Most Frequenty asked questions on How to Become Red Team Hacker & Penetration Tester answered by experts from Triber of Hackers
What is the best way to get a red team job?
It is uncommon for people to start directly into red team jobs. The best way
is to have or gain a skill such as internetworking, system administration, or
software engineering and start out in a blue team role. Getting into a blue team role will allow you gain cybersecurity experience and network with people in your dream role.
You can network internally and externally from your organization at
local events and regional cybersecurity conferences. There are a couple of
certifications tailored to red teaming that can get you noticed by red teams
looking to add some human resources.
You need to know your target audience, and then you need to impress
them. There isn’t just one type of red team job. There are quite a few subtle
differences between different companies/groups that perform this type of work.
From a high level, you’ll find that there are two major types of hackers in this
field. Both have places on different red teams, and both are really cool. The
biggest practical difference between the two will be in their clientele.
The first type of red team is the computer network operator–type team.
Their primary focus is going to be on access. They train to utilize hacking tools
and frameworks, and they aim to impress. If you want to join one of these
teams, you need to be focusing on training on breach simulation because that’s
what their world is all about. Their clients hire them to show exactly how an
attacker might gain and leverage access to a network or system. This type of
team is going to be dropped into a network, or onto a target system, with the
goal of exploiting the system to its fullest extent and building a narrative they
can present to the company’s executive team detailing how they got it done. To
join one of these teams, you almost certainly won’t need a bunch of certs, and
you probably don’t need a college degree. What you do need are the skills to do
the job and the guts to ask for it. To get there, find a team that you want to join,
train until you’re ready, and then prove yourself by competing or contributing to
the community.
The second type of team is the security engineering–type team. This type of
team is less likely to be dropped into networks with the goal of “simulating” a
literal breach. Instead, they are likely to spend their time creating and building
and auditing complex solutions to hard security-centric problems with the goal
of improving the technical sophistication and security of a given software or
hardware system. If you join one of these teams, you won’t spend your time
trying to create a narrative to describe how exactly you accessed a network via
a simulated hack. Rather, you will spend your time analyzing systems from a
multitude of perspectives and then applying your knowledge to answer tightly
scoped questions such as “If an attacker had access to this network, could they
bypass our host whitelist?”
For both team types you’ll want some combination of computer science and
information technology knowledge. You can gain these things in school or on
your own time. The type of team that you want to join will influence whether you
should be learning Metasploit and Active Directory or cryptology and software
engineering. Once you know what it is exactly that you want to do, simply learn
those skills and send in an application.
How can someone gain red team and penetration testing skills without getting in trouble
with the law?
I recommend downloading virtual machines and web applications that have
vulnerabilities on them when trying to learn at home. There are plenty out
there; just be careful and don’t put them on the internet because they will be
compromised in short order.
If you don’t have permission from the system owners to test or run tools, you
are probably violating some law. If you are trying to get into red teaming, try to
exploit only the systems that you own or systems that you have explicit written
permission to exploit.
Join the bug bounty programs and start hacking away. These companies are providing an incentive for bug hunters to find bugs, so they offer you training on their websites to get you started.
HackerOne and BugCrowd are just two of the companies, but this space I believe will be crowded in the next few years. The company that wins this race will be the company that provides the most value to its community by going above and beyond for them. They can be providing you with every tool and
training there is, but you must put the work in and type away on your keyboard to develop those skills to earn the bounties.
Coding would be one of the easy ones. And this has an almost unlimited
number of paths where you can spend time. You can write tools that do fun
security-related things that will teach you things as you go. I think everyone should
write a network port scanner at some point and make a real effort to understand
how a socket really works. You can play with other people’s code to learn how they
conquer interesting challenges in the offensive security space. Learn enough code
to understand how fantastic projects like BloodHound really work so that you can
talk about what they are really doing in depth. Pluralsight has a ton of great content
on Active Directory (AD). Set up AD in a lab and try to manage it for a few weeks.
This ties into what I think of as a classic answer to this kind of question, which
is to build a lab. I would say this is almost a must. I have several labs I use on a
regular basis. I recently purchased a laptop where I have a mini-Windows lab. I
use Hyper-V to create a domain controller with one or two joined members. It
just so happens this laptop is also great for gaming. The trick with the lab is to
make it flexible and go use it. Install EDR or AV and try to get past it. Understand
what works and what doesn’t and why.
Social engineering and physical access skills are a bit more challenging to
acquire without on-the-job training. Social engineering CTFs exist along with
organizations like TOOOL that can help guide people to be better at lockpicking
or physical access attacks. In the end, you’ll need to do the engagements with
that get-out-of-jail-free letter.
On the electronic attack side of things, copious opportunities exist, including
capture-the-flag (CTF) events, bug bounty programs, vulnerable hackable
systems (Hack The Box, VulnHub, tryhackme, and so on), and vulnerable
software repositories and local virtual machines/Docker containers. Coupled
with thousands of hours of conference videos and online training, there is more
material out there than someone could ever expect to consume. Pick a topic
that interests you and go to work.
Here are a few helpful resources you
might want to explore:
- SANS.org
- Cybrary.it
- PenTesterLabs.com
- github.com/enaqx/awesome-pentest
The key to moving from Novice toward Competent is consistent, deliberate,
hands-on practice. The resources will provide a treasure trove of guidance that
will enable you to chart a course based on your available resources.
A few guiding principles will assist in avoiding criminal and legal issues while
developing your offensive security skills: - “First do no harm.”
- Don’t break into places you don’t own/have legitimate access to.
- When in doubt, refer to the first point.
When should you introduce a formal red team into an organization’s
security program?
I believe that everyone in information technology and software engineering
should know how to build, secure, and hack anything they are in charge of. My
crazy vision is everyone always threat modeling and red teaming everything
they do. You don’t need to have red team as your title to utilize red team skills. I
always say, “Hack more. Worry less.”
How do you explain the value of red teaming to a reluctant or
nontechnical client or organization?
I believe the best way to do this is to explain that even though the red team has
an adversarial role, internal and external red team goals are aligned in the sense
that we all want to protect sensitive data and critical systems. To keep the trust
over time, red teams should always avoid showing up blue teams and internal
stakeholders. You can only do this by working closely as a team. It takes only one
bad experience to potentially ruin these relationships.
What’s the most important and easiest-to-implement cyber security controls that can
prevent you from compromising a system or network?
I’m going to go with restricting administrative privileges for end users. I’ve seen
first hand how this drastically reduces infections on a network. This simple
control applies to organizations of any size. Restricting privileges is easy to
implement and scale.
Why do you feel it is critical to stay within the rules of engagement?
The only difference between a good person and a bad person is that the good
person follows the rules. Violating the rules of engagement breaks the trust
between teams. If you violate the rules of engagement, you may be breaking the
law as well.
The combination of a strong password policy and mandatory two-factor
authentication on all critical services commonly results in major headaches on
a red team. The larger an organization, the more difficult this can be to roll out,
but for small and medium businesses this can be a quick win that grows with
the organization while being enabled with a small budget.
Passwords are the bane of information security right now.
2FA/MFA is a solution, but it is still cumbersome or impossible to incorporate
into the authentication platform a company uses. Most pentests and red team
assessments that I perform these days start with some kind of initial toehold
into the organization, and then the hunt for credentials begins—API keys, SSH
keys, passwords, anything that can get me to a higher level or more access than
that toehold. This is why I think a company should require the use of password
managers for all work-based authentication; this includes API keys (vaulting
products help make this a reality). A way to force this is to change your internal
password minimum to something like 40 characters. Initial login (in order to get
to the password manager) can be done via a smart card, FIDO, or another tokenbased
product. Even mobile devices these days can act as FIDO devices, which
would remove the need to deploy and manage a fleet of devices for authentication.
System-level firewall rules. Restricting the ability for systems to communicate
with each other can make lateral movement around a network difficult or
impossible. It can be difficult to execute from both planning and technical
aspects, but I think it will provide immense value if done correctly. I often ask
people, “Do your workstations need to be able to communicate on port X?” to
which the answer is almost always no.
How does the red team work together to get the job done?
If you are working with a team, communication is the most important element.
Split up work and ensure you document everything that you do on an
engagement. Trust is important as well, because I’ve seen situations where team
members lose faith in their teammates.
I recommend using collaborative tools so everyone can see what their
teammates are doing. Transparency always wins. One more thing, don’t be
afraid to ask for help; that’s what teammates are for. If your teammate is an
expert at a certain thing, simply ask for help.
What is some practical advice on writing a good penetration testing report?
My advice is to not reinvent the wheel—there are plenty of resources out
there to describe vulnerabilities, exploitation, and risk scoring. Feel free to grab
content from NIST, CVSS, or MITRE ATT&CK and cite them as references. Citing
them as references actually boosts the credibility of your findings and report.
Use something like CVSS to help score the vulnerabilities that you find.
MITRE ATT&CK is great for discussing exploitation techniques and suggested
remediations. If you use those resources, the report will be easier to write for
you and easier for the consumer to trust.
What differentiates good red teamers from the pack as far as
approaching a problem differently?
I think good red teamers study and know how things work. I mentioned
empathy before. A good red teamer can put themselves in the system
administrator, network engineer, or software developer mind-set and solve the
problems they are facing. A good red teamer is always hungry to improve their
skills and help others do so as well.
What nontechnical skills or attitudes do you look for when recruiting
and interviewing red team members?
When I am talking to candidates, I am looking for positive attitudes and strong
internal drive/motivation. Red teamers will often find themselves neck-deep in
mind-numbing analysis, the results of which could determine the success of the
engagement.
Therefore, it is important that candidates are able to motivate themselves
to keep going, not lose sight of the objective, and not complain that they’re “not
doing cool stuff.” Red team work is usually pretty boring, minus the moments of
sheer adrenaline when that shell finally comes back, so candidates need to give
the impression that they have the patience and determination to accomplish
the mission.
