that you are excited about your l33t hacker hacks, but you’re not here to brag. Sometimes you have to be able to step out of the terminal and understand the true objective.
What differentiates good red teamers from the pack as far as approaching a problem differently?
I think it all boils down to the ability to adapt. You see a lot of red teamers fold when the tricks they already know fail or the tutorials they read aren’t giving them shell. I’ve seen several cases where the big break is right on the other side of banging your head against the wall because you are at the point of giving up. Being able to go that next step and leave the realm of comfort makes all the difference. Lastly, I think it goes without saying that a good teamer “thinks outside of the box.” In this case, the box would be the comfort zone and the tricks you know so well. ■
8 Ben Donnelly
“There isn’t just one type of red team job. There are quite a few subtle differences between different companies/groups that perform this type of work.”
Twitter: @Zaeyx
Benjamin Donnelly is an omni-domain engineer and the founder of Promethean Information Security LLC. Ben has worked as part of teams hacking such things as prisons, power plants, multinationals, and even entire states. He is most well known for his research projects, including his work on the DARPA-funded Active Defense Harbinger Distribution. Ben has produced a number of field-leading advancements, including the Ball and Chain cryptosystem. He has spoken at Derbycon and BSides Boise and has contributed content to multiple SANS courses. Outside of cybersecurity, he can often be found skydiving, producing underground electronic music, or starring in indie films.
How did you get your start on a red team?
I competed in a high school cyber-defense competition called Cyberpatriot. My team did quite well, and from there I managed to talk myself into getting invited to come out and compete in the first-ever NetWars tournament of champions. At this point, my entire skill set was still entirely from a blue team perspective—that was the only thing that Cyberpatriot had trained us in. Recently graduated from high school, where else was I supposed to learn the black arts (“red arts”?)?
But it turns out that my specialized blue team skill set quickly transitioned into red cell activity. I didn’t win my first run at NetWars, but I did score in the top ~10 percent. Considering my age and that I was competing against professionals, I think that impressed some people. This got me a few job offers, and I took one working for a SANS instructor. I was supposed to just be an intern, but I kept throwing out knowledge and hard work. It wasn’t long before I was getting called in to help with penetration tests, and my job title officially changed to penetration tester/security researcher.
What is the best way to get a red team job?
Define “best.” If what you value is an interesting story, then perhaps your best way would be to do the old “black hat captured by FBI and forced to hack for good.” Of course, assuming that your idea of best is to (as soon as possible) have a strong, well-paying, prestigious job “hacking things” legally, then there are a few things I can recommend.
You need to know your target audience, and then you need to impress them. There isn’t just one type of red team job. There are quite a few subtle differences between different companies/groups that perform this type of work. From a high level, you’ll find that there are two major types of hackers in this field. Both have places on different red teams, and both are really cool. The biggest practical difference between the two will be in their clientele.
The first type of red team is the computer network operator–type team. Their primary focus is going to be on access. They train to utilize hacking tools and frameworks, and they aim to impress. If you want to join one of these teams, you need to be focusing on training on breach simulation because that’s what their world is all about. Their clients hire them to show exactly how an attacker might gain and leverage access to a network or system. This type of team is going to be dropped into a network, or onto a target system, with the goal of exploiting the system to its fullest extent and building a narrative they can present to the company’s executive team detailing how they got it done. To join one of these teams, you almost certainly won’t need a bunch of certs, and you probably don’t need a college degree. What you do need are the skills to do the job and the guts to ask for it. To get there, find a team that you want to join, train until you’re ready, and then prove yourself by competing or contributing to the community.
The second type of team is the security engineering–type team. This type of team is less likely to be dropped into networks with the goal of “simulating” a literal breach. Instead, they are likely to spend their time creating and building and auditing complex solutions to hard security-centric problems with the goal of improving the technical sophistication and security of a given software or hardware system. If you join one of these teams, you won’t spend your time trying to create a narrative to describe how exactly you accessed a network via a simulated hack. Rather, you will spend your time analyzing systems from a multitude of perspectives and then applying your knowledge to answer tightly scoped questions such as “If an attacker had access to this network, could they bypass our host whitelist?”
For both team types you’ll want some combination of computer science and information technology knowledge. You can gain these things in school or on your own time. The type of team that you want to join will influence whether you should be learning Metasploit and Active Directory or cryptology and software engineering. Once you know what it is exactly that you want to do, simply learn those skills and send in an application.
How can someone gain red team skills without getting in trouble with the law?
For me it was competitions. I kind of got dragged into them when I was quite young. I was in a cadet program in high school that gave me the opportunity to compete in Cyberpatriot back when it was just getting started. This competition opened my eyes to information security, though it didn’t really give me red team skills. What it did do was to prepare me to be able to understand and parse red team contexts.
You can easily and legally learn the basal skills required to be ready to quickly transition into a red team role by working in computer network defense–type roles. You’ll learn about what it is that attackers do as you learn to anticipate them. And far more importantly, you’ll learn how to play with infrastructure.
Look, certainly part of red teaming is knowing how to actually exploit a system. You will need to know SQLi and XSS, and you will need to know how to pop a shell and pivot through it. Those specific things will not use up even half of your time. Even when you’re actively “hacking,” you will spend the vast majority of your time on building, manipulating, and traversing infrastructure.
If you want to be an amazing red cell member, here’s what you need:
Massive ability to manipulate infrastructure (gained from IT training)
Massive ability to manipulate software systems (gained from CS training)
Massive ability to manipulate social systems (gained from psychology training/high empathy/life)
I left out a few skills there, such as time management and report writing, but you get the idea. In the end, the crazy cool “hacker” things do not exist in a void. They are just the other sides of various coins you’re already familiar with.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
Many people think what we do is magic. In the past, I’ve met incredibly intelligent and well-spoken