What differentiates good red teamers from the pack as far as approaching a problem differently?
Good red teamers are able to quickly evaluate attack surface. All testers rely on some sort of methodology, but a red teamer doesn’t need to flip every stone. They can look at an application or system and see where the quick wins or low-hanging fruit are and move on. I like to describe it as being in a dark room with one door. A typical tester will walk in every direction and will eventually find the door after touching most of the walls. A good red teamer will walk straight to the door and never touch the wall. It looks like magic, but being able to quickly identify attack surfaces is what separates a good red teamer from the rest of the pack.
6 Stephanie Carruthers
“The best way to get a red team job is to network. The goal when networking with people is building relationships.”
Twitter: @_sn0ww
Stephanie “Snow” Carruthers is a professional liar performing social engineering as a service for her clients. Stephanie specializes in using her social engineering skills to perform a variety of assessments, including OSINT, phishing, vishing, covert entry, and red team exercises. She works with clients of all sizes from startups to Fortune 100 companies in all industries, as well as government agencies. Since 2014, Stephanie has presented and taught at numerous security conferences and private events around the world. For fun, Stephanie has earned black badges for winning the Social Engineering Capture the Flag (SECTF) at DEF CON 22 and also The Vault, a physical security competition at SAINTCON 2017. Stephanie also enjoys traveling the world to see beautiful locations and meeting new people, like Larry, who just let her into your data center.
How did you get your start on a red team?
The short answer is slowly. I started my career by specializing in social engineering and physical security by working at different organizations, including an information security consultancy and government contractor, and I even started my own business. At each of these different types of organizations, I was able to grow and learn professionally in different ways. However, I still worked hard at developing and expanding my specific skill set.
In time and as a result of networking, a red team saw value in my specialized skill set and made me an offer. I brought a specific talent and value to the team. I think a common misconception about red teamers is that they must be jacks-of-all-trades, and that is not the case at all. Having a group of talented individuals in specific areas makes for a much more talented and capable team.
What is the best way to get a red team job?
I believe this answer is two-part. First, you need to develop a specialty. There is no doubt that solid, specific talent is a requirement. As Charley Bowdre once said, “You can’t be any geek off the street; gotta be handy with the steel if you know what I mean; earn your keep!”
The second part is the hard part. The best way to get a red team job is to network. The goal when networking with people is building relationships. As those relationships build, which is naturally a slow process, you must show that you can be trusted. The value of trust between red team members can’t be overstated.
How can someone gain red team skills without getting in trouble with the law?
I think this question is flawed. First and foremost, when people say “red team skills,” I feel like Inigo Montoya would say, “You keep using that word. I do not think it means what you think it means.” Red team skills aren’t anything more than working in a fast-paced team dynamic. The technical aspect of red teaming aside, you can get “red team skills” anywhere there is a fast-paced team dynamic, from McDonald’s to the military. Any time you’re required to work as a part instead of the whole, you’re working on red team skills. In fact, you’d have to go out of your way to gain these skills in an illegal manner with so many opportunities present. It’s just a matter of knowing where to look.
I’d be remiss if I didn’t talk about the technical aspect, though. This is where the trouble-with-the-law caveat in the question comes from. Twenty years ago, in 1999, this would have been a real problem. However, it’s 2019. Access to labs, capture-the-flag (CTF) events, blogs, YouTube, a vibrant and social information security community, university degree programs, high school programs (CyberPatriot), college programs (Collegiate Penetration Testing Competition, National Collegiate Cyber Defense Competition, etc.), and even paid training programs exist. The resources are here in abundance. You can’t go 30 seconds on YouTube without a Udemy ad trying to teach you ethical hacking. Even with the physical security portion, at the SAINTCON conference in Utah, I proudly help run The Vault, a physical security challenge that gives attendees an opportunity to practice attacks against physical security controls such as RFID cloning, lockpicking, request-to-exit bypasses, under- and over-the-door tools, alarm systems, biometrics, and so on. With all this information present, the bar to a technical skill set has been drastically lowered as compared to 20 years ago.
Why can’t we agree on what a red team is?
Spoiler alert: we can, and we have. However, there is a consumer education problem. Some in the information security industry want to do things “their way” or want to make new definitions for things to meet their abilities but add more markup to their services. This is unfortunate and contributes to the confusion of the consumer. Unfortunately, because the commercial sector doesn’t usually look to the government sector, many aren’t aware that the term red team has been defined for quite some time and is a very good definition.
In 2005 the Department of Defense released Manual 8570.01-M, which defines “red team” as
“An independent and focused threat based effort by a multi-disciplinary, opposing force using active and passive capabilities; based on formal; time bounded tasking to expose and exploit information operations vulnerabilities of friendly forces as a means to improve readiness of U.S. units, organizations, and facilities.”
In recent years, as this concept is expanded, I feel that this industry will naturally align with the 8570 definition much as PCI has helped drive the difference between vulnerability scan and penetration test.
What is one thing the rest of information security doesn’t understand about being on a red team?
Hot take: being on the offensive side doesn’t mean you’re on a red team. There is no red side. You’re confusing it with opposition forces (OPFOR). Stop saying you’re red or blue—this isn’t fucking gang territory, and you aren’t Bloods or Crips.
Many people think that a red team is a one-person show, which isn’t the case at all. A true red team has multiple team members and a lead. These team members work as a cohesive unit toward a common goal. There is no room to operate independently, which is difficult for many offensive testers as they are used to doing things their way at their pace.
When should you introduce a formal red team into an organization’s security program?
While this is a gut feeling, it’s a pretty easy one to come by. Consider how a company isn’t going to get the right value they need out of a penetration test if they have never done a vulnerability assessment and also have no patch management process. An organization is ready for red team assessments once penetration tests have diminished in value.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?