A primer for OSCP training: 5 essential skill areas to cover before starting
As with any widely recognized industry certification, OSCP training takes time and effort, but choosing suitable course materials can make all the difference.
Summary: The journey to becoming an Offensive Security Certified Professional (OSCP) is long and difficult, going far beyond simply passing an exam. Those who demonstrate competence in proactive security and penetration testing are highly sought after. Here is an overview of what it takes to get there.
The Offensive Security Certified Professional (OSCP) is a certification program that focuses on ethical hacking and penetration testing. To earn the certification, candidates must pass the exam within 24 hours and provide their documentation reports within 24 hours after that. A minimum of 70 points out of 100 is required to pass the exam. The exam takes place under online proctoring and takes a hands-on approach with simulated environments.
Candidates need to complete Offensive Security’s mandatory Penetration Testing with Kali (PEN-200) course to become eligible to enter the OSCP exam. However, the course does not cover everything and is intended for those who already have a thorough grounding in areas like network administration and information security.
Here are some of the most important skill areas candidates should cover before starting the course:
#1. Linux and Windows administration
Since most enterprise computing systems run either Windows Server or one of the many Linux distros, it stands to reason that would-be penetration testers must be familiar with both. As most people already have a fair bit of experience with Windows, learning how to use Linux in an administrative environment will likely be the more challenging part. Candidates need to have a solid grounding in administration fundamentals, such as user account management and privilege escalation.
Most penetration testers also use the specialized distro Kali Linux to carry out their operations. Kali Linux is developed and maintained by Offensive Security. The Debian-based distro includes a curated set of tools tailored to the needs of ethical hackers. These include network protocol analyzers, port scanners, and exploit engines. While these tools are covered in depth in the PEN-200 course, candidates should at least have a grounding in Debian-based Linux distros. The entire OSCP exam takes place in a Kali Linux-based virtual machine.
#2. Basic scripting and programming
While the course covers scripting and basic programming in considerable depth, candidates will need foundational knowledge beforehand. Scripting plays a crucial role in penetration testing for automating redundant tasks. Thus, candidates will need to write scripts in short order to complete the exam within the time limit. Familiarity with the Bash command language and the Python programming language is strongly recommended.
Fortunately, entry-level penetration testers are typically not expected to write advanced scripts from scratch, but they will need to be comfortable reading and modifying them. Familiarizing oneself with the basic commands before taking the PEN-200 course will help speed up the process. On the other hand, having no prior knowledge of coding before starting the course will end up being a complete roadblock.
#3. Networking concepts and protocols
Before getting into the highly specialized field of penetration testing, candidates must have a thorough knowledge of network administration, networking concepts, and protocols. Pursuing the CompTIA Network+ or similar certification will provide a solid grounding in the area before specializing in ethical hacking and other areas of cybersecurity. Furthermore, earning such a certification is an important entry point into any career in information security.
Candidates should be familiar with networking protocols including SMB, NFS, SMTP, SNMP, FTP, and SSH. After all, one of the everyday tasks of a penetration tester is scanning ports for potential vulnerabilities before exploiting them. Before taking the PEN-200 course, it is also good to acquire an introductory knowledge of the popular port-scanning tools included in Kali Linux and other distros.
#4. Information security fundamentals
Information security is a highly expansive area with substantial crossover into business risk management, regulatory compliance, and digital transformation. This crossover makes it a vital and integral component of any business technology strategy. As such, it is practically impossible to cover every area of cybersecurity in great depth. Acquiring a foundational knowledge of the broader areas is strongly recommended before specializing in any highly technical discipline like penetration testing.
Earning the CompTIA Security+ or equivalent certification, either in place of or in addition to the CompTIA Network+, is a great way to jumpstart a career in cybersecurity. The certification covers information security fundamentals, such as risk management, network security, cryptography, operational security, and identity and access management. The OSCP course assumes expert knowledge in all these areas.
#5. Report writing and other soft skills
One of the most important soft skills for penetration testers is report writing, also tested in the OSCP exam. After carrying out their operations, testers need to compile a comprehensive report of their findings. Vulnerabilities identified must be detailed thoroughly and tallied by their risk ratings. They must be summarized and explained so that non-technical people can understand, but there must also be accompanying documentation to support the findings. Finally, customers typically expect penetration testers to provide remediation advice.
Becoming an OSCP requires more than technical prowess alone. Penetration testers typically work as full-time employees or independent specialists invited to hack into a corporate network to identify vulnerabilities needing remediation. Naturally, this requires a great deal of trust, hence the need for transparency, professionalism, and solid communication skills.
Cybrary for Teams is an all-in-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress.
