What differentiates good red teamers from the pack as far as approaching a problem differently?
The degree of caution displayed. In some environments, one bad packet can kill your access. Good folks will test in a lab/VM environment first before trying it live on the wire. ■
10 Ronald Eddings
“From my perspective, the best way to get a red team job is to get involved in the red team community.”
Twitter: @ronaldeddings
Ronald Eddings is a Silicon Valley–based cybersecurity expert, blogger, and digital nomad whose ingenuity, dedication, and ambition have all earned him a reputation as a trusted industry leader. Over the course of his career, Ronald has garnered extensive experience working at various Fortune 500 companies and mentoring a multitude of fellow professionals. In addition to cybersecurity, he is well versed in software development, DevOps, and artificial intelligence. Currently, Ronald serves as a cyber fusion engineer at a cybersecurity startup and is an active contributor to several open source projects. He also holds a bachelor of science degree in information technology and an array of cybersecurity certifications.
How did you get your start on a red team?
My experience with red team, pentesting, and offensive operations came in phases. Before starting my career, I had a fortunate opportunity and became connected with hackers in the InfoSec community by being in the right places at the right times. When I first met Marcus J. Carey, I was still in high school and happened to be reading my first book on Linux.
Through Marcus, I met other hackers like Johnny Long, Marco Figueroa, Joe McCray, and many more. Through seeking and receiving mentorship, I learned that I could thrive in the field, and there was nothing in my way except for reading the material and understanding that mastery does not come all at once. At the time, there were not as many jobs for red teaming, pentesting, or anything attack related. Initially, I spent a great amount of time learning about how devices communicate and how to code in Python, JavaScript, and Ruby. Coincidentally, building a foundation of knowledge in those areas happened to be what the industry was looking for. Learning these topics did not come with ease but did make for a better time when interviewing and striving for my degree. While attending community college, I submerged myself in the newly organized InfoSec club and competed at events like Collegiate Cyber Defense Competition (CCDC). After mentioning my experiences to my college professor, I learned that he was a senior associate at Booz Allen Hamilton and recently opened a job requirement for a red team. Fortunately, I had stayed close with the idea that mastery does not come overnight and had been consistently making an attempt to become more versatile in the tools and programming languages available. When the time came to interview, I did everything to prepare—great meal, full night of rest, and showing up early to the interview. Since I was prepared and also had a reference, the opportunity was serendipitous and less stressful.
What is the best way to get a red team job?
From my perspective, the best way to get a red team job is to get involved in the red team community. There are many public events, conferences, and meetups that happen in various cities and online. It can also be a great start to participate and volunteer at conferences. This could be a significant start to diversify your peer group and ultimately strengthen your skills. Another strategy to get involved is to participate in CTFs and other public challenges. Practicing your craft for a set amount of time with a new set of challenges always goes a long way.
How can someone gain red team skills without getting in trouble with the law?
There has never been a better time to ethically obtain red team skills. Virtualization enables practitioners and enthusiasts to rapidly deploy infrastructure and applications. Today, my personal preference is Docker, which assists in creating a playground to attack devices and try new tools on various operating systems. To get started, there are many resources available such as books (e.g., Tribe of Hackers), online courses, conferences, and much more. My recommendation would be to become curious about what makes technology vulnerable and how to protect against attacks.
Why can’t we agree on what a red team is?
It’s probably a good thing that there are differences in red team definitions. Challenging current assumptions and searching for new solutions are what a red team is built on. I promote and encourage following a standard or setting out for a more optimal solution, since each organization has different requirements.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
A falsehood that I hear commonly is that a team has a single or few purposes. Red, blue, and purple teams have overlapping responsibilities with several teams. In fact, there are some red teamers who are doing more blue team work due to a lack of blue team resources. What can be toxic is attempting to stick to a single lane and not completely participating with the organization as a whole.
When should you introduce a formal red team into an organization’s security program?
It can be difficult to determine when is a good time to introduce a red team into an organization. I’d measure a few key things: I’d assess if an organization had an incident response plan. If so, I’d ask, does the organization have a team to gather data and respond to such incidents? Lastly, I’d ask, does the organization have the capability and tools to eliminate and proactively protect against threats? If all of these are true, it may be time to introduce a red team. I’ve seen organizations invest in an existing team member to go to conferences and trainings to assist in building a new red team, which can go a long way if done with care.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
With the growth and demand for InfoSec practitioners, red teams are appearing and growing to a larger size. Articulating the value of a red team is best done when threat research is done in concert. A red team that understands threats can perform more realistic tests based on previous attacks and events. Through documentation, it can be trivial to share details and metrics on what an organization is vulnerable to.
What is the least bang-for-your-buck security control that you see implemented?
To reverse the question, the most bang-for-your-buck control would be training. It’s easy to buy a product and hope that it works. Vulnerabilities often exist because of a lack of training or hard-to-follow processes. Receiving training and optimizing processes go a tremendous way. As mundane as it may sound, regular security awareness training is effective—and serves as a precursor to red team tests.
Have you ever recommended not doing a red team engagement?
My background is working with larger organizations, which I’ve always found needing/requiring a red team engagement. The attack surface/landscape has grown by several orders of magnitude and is proof that security integration is continuous and ongoing. With the rise of applications, APIs, and IoT devices, there are always quite a few red flags identified. Red teams can help flag and assess these vulnerabilities to ensure other attackers are not taking advantage of such issues.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
A firewall. There’s very little reason for many ports to be able to communicate outside of your organization. Most modern firewalls can also assist with creating rules that block malformed application