Everyone loves buzz words, no? Red team is the newest (well... not that new) coolest thing on the streets of information security city and many cybersecurity pros want to jump right in and become involved in Red team activities at their company.
However, there is more to being a Red team member than just signing up. In this blog post I will lead you down a path will first explain what a Red team does, the different types of Red teams that generally operate and finally how you can become a Red Reamer.
What is Red team?
A little history. According to some sources the name Red team has its roots in the U.S. military. During the Cold War wargame exercises would divide a force into two teams. Red (playing the Soviet Union Forces) and Blue (acting as the U.S. and NATO side.)
In the cybersecurity industry, a Red team exercise (also referred to as an adversary simulation) contains penetration testers who are hired to conduct a simulation of how hackers might attempt to breach a company’s defences.
I Like It, Where Do I Sign?
To become a Red teamer one does need to have a certain skills set. Trustwave recommends a potential Red team member should have:
Strong networking knowledge – Knowing how a network works is very important, understanding how services work in large networks will help you understand where the weaknesses are likely located.
Be willing to get your hands dirty with some code – Being a Red teamer is not pushing a button and walking away. There is a lot of thought and research going into each Red team activity and no Red team is the same. Many times we are required to perform changes on the fly and know how tools work.
Be passionate – Everyday new tools, techniques or patches are released; what you exploited last week might not work this week, what was not possible last week might be possible this week. A new tool came out? Open it up, read the source code, run it in a lab to see what it does, understand what it can or can’t do, understanding the code will help you understand new things and help you get better at what you do. It’s an ever-changing field so staying on top of your game by knowing the newest techniques is a necessity.
Collaboration and knowledge sharing – Four eyes are better than two, while you can be the best Red teamer in the world and hack the client’s network all by yourself, having another person to doublecheck your work, or suggest additional will benefit both yourself and the clients.
Learn the difference between penetration testing/Red team/bug bounty/purple team - it’s important to understand the difference in each task and way of doing things between these four different types of assessment.
Vulnerability assessment – Basically validated scanning that is used to identify vulnerabilities, but not to exploit them.
Penetration testing - The goal of penetration testing is to identify the degree of control over supplied target systems an attacker could gain either from the Internet (if external) or from a position of having gained access to a private internal network (if internal), and within the limited time also identify as many different ways that such compromises could be obtained.
Red team -The goal is the crown jewels, it doesn’t mean you need to get DA, if DA will help you achieve the goal (e.g. get to the client private database instance with all HR records) then go for it, but a lot of the time it’s not required. The goal is to avoid detection and gain access to the predefined goals. While Red team exercises usually longer than penetration testing that is because we are trying to avoid detection at all costs, the Blue, or defending, team shouldn’t be aware that a Red team has started.
Bug bounty – Bug bounty goals are offered to help companies improve their security posture continuously (over a long period of time) by rewarding a researcher on issues he/she reports, each issue will equate to a certain amount of rewards. The difference here compared to penetration testing is that you are paid per finding, compared to penetration testing where you get paid for your time and not issues.
Purple team – Is a more collaborative way of working, collaboration between the Red and blue team. A Red team will attempt to execute a technique, for example injection into a different process, the Red team will communicate that in this time X we performed action Y and find out if the blue team detected it, if they did – great - move to the next technique. If not help them tune their security tools to identify the technique.
Additional Resources
The following resources are good places to start your journey into Red team:
Certifications/Labs:
- Red team Ops by Zero-Point Security – This course provides the basic techniques that will be used in Red team, the labs are great and the author (@_RastaMouse) explains very well how things works.
- Attacking and Defending Active Directory by Pentester Academy – A great overall course that will provide you information on not only how to attack, but also how to fix (which is a very important skill in Red team), knowing what’s the best way to mitigate issues and fix them (you can be sure that a client will ask you how to mitigate an issue during debrief). Nikhil Mittal is a legend in the industry and explains the topics very well.
- PEN-200 and PEN-300 by Offensive Security – While not specifically about Red teams, these courses will provide you with the background and skills to perform Red team.
- There are many other companies that offer Red team training but are more expensive (as usually they are done with an instructor explaining all the topics), companies like SpecterOps, SANS, Nettitude, FortyNorthSec and many more.
- HackTheBox Pro Labs – HackTheBox (HTB) Pro labs are a great place to practice your Red team skills. Starting from easy labs such as Danta to extremely difficult labs such as Cybernetics. Additionally these labs are relativity cheap and you can jump into the labs on your free time.
Books:
- The Hacker Playbook – All the Hacker Playbook series (3 books) are great, really detailed and interesting way of explaining about issues and solving them in a methodical way. The third book in the series focuses on Red team operation on goes from A to Z on how to conduct one, including what tools to use and how to interpret the results.
- How to Hack Like a Pornstar – You won’t be able to put down the book - Sparc Flow explains really well and in an interesting way about procedures and ways to conduct operations.
- Red team Development and Operations: A practical guide Paperback – Written by Joe Vest the Technical Director for Cobalt Strike. This book looks at all the Red team process from a management perspective, everything you need to know from A-Z about how to run a successful Red team, including terms, reporting, best approach, maximizing impact and more. Highly recommended.
Sites/videos:
- iRed team – One of the most useful sites when it comes to Red team, loads of useful information on doing each step in a Red team engagement.
- The Hacker Recipes – Quite a new site, but loads of useful information on how to perform certain types of attacks.
- Red team Operations with Cobalt Strike (YouTube series) – These 9 videos by Raphael Mudge are the best guide on how to conduct Red teams using Cobalt Strike. Must watch for anyone getting into the field.
- Twitter – I know I wouldn’t have made it in the field without keeping up to date on the latest techniques, tools and producers (TTP). I browse twitter frequently to find new tools and articles on the latest and greatest TTPs.
As always, SpiderLabs can assist you with training and development if needed.
Trustwave SpiderLabs recommends its clients perform multiple scenarios, this way we can help test different components of the organization’s security posture. For example, perform an attack surface review to cover any external assets, assumed breach compromise scenario and a phishing scenarios are great to check employee’s security awareness.
