Andreea Druga is a pentester with over six years of experience in the security arena with a master's degree in IT&C Security. She has expertise in both defensive (blue team) and offensive (red team) areas. She has worked with various tools such as SIEM, IDS, IPS, Web Filtering, antivirus, and various endpoint protection tools. Currently, she dedicates her time to the offensive side, performing various security assessments ranging from pentests to full company-level IT security audits.
Andreea joined the Cobalt Core, our highly-experienced, geographically-diverse community of pentesters, in 2018. She is one of the 250+ pentesters worldwide who have helped Cobalt secure over 2000 assets.
We had a chance to hear from her to learn more about her pentester origin story and what she enjoys about being a part of Cobalt’s pentest community.
Pentester Origin Story: How did you get into security?
AD: Growing up, I always wanted to understand how things were built, how they function, and how they can be broken to uncover flaws and learn how they can be fixed.
In 2013, I joined the IT&C Security Master's program in Bucharest and quickly afterward started an internship in a security operation center. During this time, I got hands-on experience with incident response and analyzing information from various sources (network and endpoint-level tools). After gaining knowledge of how security threats are being prevented and mitigated, I made the switch to the offensive side. After learning how defense in depth is being implemented, I really wanted to change sides and get an attacker mindset, with the ultimate goal of better perfecting the overall security of any company. In my first offensive security role, I was performing various security assessments, such as network, web and API pentests, as well as game pentesting, on PC, mobile and consoles.
What motivates you when it comes to pentesting?
AD: The most motivating part about security, not just pentesting, is that security is a fast-evolving domain. Everything changes at a rapid pace and it’s really important for us as security professionals to not only adapt but also contribute as much as we can to technological progress. I think it is really important to increase your job expertise, to be on top of your game, and always up to speed with the latest changes.
Another motivating factor is that tasks are not repetitive. Applications and technologies always differ, which results in new issues for us to find, report, and mitigate.
Technology is evolving, the world is more and more connected, and I truly believe it’s up to us to make it a safer place for everyone.
In general, you could say I am motivated by the speed, variety, and ability to do good in the security industry.
What does a good pentest engagement look like?
AD: A good pentest engagement is achieved when all the pre-established objectives have been met by applying all the necessary pentest methodologies according to the target type.
I believe it is truly important to understand the customer’s requirements and have the scope clearly established from the beginning. Having a common channel that brings together the pentest team and the product team to discuss in real-time helps a lot.
I cannot emphasize enough how important it is for each pentester to keep the product team constantly updated with their testing progress.
A good pentest engagement has to end with a very comprehensive report, where all the identified vulnerabilities have been detailed, their root cause and remediation steps explained. Moreover, I truly believe it is important to mention the target’s strengths as well.
What are the top 3 traits that a pentester should possess to be successful on Cobalt?
AD: From my point of view a good pentester needs to have:
- Advanced technical skills
- A thirst for knowledge: should always be eager to learn and grow
- Good communication skills
How do you organize yourself during a pentest? How do you manage your time and avoid burnout?
AD: I always try to be very organized during an engagement. When I begin an assessment, I note everything that needs to be done, and then I break down each day based on those tasks noted. To avoid burnout, I plan both my working and free time ahead.
What kind of targets excite you the most? Do you have a favorite vulnerability type?
AD: It’s difficult for me to choose a favorite type of target; I just love performing pentests, so whether we’re talking about web, networks, or mobile, I thoroughly enjoy testing them all. As for my favorite vulnerability types, I really like performing injections and checking for broken authorizations.
How do you learn about different security concepts? Where do you go?
AD: I like to keep myself up-to-date with the latest vulnerabilities and ideas from the cybersecurity space. Whether we’re talking about system administration, networking, source code reviews, reverse engineering - you name it, they all intersect and are part of this huge security space, where I always realize that the learning path never really ends, and that’s a good thing!
I am constantly keeping an eye on what new courses appear to see where I can improve myself. For each new study, I consider it is important to start with the fundamentals and afterward head into the more advanced techniques. I also think it is really important to understand the theoretical side of things before going onto the more practical side.
Moreover, having the possibility to work with different cybersecurity experts helps a lot because you can see how they approach different techniques and we can all learn from one another. Cobalt has definitely offered me a platform for growth as well; it’s an extremely good opportunity for me to learn from my peers.
How do you conduct research and recon for a pentest?
