Tribe of Hackers Red Team. Marcus J. Carey


of trustworthiness and integrity within the candidate. Red teamers will have access to very sensitive knowledge about infrastructures, security controls, vulnerabilities, and so on, and that information will need to be held in the utmost of confidence. The ability to be not only technically astute but also able to explain those technical concepts to the layperson is invaluable in a red team asset.

       What differentiates good red teamers from the pack as far as approaching a problem differently?

      Good red teamers are not only technical hacks but also have an innate understanding of what value their activities represent to their organizations (as an employee or consultant). Good red teamers are thorough and detail-oriented and comfortable with their own skill. Good red teamers are always looking to hone their abilities and figure out ways to exploit without detection. Problem-solving can be highly methodical, or it can be serial. Regardless of the approach, a good red teamer applies the proper approach when necessary and adjusts when that approach runs into a dead end. ■

      “I’m a firm believer that one should not jump directly into an offensive role without first getting a deep understanding of underlying protocols, including not only technical details but also business logic.”

      Twitter: @dafthack

      Beau Bullock is a senior security analyst and penetration tester who has been with Black Hills Information Security since 2014. Beau has a multitude of security certifications and maintains his extensive skills by routinely taking training, learning as much as he can from his peers, and researching topics that he lacks knowledge in. He is constantly contributing to the InfoSec community by authoring open source tools, writing blogs, and frequently speaking at conferences and on webcasts.

       How did you get your start on a red team?

      I meet a lot of people who are interested in pentesting or red teaming and want to jump straight into those roles. I did not start out my career in information security on the offensive side. Being tasked with protecting a network, its users, and their data forced me to think like an attacker so I could be a better defender. I first developed an interest in offensive operations during an ethical hacking course I took while in college, but that interest did not develop into an offensive role until years later.

      From an operational standpoint, understanding the struggles blue teams have to deal with, how networks function, and what defensive controls are possible provides a much clearer picture to the offensive operator. I pivoted to an offensive role in 2014 when I started working at Black Hills Information Security. Throughout the first few years of working there, I performed many penetration tests for various organizations. This gave me the opportunity to tune my capabilities and develop red team tactics. Within the last three years, I have been fortunate enough to be assigned formal red team engagements.

       What is the best way to get a red team job?

      Being on a red team takes a unique and dedicated individual who has knowledge in vastly different areas. I’m a firm believer that one should not jump directly into an offensive role without first getting a deep understanding of underlying protocols, including not only technical details but also business logic. Do you know how the business you are targeting functions day to day? Can you determine what the organization values?

      Many red teams consist of multiple individuals with skills in different areas. You might see team members who can perform architecture setup, payload delivery, and/or social engineering, act as internal network specialists, and more. Before you get a job on a red team, I would recommend first developing offensive skills in multiple areas on penetration tests. The key to being a good red teamer is having the knowledge to attack an organization from many angles and the discipline to use the one method that is necessary and won’t get you caught.


      If you are already a pentester looking for a red team role, I would say networking is probably going to be your best bet. Go out and meet the people working on red teams and introduce yourself. Show them projects you’ve been working on. I see job openings posted by others on my Twitter timeline all the time.

      If you are working for a company as an internal security analyst or the like and your company doesn’t have an internal red team, maybe it’s time to make a case for one. You might be able to build your own internal red team for your own organization and essentially create your own red team role.

       How can someone gain red team skills without getting in trouble with the law?

      For building skills, I am a huge advocate of participating in capture-the-flag contests. Also, jumping in on bug bounties is a good way to build web application hacking skills. Building a home lab doesn’t have to be expensive and can provide you with a test platform for performing red team research without breaking laws.

       Why can’t we agree on what a red team is?

       What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?

      For the majority, I think they still think red teams are trying to sling exploits with Metasploit. I haven’t had to use an actual software exploit in years. Configuration issues, bad passwords, and poor user awareness of phishing are typically how we get in. Once inside a network, it is 100 percent a game of credentials: pivot, dump creds, pivot, dump creds, rinse, and repeat.

      I think the most toxic thing I’ve seen is how some blue teamers and red teamers treat each other. Many treat the other side as an adversary in a bad way. Our job as red teamers is to help the blue team get better. We should never gloat about our ops. The same goes for the blue team. I love purple team assessments where we can work collectively to make the organization better. Some of the coolest things I’ve found on engagements have been on purple team engagements.

       When should you introduce a formal red team into an organization’s security program?

      Only
