Opinion: It’s Time to Move on from Offensive Security Certifications


Introduction

For years, Offensive Security (OffSec) certifications have been held as one of the gold standards in the ethical hacking/penetration testing community.  Their certification exams have been praised for their difficulty and their “real-world” feel as testers are required to hack to gain their certification instead of the traditional multiple choice test.  Having an OffSec certification meant you had a good baseline of hacking knowledge and were well-prepared to handle a real-world job.  However, in my opinion (and having two OffSec certifications), the certifications just aren’t worth the money any more.  Let me explain why.

The major flaw with OffSec certifications, at this point in time, is a severe lack of updates to their certification material.  As I dig deeper into several of the certifications later on, you will begin to see this claim as factual.  At a high level, OffSec is still offering certifications such as the OSWP, where the training focuses on wireless network hacking techniques, but the protocols taught are mainly a decade old and no longer used in most households or production environments.  Outdated material such as this is hindering OffSec from being the elite training company they once were.

Certifications, in my opinion, are meant to show that an individual has met a baseline of knowledge regarding a specific topic.  From a hiring manager perspective, I would want to know that a certification on the resume holds some merit.  Moving forward, it will be hard to trust OffSec certifications on a resume as anything other than a person having the ability to persevere through a tough environment.  Is that a desirable trait? Yes.  However, just because the certification is hard to obtain and shows some good personality traits by obtaining it, it does not mean that the certification provides the baseline of knowledge needed to work in a particular field.  This is where OffSec is beginning to fail.

Let’s briefly dig into each of the main online OffSec training offerings.

OSCP

Let’s start with the OSCP, a certification I hold myself.  What the certification training does well is teach you common hacking tools as well as give you a good rundown of the hacking methodology.  It also teaches an individual to have a tough mindset when it comes to overcoming difficult situations.  OffSec also provides a robust set of labs that give students 50 or so unique machines to attack.  Yet, the labs rarely get updated, nor does the training material.

For example, you encounter operating systems as old as Windows XP in their lab environment and exploits that are so old, they aren’t even relevant anymore.  Now, am I saying that there are not Windows XP machines running out there?  No, of course not.  However, if you’re being prepped for a realistic environment, OffSec’s labs just are not going to cut it.

The majority of corporate environments today are running Windows 7 or later and are using some sort of Active Directory internally.  Additionally, it is highly unlikely (though not impossible) that you are going to use any of the privilege escalation tactics that you learn in the labs on any machine in the real world.  It’s also highly unlikely that you’ll ever be crafting manual exploits and modifying shellcode on an assessment either.

What’s more likely is that you will be using AD privilege escalation tactics that are not taught by OffSec.  You’ll be using Metasploit and other “auto pwn” tools.  No, this does not make you a script kiddie.  This makes you a penetration tester.  It would not be difficult to create a testing environment that emulated a difficult real-world corporate environment, but that would require OffSec to perform updates, which they just don’t do.

Having gone through the interview gauntlet not that long ago, I can assure you that companies are moving towards simulated penetration tests as a feature of their hiring process.  On top of this, technical questions dive deep into AD environments as those are 90% of what a penetration tester will see on an engagement.  The OSCP will not prepare you for these types of interviews.  Yes, you will have a foundation of understanding in terms of methodology with the OSCP, but you will get rocked by these types of assessments.

In my opinion, one would gain equal value by strictly working on simulation sites such as Hack The Box.  The machines can be pretty complicated, but you will still learn the hacking process.  You’ll still learn to scan, enumerate, and eventually, own boxes.  You’ll be allowed to use whatever tools you desire.  Hell, looking back, Hack The Box has helped me become a better penetration tester than the OffSec labs ever came close to.  It’s $100 for a year vs $1200 for 90 days of labs with OffSec.

Another benefit of Hack The Box is their recent addition of pro labs.  The pro labs, at the time of this writing, are currently Offshore and RastaLabs.  Both labs focus heavily on realistic AD environments and from what I have heard (I’ve yet to take the labs personally), prepare students for real-world internal penetration tests.  Right now, the labs run about 90 Euros a month, with a better deal if you purchase multiple months.

We will touch more on this topic in a bit.

OSWP

Another certification that really disappointed me was the OSWP.  If you want a certification that will literally prepare you to hack wireless routers from ten years ago, then this is the certification for you. Why do I say this? Probably because 90% of the material covers the very deprecated WEP protocol.

If you aren’t aware, WEP was replaced by WPA2 over a decade ago.  Yes, there is a period of time where people and even businesses are slow to switch over to a new protocol.  It makes sense to teach multiple protocols while the protocols are both in use and that’s exactly what OffSec did many years ago.  It’s just that they haven’t bothered to update the material since, but have no issue with taking your money and leading you to believe that you’re going to be certified in hacking wireless networks.

