Findings: For every finding, you need to show the steps to re-create the finding and a risk rating to help the client prioritize the order of remediation.
Recommendations: Never provide findings without recommendations.
Review: Don’t forget to run spell-check. A client will start to question your work if they see grammar errors and misspellings in your report. Also, ensure your report is QA’d. Having a second set of eyes is always beneficial, no matter what. If your report comes back with red lines throughout, don’t take it personally. It’s not about you; it’s about the client.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
Hands down, soft skills. I can teach you technical skills or send you to training, but I can’t teach you manners, how to be on time, how to talk to clients, how to respond to teammates, and so on. One of the most nontechnical skills used in red teaming is communication. You have to be able to communicate with both your teammates and the client to be successful.
What differentiates good red teamers from the pack as far as approaching a problem differently?
A good red teamer knows where they fit into a team and how they can provide value. They also need to be outside-the-box thinkers. Often during assessments things don’t always go to plan, so being able to throw out ideas with teammates to figure out the best next steps is valuable.
7 Mark Clayton
“Passion is what drives you to continue to learn and constantly take on challenges because they are more interesting than watching your favorite Netflix show.”
Twitter: @bullz3ye
Mark Clayton (Bullz3ye) is a red teamer, security engineer, and application developer who can’t seem to choose between the three. Professionally he is a red teamer and security engineer but is always developing web and mobile applications at night. As of late, his primary focus has been on DevSecOps, where he is able to blend his security and development experience. Since a young age, Mark has been under the mentorship of a Cult of the Dead Cow (cDc) member, who showed him the ropes and taught him the security ecosystem, and he’s stayed true to those lessons.
How did you get your start on a red team?
I guess you could say my path was a bit unconventional. During college, I was originally cut out to be a software developer. My primary focus was building mobile applications on the Windows Phone…because that was going to take the world by storm. I even had a track laid out for me to potentially join Microsoft after my graduation—that is, until one day during my sophomore year a close friend of mine asked me to join his Collegiate Cyber Defense Competition (CCDC) team, and that’s really when it all changed for me.
About a month into training for the competition, I’m sitting at a CentOS terminal when this tattooed bald guy comes up to me and says, “You like this shit, kid?” I respond with, “Yeah, man, I’m having a blast,” nervously. He then simply says, “Give me a call tonight, man; we’ll chat.” This man was one of the mentors for my CCDC team, but what I didn’t know until later was that he was also cDc (Cult of the Dead Cow). Long story short, during the years I was about 18 to 20 years old he was my mentor. He taught me about the “old school days,” talked philosophy, pushed mandatory Phrack High Council reading material, and preached that FreeBSD is God. Over those years we became good friends, and eventually he said I was ready to join his team as a junior penetration tester, with a specific focus on the web. App sec came naturally for me since I was a natural software developer, so as I grew within the company, I was able to transition into the red team as the “web kid.” Ah, good times. Nowadays I just feel old, and I’m bald at 25.
What is the best way to get a red team job?
Honestly, I think that passion is everything. Passion is what drives you to continue to learn and constantly take on challenges because they are more interesting than watching your favorite Netflix show. Of course, you have to be technical, and it really helps if you know a little about everything but also a lot about one subject. Too often, people try to be the best l33t hacker and know everything about everything, until they realize exactly how vast the technical landscape is.
Understand that a red team is just that—a team. Every person plays their part and has their specialty. If you want to join a red team, I’d say double down on your specialty, stay passionate, and always be curious. I believe that this energy can be seen from across the room, and a candidate in this position will be a quick hire. You can always teach technical skills, but you can’t teach, much less force, passion. Also, get involved in the community and put yourself around others, and soon enough you’ll begin to hear about positions.
More practically, I would also say that taking the time to first be a blue teamer, system admin, software dev, or network engineer is key if it’s in your cards. How else will you be able to practically understand environments both culturally and technically if you’ve never been on the other side? I think the best red teamers are previous blue teamers, just like red teamers make fantastic incident response folks!
How can someone gain red team skills without getting in trouble with the law?
Now I’m young, but I would say that back in the day “teetering” on the lines of the law was a given. You didn’t have these massive amounts of CTF challenges, Hack The Box, vulnerable VMs, and training courses. The world was your lab, so you learned by doing…practicing on prod, baby! Today, things have changed. There is a plethora of training materials, classes, and labs to simulate real-world environments so that you can emulate the attacks all within the confines of the law.
Why can’t we agree on what a red team is?
Because it sounds sexy to be part of the red team, everybody wants to call themselves that. Red teamers are seen as the grown-up versions of penetration testers. You do penetration testing for a while; then you go to the big leagues, and now you’re red teaming! I’ve spoken to people who claim they are red teamers, and it’s just a team of one within the organization. There is no “I” in team. The allure of wanting to be classified as a red team has muddied the definition to the point where any offensive consultant says they are a red teamer because it is cool to say. You have to get back to the roots of where the term comes from.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
As a red teamer, your true goal is to help the blue team and emulate attacks and scenarios, not break everything and start celebrating (in front of the blue team at least). The red team is there to help the blue team, not break the blue team’s spirits and pillage villages. There is (or shouldn’t be) no red team without a blue team, even if the red team is a drop-in consultant shop. There is always an adversarial stance between the two, and it is reinforced on both ends. The blue team is mad at the red team, or the red team brags about owning the blue team. It isn’t about who wins; it’s about training together