Light Dark
November 1, 2018 By Security Intelligence Staff 4 min read
Security Services
Software Vulnerabilities
Application Security

Would you believe that one of the IBM X-Force Red team’s “celebrity hackers” had never physically touched a computer until he was 18 years old?

Dimitry Snezhkov grew up in Ukraine in the 1990s, and his early education didn’t include access to real computers. His “informatics” class consisted of the teacher drawing a keyboard on a whiteboard and showing the class various commands. When they were ready, they graduated to the lab where the teacher would let students watch as he used a single computer.

When Dimitry moved to the U.S. almost 20 years ago and took an English as a second language class at community college, he experienced a major culture shock. Upon handing in his first essay, his teacher rebuked the “handwritten note,” telling him to go to the lab and type it out. Dimitry had to give himself a crash course not only in Microsoft Word, but also in the basics of typing, deleting, saving and more — things we in the U.S. take for granted having grown up around technology.

“I chuckle because I have to teach my grandma the same thing now,” he said.

Today Dimitry believes that learning a system incrementally can feed your curiosity. After teaching himself the fundamentals, he started to think about how the computer itself operated, how to get online, how to chat with people and more.

“Sometimes you want to have more functionality out of that system, so you start tinkering to see how you get there,” he explained. “And this is what you face with security: restrictions, access control, things that prevent you from accomplishing your goal. This is where the true sense of security starts coming out and you’re actually tinkering with things and getting answers. We see a limitation and start lifting those limitations to try to learn more about them.”

Why Penetration Testing Is Becoming Mainstream

Dimitry takes this same approach to testing customer security as part of the X-Force Red offensive security services team. With his teammates, he is responsible for everything from initial scoping all the way to client-facing delivery of the test and resulting documentation. He enjoys bridging the gap between his customers’ limited understanding of security and what the testing entails.

“I think over the years, pen testing has become a little bit more mainstream,” he says. “Before it was maybe more esoteric, only employed by companies who had a lot to lose. Also, the attacker would usually have direct monetization interests in penetrating and compromising systems.”

Today, though, as companies move more and more to digital systems, they must protect intellectual property, customer data and more from an increasingly automated onslaught of attacks. Dimitry believes that anything his team can do to illuminate the path of least resistance to a compromise can help customers hone in on their vulnerabilities — especially when they may be dealing with legacy systems they’ve forgotten about or processes that have become second nature to those in-house.

More on Pen Testing

“I think learning on your feet is a big deal,” he said. “When we’re faced with an unknown system, we don’t have any knowledge as to what production mechanism it has, who’s watching our steps, what the context may be. We use tools in our team as a litmus test on how applications or networks — or even humans, as we do a fair bit of social engineering in our testing — how those entities that we operate with respond when you probe. We probe and we get a response and we move further.”

A Delicate Dance of Offensive and Defensive Security

Dimitry spends his time probing systems to figure out how they are put together, then prodding further to see what’s wrong with them. But even with an increasing amount of automation — on both the offensive and defensive sides — he stressed that you still need to have an analyst watching and collaborating.

“Automation is something that has to be natural to a team like ours because there’s just no way we can test everything manually from the start,” he said. “We need to cast a wide net to be able to probe where the vulnerabilities are, because in today’s day and age, if you are testing a system and you have come up with a way to compromise that system, it’s almost guaranteed that somebody else on the other side of the world has already done that or is working toward doing the same thing.”

The automation helps testers keep up with attackers and put up defenses more quickly and effectively. It’s a delicate dance — a balance of push and shove, thrust and parry. Even knowing that, you may not have guessed that this logically minded, technology-driven tester is also a partner in a holistic medicine school.

“I have to balance things, and I do think that the idea of yin and yang is very powerful,” he said. “You have to be able to balance and draw on different sides of experiences in life.”

Dimitry uses meditation to help him see the bigger picture, reflect and remain calm in a very demanding role where he’s constantly thinking on his feet.

“I would like people to be open to an alternative mindset,” he said, “be open to looking under the hood, be open to collaboration and be open to full-scope testing.”

To Dimitry, a little mindfulness can go a long way toward helping security professionals and penetration testing experts like himself stay focused on the most pressing threats and think creatively to stay one step ahead of ever-evolving attackers.

Meet Fraud Analyst Shir Levin

 |  |  |  |  |  |  | 
Security Intelligence Staff
Security Intelligence Staff

More from Security Services
July 11, 2024

39% of MSPs report major setbacks when adapting to advanced security technologies

4 min read - SOPHOS, a leading global provider of managed security solutions, has recently released its annual MSP Perspectives report for 2024. This most recent report provides insights from 350 different managed service providers (MSPs) across the United States, United Kingdom, Germany and Australia on modern cybersecurity tools solutions. It also documents newly discovered risks and challenges in the industry.Among the many findings of this most recent report, one of the most concerning trends is the difficulties MSPs face when adapting their service…

July 9, 2024

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

May 17, 2024

How a new wave of deepfake-driven cyber crime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit. Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries. Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature