I have now been playing on the pentesting platform hackthebox for more than a year. I have been in IT security / infosec for a very long time, but I was very late to the offensive party. It still amazes me why that is. Some random thoughts!
I was not really aware of the exact terminology regarding blue and red teams etc. The Public Key Infrastructures I have built are maintained by the 'networking' or 'server' or 'Active Directory' teams, so I had always considered 'security' to be one aspect of the work the architects and network administrators have to do. Maybe I do not even count as 'infosec' - I am just the administrator of all things certificate-related.
I often sided rather with the people who had to maintain the 'security infrastructures' on a daily basis, rather than with consultants (internal or external ones) who tell those administrators how to secure the infrastructure. People keeping infrastructure at the bottom layers of the network afloat are hardly noticed - until something breaks. I had my share of WHO IS RESPONSIBLE THAT THIS WAS NOT WORKING FOR [a time span very very small compared to the time the system was running well despite lots of changes].
In the book Advanced Penetration Testing a seasoned expert states:
All that is needed for an attacker to gain entry to the most secure environments is for one person to have one lapse in judgment one time. I keep driving this point home because it really is the point. As a penetration tester, I have the easy job. An attacker is always at an advantage. I would hate to have the responsibility of keeping a network safe from attack; I'd never sleep.
I think as a security consultant - red or blue, consultant as opposed to sysadmin / 'devops' - it is hard to fully acknowledge all the conflicting requirements and constraints you have to meet when you need to keep things running. I suspect I also helped implement dumb and insecure things at times, because they were the best trade-off at that time.
Often I found myself pondering on 'opposites', as red versus blue, consulting versus doing, projects versus operations. Should I rather lecture and comment than implement and do? Is commenting and consulting just fence-sitting without skin in the game? I finally decided on more involvement in keeping things running. Actually, I once became a consultant because I feel so terribly responsible for systems and infrastructures also as an external consultant (usually without a long-term formal contract) who is touching that infrastructure once every few months. But every time I was officially responsible for systems it was hardly bearable and moved me nearly over the edge into burnout - I had better erect that 'external consulting barrier' to keep me somewhat detached.
I also don't want to say that offensive roles are 'easier' - far from this! I do not have real-life experience with pentesting, but I imagine it as consulting on steroids: Travelling a lot, chaotic deadlines, all the non-glorious aspects of consulting in general, politics,... Exactly the aspects that made me abandon the nomadic consulting lifestyle, by the way.
Following infosec experts on Twitter I notice that there is an old debate popping up from time to time: Should 'infosec' be an entry-level role, so should you e.g. go straight into security after college, or should you have experience in other IT and software roles before - as a programmer, system architect, or network administrator? Given my own path I should be in the latter camp, I guess. But on the other hand, again given my own path, I can imagine that you can absolutely become a security expert with dedication and without having spent grueling years, say, fixing clients' my-Outlook-does-not-work issues.
I changed careers a few times, but I can as well present these transitions as a gradual, logical evolution. I had been a newcomer often, and people were asking me: How long have you been doing this? It was meant as a compliment, and I avoided replying with the truth, like: a few months only. When clients considered me a 'PKI guru' I often said that I firmly believe that a student with enough dedication can become that exact type of guru in a year, too.
My blog was originally called Theory and Practice of Trying to Combine Just Anything. I had things like 'Physics and IT' in mind, or 'I had also considered studying philosophy and want to be some sort of renaissance person'. Maybe this is how I have approached security, too: I wanted / want to combine all kinds of experiences. It has been my choice, my path, not necessarily the expression of some career advice that would apply to anybody. Playing at hackthebox always shows me how much I do not know - about IT technologies and pentesting methods and tools. Only very rarely can I contribute something original, based on something I really know something about - like in the case of my PKI / smartcard hack.
I feel very much that I am a dilettante - in a positive sense of what the word actually means.