alt="Closeup image of the cybersecurity community advocate and startup founder "Marcus J. Carey.""/>
Twitter: @marcusjcarey • Website: https://www.linkedin.com/in/marcuscarey/
Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of protecting government and commercial sensitive data. He started his cybersecurity career in U.S. Navy cryptology with further service in the National Security Agency (NSA).
How did you get your start on a red team?
The funny thing about my red team journey is I wasn’t technically a paid red teamer until I got fired from a job and had to make ends meet. I picked up work at an East Coast consultancy doing penetration testing and product development.
I was able to gain red team skills by working at the Defense Cyber Crime Center (DC3). There I did research, taught, and did course development. Amazingly, I had access to all the red team tools that you could imagine, plus every digital forensics tool on the planet. I also had the pleasure of working with a guy named Johnny Long who was quite the hacker and red teamer himself.
I’m extremely lucky to have been in those positions to prepare me for a red team role. Today, open source tools dominate the red team space, making it possible for more people to get familiar and practice.
They say luck is when preparation meets opportunity. It sucks that I was laid off, but it was a blessing to have red team skills to pay the bills.
What is the best way to get a red team job?
It is uncommon for people to start directly into red team jobs. The best way is to have or gain a skill such as internetworking, system administration, or software engineering and start out in a blue team role. Getting into a blue team role will allow you gain cybersecurity experience and network with people in your dream role.
You can network internally and externally from your organization at local events and regional cybersecurity conferences. There are a couple of certifications tailored to red teaming that can get you noticed by red teams looking to add some human resources.
How can someone gain red team skills without getting in trouble with the law?
I recommend downloading virtual machines and web applications that have vulnerabilities on them when trying to learn at home. There are plenty out there; just be careful and don’t put them on the internet because they will be compromised in short order.
If you don’t have permission from the system owners to test or run tools, you are probably violating some law. If you are trying to get into red teaming, try to exploit only the systems that you own or systems that you have explicit written permission to exploit.
Why can’t we agree on what a red team is?
I think it’s human nature to want to differentiate from each other, especially in a competitive environment like the cybersecurity community. What I have learned is that there are only so many ways to solve problems. Many times we end up with the same solutions to the same problems we see. We end up having different names for the same thing. The old saying “There are no new ideas under the sun” is proven right every time I talk to people trying to solve the same issues.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
There is a natural conflict between the red team and the blue team caused by a mixture of bad experiences and misunderstandings. I think the toxic bit sometimes comes from people making mistakes like taking down servers or leaving malware on endpoints. The problem is that everyone hears red team horror stories, and there isn’t a lot of data that backs anything up.
When should you introduce a formal red team into an organization’s security program?
I believe that everyone in information technology and software engineering should know how to build, secure, and hack anything they are in charge of. My crazy vision is everyone always threat modeling and red teaming everything they do. You don’t need to have red team as your title to utilize red team skills. I always say, “Hack more. Worry less.”
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
I believe the best way to do this is to explain that even though the red team has an adversarial role, internal and external red team goals are aligned in the sense that we all want to protect sensitive data and critical systems. To keep the trust over time, red teams should always avoid showing up blue teams and internal stakeholders. You can only do this by working closely as a team. It takes only one bad experience to potentially ruin these relationships.
What is the least bang-for-your-buck security control that you see implemented?
Antivirus.
Have you ever recommended not doing a red team engagement?
I certainly have. I recommend that the organization start with vulnerability management and getting policy and governance into play. I see too many organizations out there getting “penetration tested” for compliance. I put those words in quotes because organizations are typically getting a limited-scope vulnerability scan.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
I’m going to go with restricting administrative privileges for end users. I’ve seen first hand how this drastically reduces infections on a network. This simple control applies to organizations of any size. Restricting privileges is easy to implement and scale.
Why do you feel it is critical to stay within the rules of engagement?
The only difference between a good person and a bad person is that the good person follows the rules. Violating the rules of engagement breaks the trust between teams. If you violate the rules of engagement, you may be breaking the law as well.
If you were ever busted on a penetration test or other engagement, how did you handle it?
One of the most embarrassing things I ever did related to red teaming is owning a USB thumb drive with a volume name of Marcus Carey. I ended up using the thumb drive in a server, and the forensics software detected the device that had my name on it.
I’ll never make that mistake again. I’m sharing this story so it doesn’t happen to you. Sharing is caring!
What is the biggest ethical quandary you experienced while on an assigned objective?
The biggest ethical quandary is being intentionally deceptive in spear phishing and social engineering. This is primarily because you could cause actual harm to people and their livelihoods on the other side of the phish.
One of my mentors would always ask for a few executives to be in scope in every engagement so management couldn’t blame it on their staff. He wasn’t satisfied until an executive