Seriously, you could watch a random course on Udemy or read a blog on WPA2 hacking and it would cover more information than the entire OSWP course does.  This is truly disappointing and OffSec should be ashamed.  If you’re a leading certification provider and a true gold standard of the industry, then you should be better than this.  It’s a slap in the face of the students who pay you hard-earned money and entrust your company to provide them with a good training foundation.  OffSec simply cannot provide that anymore.

OSCE

Moving on to a certification course I almost purchased: the OSCE.  The OSCE was once the gold standard of hacking certifications.  Back in the day, if I saw someone with the OSCE, it made me instantly appreciate them.  The course was difficult, the exam was 48 hours, and the certification was incredibly hard to obtain.  The information was also incredibly relevant.  Until it wasn’t.

Let’s paint a picture of what the OSCE course teaches you.  First, you learn 32-bit assembly code.  Okay, that’s a good start.  Then it goes into 64-bit right?  Nope, that would require updating.  Oh, and the whole course is done on a Windows Vista machine.  Let me repeat: a Windows Vista machine.  On top of all of this, you’re taught dated concepts such as egg hunting, which really doesn’t exist anymore in exploit development.

The entire course is completely archaic and yet they still charge over $1,000 for it.  Over a grand for a course that will prepare you to understand outdated exploit development tactics.  Again, a rip-off and just not relevant.  OffSec, you should be ashamed.

My Recommendations

As of right now, I can no longer advocate for OffSec certifications.  There needs to be heavy improvement to the certifications if OffSec wants to remain an industry standard.  I will add a positive: I have noticed that OffSec is hiring Content Developers on their website.  Giving the benefit of the doubt, my hope is that this is to improve their content moving forward and take care of their updating issues ASAP.  I would be happy to update this post if changes are made and I would be happy to advise OffSec on how their courses could improve.

Until then, I must strongly advocate against the OSWP and OSCE for the reasons stated earlier.  In terms of the OSCP, I will offer this opinion if you are seeking the certification:

The OSCP is outdated and will not prepare you well for a job interview.  However, besides the benefits mentioned earlier (teaches methodology, rigor, etc.), it is still a massive HR filter.  At this point in time, a resume with an OSCP on it easily has a chance of being put at the top of a pile simply because HR loves the certification.  This is a massive benefit that I cannot overlook.  In relation to having a better chance of your resume landing on a hiring manager’s desk, the OSCP is still top of the line because there’s nothing out there to compete with it quite yet.

With that being said, if you want to be a better pentester with an up-to-date skillset, I would advocate for completing some Hack The Box machines and then moving directly into internal AD training.  Hack The Box will give you a solid foundation for external penetration tests as the process is very similar (scan, enumerate, exploit).  However, it is important to know an AD environment well as this is a topic that a lot of interviews dive deep into.  As stated before, I have heard nothing but good things about Offshore and RastaLabs through Hack The Box for AD training, but I must repeat: I have not taken the training myself.

Let’s Do Something About It

This is my call to the community.  Let’s call on OffSec to improve the quality of their training and move on until they do.  It is nearly inexcusable to be offering certifications that teach decade-old material and no longer prepare students for the real world.  For now, let’s start talking about training that actually stays up to date and providers that actually care about preparing a student for their future.  If we’re going to spend a lot of money, it should be on training that actually provides quality and content to its students.

As this is an opinion piece, I welcome feedback from the community.  What I would truly love is input on security training you received and loved, so that I can share that on this blog.  I will update this blog post with content providers that are referred to me so that the community can become aware of these providers.  So, if there is fantastic training out there that you really enjoyed, please don’t hesitate to let me know!

I’ll start:

PWAPT:
I have been fortunate enough to take the Practical Web Application Penetration Testing (PWAPT) course offered by Tim Tomes (@lanmaster53).  It was the best hands-on experience I have ever received in terms of web application penetration testing.  I can honestly say that I have never learned more on the topic in a shorter period of time than I did with Tim in the course.  To top it off, it was my first hands-on experience with Burp Suite Pro, as most courses have you use ZAP or a free edition of Burp (I’m looking at you, SANS).  If you’re looking for good web application training, feel free to hit him up on Twitter and see when his next course offering is!

As suggested by others:

@IsmaelVazquezRE wrote:

I’m really enjoying VirtualHackingLabs which from what I hear is similar to pwk but at a fraction of the cost. Pentesterlab is pretty awesome and Louis is one of the greatest dudes ever.

@_Kiewicz wrote:

You forgot to mention certs, which are awesome.

