Tribe of Hackers Red Team. Marcus J. Carey
The “team” element of red teaming is critical. No one can be an expert in everything. Having people with diverse technology backgrounds allows you to work together to accomplish the mission. Communication is important, and each member of the team should have an understanding of what the others are working on. Additionally, leadership of the team is extremely important. Each action on the network and the risk it presents of being caught or reacted to needs to be understood and analyzed. Rogue actions can be detrimental and lead to internal conflict as well as poor results. Documentation during the assessment should be everyone’s responsibility, but it is my experience that rotating one person to combine the results into the report leads to better results.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Every engagement is going to have required written or oral deliverables, but I have always been partial to the informal out-brief. This brief is free of managers and egos and is just a frank discussion of the things that were done with all who were involved. When it is done correctly, both sides benefit. Additionally, this is a great time to glean things that the organization did well or things the defenders would like you to emphasize for their bosses in order to secure support or funding.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
I believe that the first step in defending any environment is to map it. There is almost always a discrepancy between the number of machines an organization believes they have and how many they actually have. It seems so simple, yet there are often surprises that have been either forgotten over the years or never documented. You have to figure out what is there before you can ever hope to defend it.
What is some practical advice on writing a good report?
The unfortunate reality is that the report matters more to everyone else than to the person writing it. The best reports are accurate, concise, and engaging. Accuracy comes from documenting your actions and providing evidence of your findings and not overstating them. State the facts that your data points to. Concise writing prevents reader fatigue. If you have made it this far into my answers, you have likely discovered that I struggle with this. Figure out who on the team is good at it and have that person edit reports until everyone improves their writing style. Provide raw data and results as addendums. Finally, you want your reports to be engaging. Speak to the reader in a way that keeps them reading. Show them how much work went into the assessment and possibly inspire one of their admins to go into security.
How do you ensure your program results are valuable to people who need a full narrative and context?
The narrative is what differentiates a red team report from a pentest report, and for many it is where much of the value of a red team engagement comes from. What techniques did you use? What adversary were you emulating? Why did you choose that group over other groups? All of those questions should be answered in a red team report. The reader should learn not just what you did to them but how their environment could be realistically attacked in the future.
How do you recommend security improvements other than pointing out where it’s insufficient?
It is important to understand that you don’t know why decisions were made in an environment. It is so easy to recommend specific improvements without having any knowledge of business needs, which makes your recommendations potentially worthless and may actually serve to discount your findings entirely. Presenting findings with generic recommendations for how to improve their security posture is likely the best a true red team will be able to do. You need to have a better understanding of an organization’s needs to make specific recommendations in a lot of cases. You just don’t get that from the adversarial perspective.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
Empathy and passion are what I look for. Passion keeps you learning new technologies and not becoming complacent with the same techniques you have previously used. Empathy helps you predict what people would likely not have had time to devote attention to, and it helps you write a more effective report.
What differentiates good red teamers from the pack as far as approaching a problem differently?
Good red teamers are able to quickly evaluate attack surface. All testers rely on some sort of methodology, but a red teamer doesn’t need to flip every stone. They can look at an application or system and see where the quick wins or low-hanging fruit are and move on. I like to describe it as being in a dark room with one door. A typical tester will walk in every direction and will eventually find the door after touching most of the walls. A good red teamer will walk straight to the door and never touch the wall. It looks like magic, but being able to quickly identify attack surfaces is what separates a good red teamer from the rest of the pack. ■
6 Stephanie Carruthers
“The best way to get a red team job is to network. The goal when networking with people is building relationships.”
Twitter: @_sn0ww
Stephanie “Snow” Carruthers is a professional liar performing social engineering as a service for her clients. Stephanie specializes in using her social engineering skills to perform a variety of assessments, including OSINT, phishing, vishing, covert entry, and red team exercises. She works with clients of all sizes from startups to Fortune 100 companies in all industries, as well as government agencies. Since 2014, Stephanie has presented and taught at numerous security conferences and private events around the world. For fun, Stephanie has earned black badges for winning the Social Engineering Capture the Flag (SECTF) at DEF CON 22 and also The Vault, a physical security competition at SAINTCON 2017. Stephanie also enjoys traveling the world to see beautiful locations and meeting new people, like Larry, who just let her into your data center.
How did you get your start on a red team?
The short answer is slowly. I started my career by specializing in social engineering and physical security by working at different organizations, including an information security consultancy and government contractor, and I even started my own business. At each of these different types of organizations, I was able to grow and learn professionally in different ways. However, I still worked hard at developing and expanding my specific skill set.
In time and as a result of networking, a red team saw value in my specialized skill set and made me an offer. I brought a specific talent and value to the team. I think a common misconception about red teamers is that they must be jacks-of-all-trades, and that is not the case at all. Having a group of talented individuals in specific areas makes for a much more talented and capable team.
What is the best way to get a red team job?
I believe this answer is two-part. First, you need to develop a specialty. There is no doubt that solid, specific talent is a requirement. As Charley Bowdre once said, “You can’t be any geek off the street; gotta be handy with the steel if you know what I mean; earn your keep”!
The second part is