AD: I always start by going over the documentation and information given to us to see if everything is clear and we have all that is required to start the assessment. After making sure that everything needed to start is there, I try to understand the applications from a business logic and technical perspective, in order to have the full picture of what I am going to need to do for the test.
To perform testing, I am using a combination of both automated and manual testing (active approach) as well as gaining open source intelligence from various sources (passive approach).
Another thing I usually do is check for leaked breached credentials that are simply out there on the internet, and if there is a match for our domain then I would inform the client and recommend taking action: that their users change the credentials or ensure that they are not being re-used.
Do you leverage any tools? What are your go-to tools?
AD: I believe that a successful pentest can be achieved with a combination of manual and automated efforts. Tools are definitely helpful and pentesters should leverage some of them in each of their assessments.
My machine of choice when performing pentests is always Kali. It comes packed with a great set of pre-installed tools.
As for my go-to tools, it depends on the type of assessment. If we’re talking about external and internal networks, then we have to talk about scanners. The most popular one is Nmap, and I am using it quite a lot. Subdomain enumeration tools are also quite important; there are many sources for open intelligence, and there are also tools that are combining those results, such as Sudomy.
If we’re talking about web, then Burp Suite Pro is my weapon of choice. For mobile platforms, besides Burp Suite Pro for traffic interception, I am also using tools such as Objection and Frida. If we’re talking exploitation, then the Metasploit Framework is a great choice. And when scripting is necessary, I like to go with Python.
What do you enjoy the most about being a part of the Cobalt Core?
AD: I am truly grateful to be a part of the Cobalt Core team as I am able to work alongside so many highly-skilled security professionals. Each project is different, and this gives me an opportunity to work with different technologies and industries. Being able to work closely with the product teams allows great communication and collaboration. It gives us an outlet to ask questions, get them answered right away, get feedback in real-time, and understand what areas are more critical to follow, and the customer is constantly updated with our progress as well.
One other thing that needs to be mentioned is the fact that the Cobalt Core team is united and supportive. Personally, it feels like a family to me, and we constantly share updates from the security space. For example, if a member has a technical question they pose to the community, then in 5 minutes he or she will already have several answers from members of the community from all over the world.
What advice would you offer to someone who is interested in getting into pentesting?
AD: Go for it! The only warning here is that it is very addictive and will likely turn into your main hobby quickly. I’d recommend starting with various courses; there are plenty of resources on the internet, such as PortSwigger WebSecurity Academy. Get yourself familiar with pentesting methodologies, such as OWASP, and you can practice on their various vulnerable applications such as JuiceShop. I would also recommend participating in Capture-the-Flag (CTF) competitions; they are fun and will offer you a glimpse into the hacker mindset. Though keep in mind that CTFs and true pentest engagements are two different activities and require different approaches. A great resource for CTF-related challenges and vulnerable machines is HacktheBox.
If you are still in high school, I strongly recommend studying IT for university, and if there are other areas of study closer to security then that’s even better.
What do you wish every customer knew before starting a pentest?
AD: I think it’s truly important for each company to establish the pentest scope and the dedicated environment - development, staging, production etc. Moreover, if the application is being hosted on an external provider, then I would recommend checking first whether approval is needed to perform the security tests.
If we’re talking about a grey-box type of assessment, then it is recommended for the customer to prepare a few sets of credentials before the start date. Additionally, having clear documentation can also help the pentest team and provide the answers to many questions that they might have during the assessment. If the documentation is not ready, that is not an issue; the customer can also opt for a presentation kick-off call with the security team. However, most of the time, the pentesters will quickly find their way around a target and have it fully mapped within the first day. Any other granular questions can quickly be addressed afterwards.
What do you like to do outside of hacking?
AD: Besides security, I also have an interest in anthropology and psychology. I am passionate about learning more about us, humans, about the world around us, how we’ve got to where we are today, and how we can work to make our world better in the future. I enjoy traveling and learning more about other countries, their culture, and history. In addition, I am a huge animal lover and I am always trying to help local shelters as much as I can. I also have rescue pets of my own who I absolutely love spending time with.
What are your short term and long term personal or career goals?
AD: In this area, it is extremely important to keep yourself up to date with the latest technologies and have a constant learning path. My short-term goals consist of finishing certain courses with a focus on hardware pentest and IoT. In the long run, I would like to constantly improve my knowledge and skills; this is my main plan. For my personal goals, I want to travel a bit more in the future and get a pilot’s license. I absolutely love skydiving and I am thinking of pursuing this passion of mine some more in the next few years.