Tribe of Hackers Red Team. Marcus J. Carey

Page 20


Mark Clayton (Bullz3ye) is a red teamer, security engineer, and application developer who can’t seem to choose between the three. Professionally he is a red teamer and security engineer but is always developing web and mobile applications at night. As of late, his primary focus has been on DevSecOps, where he is able to blend his security and development experience. Since a young age, Mark has been under the mentorship of a Cult of the Dead Cow (cDc) member, who showed him the ropes and taught him the security ecosystem, and he’s stayed true to those lessons.

How did you get your start on a red team?

I guess you could say my path was a bit unconventional. During college, I was originally cut out to be a software developer. My primary focus was building mobile applications on the Windows Phone…because that was going to take the world by storm. I even had a track laid out for me to potentially join Microsoft after my graduation—that is, until one day during my sophomore year a close friend of mine asked me to join his Collegiate Cyber Defense Competition (CCDC) team, and that’s really when it all changed for me.

What is the best way to get a red team job?

Honestly, I think that passion is everything. Passion is what drives you to continue to learn and constantly take on challenges because they are more interesting than watching your favorite Netflix show. Of course, you have to be technical, and it really helps if you know a little about everything but also a lot about one subject. Too often, people try to be the best l33t hacker and know everything about everything, until they realize exactly how vast the technical landscape is.

Understand that a red team is just that—a team. Every person plays their part and has their specialty. If you want to join a red team, I’d say double down on your specialty, stay passionate, and always be curious. I believe that this energy can be seen from across the room, and a candidate in this position will be a quick hire. You can always teach technical skills, but you can’t teach, much less force, passion. Also, get involved in the community and put yourself around others, and soon enough you’ll begin to hear about positions.

“If you want to join a red team, I’d say double down on your specialty, stay passionate, and always be curious.”

More practically, I would also say that taking the time to first be a blue teamer, system admin, software dev, or network engineer is key if it’s in your cards. How else will you be able to practically understand environments both culturally and technically if you’ve never been on the other side? I think the best red teamers are previous blue teamers, just like red teamers make fantastic incident response folks!

How can someone gain red team skills without getting in trouble with the law?

Now I’m young, but I would say that back in the day “teetering” on the lines of the law was a given. You didn’t have these massive amounts of CTF challenges, Hack The Box, vulnerable VMs, and training courses. The world was your lab, so you learned by doing…practicing on prod, baby! Today, things have changed. There is a plethora of training materials, classes, and labs to simulate real-world environments so that you can emulate the attacks all within the confines of the law.

Why can’t we agree on what a red team is?

Because it sounds sexy to be part of the red team, everybody wants to call themselves that. Red teamers are seen as the grown-up versions of penetration testers. You do penetration testing for a while; then you go to the big leagues, and now you’re red teaming! I’ve spoken to people who claim they are red teamers, and it’s just a team of one within the organization. There is no “I” in team. The allure of wanting to be classified as a red team has muddied the definition to the point where any offensive consultant says they are a red teamer because it is cool to say. You have to get back to the roots of where the term comes from.

What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?

As a red teamer, your true goal is to help the blue team and emulate attacks and scenarios, not break everything and start celebrating (in front of the blue team at least). The red team is there to help the blue team, not break the blue team’s spirits and pillage villages. There is no (or shouldn’t be a) red team without a blue team, even if the red team is a drop-in consultant shop. There is always an adversarial stance between the two, and it is reinforced on both ends. The blue team is mad at the red team, or the red team brags about owning the blue team. It isn’t about who wins; it’s about training together to make the organization’s security posture stronger as a whole.

When should you introduce a formal red team into an organization’s security program?

When you can actionably digest the results of the red team’s findings. If your security program is immature and you don’t do any threat modeling, letting a red team loose throughout your environment will tell you what you already know—that your security program needs work. First take the time to understand your environment, your security controls, and your potential pitfalls. Once that happens, you can start to bring in the attackers and see where you stand.

How do you explain the value of red teaming to a reluctant or nontechnical client or organization?

Reinforce the fact that we are here to help, not break everything and walk away. This goes back to the natural adversarial stance between the two. We are here to emulate your worst-case scenarios in a controlled fashion, and afterward we will be here to help every step of the way. Too often, people see red teamers as those who create more work or leave a bigger headache once the engagement is done, and so they are reluctant to perform red teaming.

“Reinforce the fact that we are here to help, not break everything and walk away.”

What is the least bang-for-your-buck security control that you see implemented?

Yeah. Definitely antivirus.

Have you ever recommended not doing a red team engagement?

Absolutely. I’ve gotten requests to have a red team engagement on X environment to demonstrate impact or “see how secure it is.” There have been several times when doing an “offensive” architecture review or a review of the security controls in place may be more effective. This allows the customer to understand the theoretical attacks and how we would approach them, assume successful attacks, and approach implementing security controls accordingly.
