you are testing a system and you have come up with a way to compromise that system, it’s almost guaranteed that somebody else on the other side of the world has already done that or is working toward doing the same thing.”

The automation helps testers keep up with attackers and put up defenses more quickly and effectively. It’s a delicate dance — a balance of push and shove, thrust and parry. Even knowing that, you may not have guessed that this logically minded, technology-driven tester is also a partner in a holistic medicine school.

“I have to balance things, and I do think that the idea of yin and yang is very powerful,” he said. “You have to be able to balance and draw on different sides of experiences in life.”

Dimitry uses meditation to help him see the bigger picture, reflect and remain calm in a very demanding role where he’s constantly thinking on his feet.

“I would like people to be open to an alternative mindset,” he said, “be open to looking under the hood, be open to collaboration and be open to full-scope testing.”

To Dimitry, a little mindfulness can go a long way toward helping security professionals and penetration testing experts like himself stay focused on the most pressing threats and think creatively to stay one step ahead of ever-evolving attackers.
