They’re the good guys: ethical hackers work for companies to expose vulnerabilities in web applications, networks and systems before illegal hackers get the chance to. One of these ethical hackers is Philipp Rohrbach, who works in the red team in IT Security at PostFinance. In the interview, he explains his work in detail and how he goes about it.
Ethical hacking in IT Security: hacking on the right side
When the red team is let loose on the blue team at the “yellow bank”, it’s all in the name of security. IT security specialist Philipp Rohrbach explains what’s behind it.
You work in the red team in IT Security at PostFinance. What does red as the team colour mean?
As the red team, our job is to take on the role of attacker within IT Security at PostFinance. We make use of the technologies or attack scenarios as they are applied in “real” attacks to specifically target our own systems. For example, we try to use our services and systems for a purpose for which they were not intended, with the aim of exposing vulnerabilities before anyone else can. When you operate a service in IT that’s open to the outside world, you have to assume that you will be attacked. It’s not a question of whether it will happen, but rather how often, and of how well the attacks can be detected, fended off and contained by our blue team. The colour designations are originally military terms: the red team is the offensive part of IT security, the blue team the defensive part.
How does the red team go about conducting a test?
Let’s say we’re testing an app. The first steps we take are to talk to the specialists who develop, operate or refine the app and to define the goals of our testing. One such goal can be to manipulate a financial transaction in a test environment, or to get our hands on information via an interface within the app. We then determine the approach we want to take – the black box, grey box or white box approach. In the black box approach, we’re given the app for testing without any further information about its internal structure. In the grey box approach – which is much more common – we get a little more support, for example by being able to work with an app version in which some protective measures are switched off. This gives us an edge over potential attackers, who generally have more time on their hands than we do, and the ability to use our valuable testing time for actual testing rather than for circumventing security measures. Or you can go one step further with the white box approach, where the source code is available to us, making it easier for us testers to circumvent the protective measures. We then arrange the test setup and get to work. What we test includes for example app authentication, the login procedure or the resetting of passwords for logical errors and deviations from standards. Or we observe how the app behaves when we feed it with information for which it was not actually intended. For example, if a payment from customer A to customer B runs through 10 steps in the background, we look to see what happens if we change the order of the steps. Once we’ve tested enough starting points of this kind, we draw our conclusions and document them. Where necessary, measures are then taken to eliminate vulnerabilities.
How is the red team put together?
It’s always different, depending on the scope of the test and the effort involved. For small tests, one person is sufficient, whereas several testers are required for larger ones. We make use of internal staff, but we also use external people. It’s especially important to ensure that the same people don’t always examine the same test objects, because security testing in particular also often calls for out-of-the-box thinking, with individual experience and personal expertise playing a major role.
What do you need to bring to the table to work in a red team?
Requirements include a solid knowledge of networks, a sound understanding of how web applications work and how computers and servers interact and are structured (see also box). But one of the most important things is a sense of curiosity: ethical hackers want to understand cyberspace and see it time and again with different eyes. They want to look behind the scenes. And they possess the qualities of tenacity and perseverance: they try to keep feeding the object being tested until something unexpected happens. And then to understand why what happened came about. Our goal is to find vulnerabilities that have not been seen before, either by other people or by automated quality assurance tools.
These are the skills needed by red team specialists
- Networks: structure, protocols, routing
- Operating systems such as Windows, Linux, etc.
- Programming: Read and adapt/modify code
- Hacking tools: scan, crack, attack
- Security vulnerabilities: software, logic, errors/weaknesses
Are there any official training courses for this?
For the area of traditional penetration testing, there are certifications that are recognized in the industry. However, there are no courses of study on offer that cover and focus on our entire area of responsibility. If you want to become an ethical hacker, a great deal of what you learn can and must be self-taught, with support from a community that is very happy to share its knowledge. Good ways to practice your skills are platforms like TryHackMe or Hack The Box, which offer challenges or public bug bounty programmes.
What fascinates you about your role as an ethical hacker?
The enormous variety. On the one hand, I get many opportunities to grapple with various technologies – such as different programming languages, applications or frameworks, while on the other I’m constantly coming into contact with different people. We are not specialists in every field, but we do have many very good people at PostFinance. When we’re preparing for a test, we can tap into their knowledge and experience. That’s very, very exciting. There’s also the fact that while we do indeed use a consistent methodology for testing, we apply it again and again to different test objects, which range from voice authentication using a normal web application to very complex systems that process financial transactions. And all else aside, this job is not just work, it’s also an attitude: I want to do my bit to keep making cyberspace a little safer all the time.
What is your personal career path leading to the red team at PostFinance?
I originally trained as an electronics technician before getting into the area of project management in plant engineering. Because I then found myself missing the technical aspect somewhat, I studied IT and systems engineering at a higher technical school, after which I was responsible for the area of new media at an agency, where I acquired a sound understanding of web applications and mobile apps in numerous projects. I then completed a degree in IT with a focus on IT security. The subject of ethical hacking has always been with me on my journey. Out of personal interest, I taught myself a great deal about it. After my studies, I ultimately switched to IT at Swiss Post as an operations specialist in the area of e-voting, where I came into contact with security screening. So when PostFinance started looking for an IT security specialist in the area of ethical hacking, I said to myself: this is my opportunity. Since then, I’ve had the chance to prove myself as part of this team.
Philipp Rohrbach has been working in IT Security at PostFinance since 2019.