Tribe of Hackers Red Team. Marcus J. Carey
An important part of my red team engagements is that I’m not placing domain admin access as a primary goal. In most cases, the data I want doesn’t require domain admin credentials to get it. I feel like the goal of the assessment needs to be something that the organization deems sensitive. If I can show that I’ve been able to compromise the CEO’s desktop or maybe a database containing credit card data or plans to build a battleship and then describe how these would be useful to an attacker, most organizations seem to find value in that.
How do you recommend security improvements other than pointing out where it’s insufficient?
Oftentimes I’m providing positive findings to customers to let them know where I think their controls are working. Even though something might be preventing me as an attacker, there are cases where those could still be improved. For example, maybe the organization has an exposed Outlook Web Access portal. Maybe I wasn’t able to access it during the assessment, but I still might recommend that they move it to the internal network and protect it behind a VPN.
Additionally, constant testing of your controls is a must. Even though the red team engagement is over, learn and utilize some of the techniques that were used. The methodology of the tester should be outlined in the report and will typically include both successes and failures. While some of the tester’s techniques might have failed during your engagement, you might find that something gets changed on your network without you knowing and now those techniques are successful. Lastly, having management support behind security improvements is critical. Policy controls that executives need to address should be provided in the report.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
The hacker mind-set and creativity are the most important nontechnical character traits for a red teamer. Frequently on red team engagements they will be faced with challenges they have never seen before. Having the hacker mind-set means they will not stop when they face the unknown, but instead they will question everything and find unique and new ways to face a problem. When facing highly secured environments that utilize defense-in-depth strategies along with quality alerting and response, creativity on the red team is a must.
“Having the hacker mind-set means they will not stop when they face the unknown, but instead they will question everything and find unique and new ways to face a problem.”
What differentiates good red teamers from the pack as far as approaching a problem differently?
Most of the really good red teamers I have met specialize in some area heavily. This enables them to develop a deep understanding of a certain technology or software. Becoming a master of infrastructure setup, coding, device hacking, lock picking, or any other area will help you develop a niche skill that is useful on red team engagements. Having the ability to approach unique problems with a creative mind-set can make the difference between a successful red teamer and one who fails. ■
5 Christopher Campbell
“What are red team skills? When you list the skills that make someone a competent and effective attacker, you realize that those are the same skills that make someone a good server administrator, network engineer, or security practitioner.”
Twitter: @obscuresec
Christopher Campbell has been doing security research for many years and has a few college degrees, industry certifications, and open source project contributions. He has also found a few bugs and given a few talks at conferences. Chris is currently the red team chief for ManTech ACRE and was formerly a member of the U.S. Army red team.
How did you get your start on a red team?
The opportunity to join the U.S. Army red team was a lot more luck than anything else. I was on the receiving end of an assessment 15 years ago before I had any idea that it was a possible career field. I decided to work on making myself marketable and reaching out to members of the red team community at conferences. I received a lot of helpful advice. I would like to think that it helped, but ultimately it was just applying for positions that seemed interesting, working through the interview process, and following up after being interviewed about where I needed to focus more attention. Once I got on the team, my true journey started.
What is the best way to get a red team job?
The best way to get any job that you want is to document demonstrated competency and diligently apply. I had the opportunity to interview and have a part in hiring some really awesome red teamers, and they were all persistent throughout the process. All were honest about their skill sets during their interviews, and many asked for feedback afterward. Demonstrating passion and a willingness to learn whatever is necessary to be successful in a task goes a long way in the hiring process.
How can someone gain red team skills without getting in trouble with the law?
This question hits at a really misunderstood topic. What are red team skills? When you list the skills that make someone a competent and effective attacker, you realize that those are the same skills that make someone a good server administrator, network engineer, or security practitioner. You can gain all the skills you need to be a good tester without ever breaking a law. Even things that seem borderline illegal can be done within virtualized environments on your own computer with free software. Ultimately, getting in trouble with the law could likely be far more detrimental to your future career aspirations than most people realize. Why risk it?
“Ultimately, getting in trouble with the law could likely be far more detrimental to your future career aspirations than most people realize. Why risk it?”
Why can’t we agree on what a red team is?
In a similar semantic shift as the word cyber, red team has lost the meaning that many still associate with it. The key distinction between a red team assessment and any other kind of test is adversarial replication. In other words, if you aren’t utilizing the tactics, techniques, and procedures of an actual, documented threat actor, then it is likely you aren’t conducting a red team assessment. That doesn’t mean you aren’t a red teamer. However, if you can’t articulate which actors use which techniques, then many would have a hard time believing that you are. Red team assessments aren’t better or worse than any other type of assessment, but for a long time they have been considered the sexiest. They exercise an actual defender on production networks and test policies and human responses that aren’t otherwise properly evaluated. I hope that the industry is able to reclaim the old definition, but it is probably unlikely.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
One thing that people are often surprised by is the fact that I value empathy over most other traits when looking for red team members. Unfortunately, that empathy