@eLearnSecurity wrote:

Thanks for mentioning us!  To learn more about us, is currently giving away one of our course (PTS) for free to all its new members. Check it out if you’re interested.  https://www.ethicalhacker.net/register/?sp_source=Social&sp_term=TWregEHNET


12 comments on “Opinion: It’s Time to Move on from Offensive Security Certifications”

  1. This is a little too salty to be constructive. Did you ask OffSec if they plan to update their material and/or why they haven’t? I appreciate that you want them to update their material, but snide remarks (“I’ll update this blog post, unlike OffSec”) just make you appear bitter. As for OffSec training being a “poor value” – go ask SANS what a single course costs that doesn’t provide you any labs or even a certificate at the end. Hint: It’s 10x as much. What the OSCP provides is a solid foundation to build upon, it’s not supposed to teach you how to immediately go be a “super-leet” penetration tester.


    1. Hey, thanks for the input. The article has been reworded since your original comment. I invite you to reread it again. While I disagree with your opinion, I can understand where you’re coming from.

      I have reached out to OffSec and received no response. I made a second attempt by submitting my resume to their content developer posting (they are well aware of who I am) and got insta-rejected. So, I hope they do improve moving forward. I will not be a part of that process, which is understandable. Not a lot of companies hire their critics.


    1. Thanks for the great article! It’s interesting to hear feedback about the LPT directly compared to the OSCP. EC-Council doesn’t get a lot of respect due to the C|EH, but it sounds like the LPT can really prepare you for a real-world environment.


  2. Very insightful article. Quite a few years back, I certainly considered the OSCP the creme de la creme. However, as more of my direct reports have been going through the course, I realize that my advice and recommendations still apply (which should be an obvious red-flag). Because of this, totally agree with the sentiment here.


  3. Very great article, but there is a lot more to write. The Advanced Web course AWAE has been mentioned as coming soon since 2013! Look on Twitter, Reddit, the web archive. No answer! Update? The NetHunter for Android project has died totally! No new update and the developer is gone! Community tools and forums are very old, the website is old too! Asking for help on Twitter, they say go to email or the forum, but the forum does not help much!

    Kali release 2018.4 has 1 new tool since 2018.3? Why this? There is lots more to mention here, like the exploit archive site! I have been using hackthebox.eu, far better and updated often! I once tried to get my OSCP, but no more!!!!!! The security community needs more! We always change, why not they?

    Please add more to the article as there is more!


    1. Hi,

      Thank you for the feedback. I do not have extensive knowledge on AWAE or the Android project, so I could not comment on those comfortably. I do know that AWAE has been in talks to move online for a few years now, but am unsure if/when that will happen. As I mention in the article, I am giving OffSec the benefit of the doubt that they are working towards improving content in the future, but that remains to be seen.

      I appreciate your input here and bringing to light some of the other flaws that may be out there.

      Thanks!


  4. I am thankful for this, sir. I am living in the UK, originally from Hyderabad. I want to say that the biggest thing for me as a security engineer is the new proctored exam. Offensive Security wants to watch you on webcam for 24 hours in a day; this makes me work differently than in real life. In real life I will attempt to work on a penetration test for a week or more, but here I must stay up very late. I do not have time to take care of my family, and must take 2 days off work to sleep! This is not safe! Why spend so much time building a way to catch cheaters but not make a real solution? Many companies have safe exams inside testing centers. Can the OSCP not have a 3-day exam during normal work hours at a center, with an employee at the center watching you? This watching me 24 hours a day is not good for my wife either; she says it is very not secure!

    WHY WATCH MY WEBCAM 24 HOURS? I can set up a monitor cable to my friend in another room and he can take the test with me using screen mirroring! This is still easy to cheat at, but now they watch me like I’m a cheater!!! You cheat us of money by not updating!


    1. Hi Makhaad,

      Thanks for the response. I actually understand OffSec’s move to proctoring the exam. Many companies have done this in the past as a way to offer an exam at the convenience of your own home. OffSec did not have to worry about this for some time as their exam format was not multiple choice and the exam answers were not really leaked to the public like a lot of other exams.

      I believe that there was an influx of cheating that happened. When people cheat and earn the certification, the influx causes the value of the certification to go down for those that hold it. It also causes the integrity of the certification to be in jeopardy. So, from OffSec’s standpoint, I completely get it.

      What may be required moving forward is a shorter exam or something that is more tolerable. I can understand the concerns of a 24 hour exam and of being watched, but I don’t think it’s with bad intent. The process just needs to be refined.

      I thank you for taking the time to comment and appreciate hearing your concerns.


  5. I think it’s quite amusing how they claim to be a “hacker” company, but the only way they can detect cheating is by physically watching someone. IDS detection, randomization to exams/machines, forensic linguistics, so many more “hacker” solutions than watching a person. Hell, you could avoid the entire charade, by verifying the person (use the silly webcam verification they do now even) after they complete the exam, and have them give a realistic report out call that includes questions and specifics of their exploitation methods. If I enable screen mirroring, run a monitor in the next room, use a KVM, I’ve defeated their proctoring “solution.” They even claim that audio is not recorded. Sounds like more of a bluff to me. It’s more of a band-aid on a dying certification.

