Under technical direction, conducts vulnerability assessments, penetration tests, and social engineering campaigns. As a member of CNA's Ethical Hacking team, this position is responsible for identifying, evaluating, and providing remediation guidance for potential weaknesses in CNA's infrastructure and processes. This position also performs 'objective-based' assessments, replicating a known threat actor with known TTPs and motivations, to help the organization understand whether an actual actor using similar techniques would be able to accomplish a specific objective.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Participates in technical testing against CNA's infrastructure and network assets, from operational planning, initiation, and remediation to reporting.
- Communicates findings, attack paths, and recommendations to technical, non-technical, and senior leadership through written reports and verbal presentations.
- Develops scripts, tools, techniques, and methodologies to improve the overall ability of the team to deliver high-quality tests.
- Employs advanced internal networks, wireless networks, mobile applications, thick-client applications, embedded applications, or hardware penetration testing techniques.
- Acts as a primary technical contact for IT and development teams to remediate findings.
- Develops and contributes to Red-Team's Tactics, Techniques, and Procedures (TTPs) knowledge base.
- Demonstrates an understanding of penetration testing techniques and methodologies.
- Develops and customizes payloads specific to the environment, software version, or for evasion of defensive technologies related to mobile applications.
May perform additional duties as assigned.
Typically Manager or above
Skills, Knowledge & Abilities
- Must be very proficient with the common tools associated with penetration testing (Metasploit, Burp Suite, Cobalt Strike, etc.)
- Ability to effectively code in a scripting language (Python, Perl, etc.)
Education & Experience
- Bachelor's Degree in Computer Science, Information Technology, or related discipline, or equivalent work experience.
- Typically a minimum of four years of related work experience in Information Security, preferably with Infrastructure Penetration testing experience.
- Applicable certifications preferred (e.g. OSCP, GPEN, OSCE)