I recommend using collaborative tools so everyone can see what their teammates are doing. Transparency always wins. One more thing, don’t be afraid to ask for help; that’s what teammates are for. If your teammate is an expert at a certain thing, simply ask for help.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Professionalism is the key. Since we are all human, feelings can come into play when debriefing internal and external blue teams. Always let them know you are on the same team as far as the big mission goes. If you do it right, they will have a detailed plan for how to correct any issues you discovered.
The hard part is when you help someone and then come back in the future and find that the same issues exist. Don’t get mad. Try not to get burnt out. Stay professional and try to help. You can lead a horse to water, but you can’t make it drink.
If you were to switch to blue team, what would be your first step to better defend against attacks?
I’m blue team for life, but I occasionally red team. The first step to being able to defend against attacks is putting policy in place and following it. I repeat, follow it.
People don’t implement policies because it feels cumbersome. Security policy should be looked at like a map. You may not be where the policy says you are, but if you don’t have a map, you’ll never reach your destination.
What is some practical advice on writing a good report?
My advice is to not reinvent the wheel—there are plenty of resources out there to describe vulnerabilities, exploitation, and risk scoring. Feel free to grab content from NIST, CVSS, or MITRE ATT&CK and cite them as references. Citing them as references actually boosts the credibility of your findings and report.
Use something like CVSS to help score the vulnerabilities that you find. MITRE ATT&CK is great for discussing exploitation techniques and suggested remediations. If you use those resources, the report will be easier to write for you and easier for the consumer to trust.
How do you ensure your program results are valuable to people who need a full narrative and context?
I think it’s important to use something that tells both sides of the story. I like things like the MITRE ATT&CK framework and the NIST Cybersecurity Framework because they both can be used to measure your actual capabilities and skill sets. It’s possible to be effective at cybersecurity without mastering all the skill sets. Pick three things and be the best at them.
The book From Good to Great talks about how great businesses understand what they are good at. We can apply the same thing to cybersecurity.
How do you recommend security improvements other than pointing out where it’s insufficient?
I always try to find some areas where organizations are doing some things right. So, low-hanging fruit for positive reinforcement is two-factor/two-step authentication, password length, and automatic updates.
Another way to help out as a red teamer, and one that builds camaraderie, is to understand ways to fix issues, whether on a system, on a network, or in code. I’ve sat side by side with Unix administrators helping them issue commands to harden systems. This is especially important if you are doing internal corporate red teams. At the end of the day, you are on the same mission.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
Empathy is a great skill to have when you are delivering bad news. As a red teamer, you are going to have to give some bad news every once in a while. Put yourself in the other person’s shoes and don’t be a jerk.
What differentiates good red teamers from the pack as far as approaching a problem differently?
I think good red teamers study and know how things work. I mentioned empathy before. A good red teamer can put themselves in the system administrator, network engineer, or software developer mind-set and solve the problems they are facing. A good red teamer is always hungry to improve their skills and help others do so as well. ■
2 David Bell
“There’s no ‘right way’ to become a red team member.”
Twitter: @operant
Dave is currently the director of the red team for General Electric (GE), where he leads engagements against strategic assets in many industries across the globe. Prior to joining GE, Dave spent 10 years with the U.S. Navy red team, where he planned, led, and executed engagements against all branches of the U.S. military, many government agencies, and even coalition partners. Dave is also a veteran of the U.S. Navy, where he spent 10 years in the intelligence and special programs communities.
How did you get your start on a red team?
I got my start in 2006 with the U.S. Navy red team as a contractor. I had just spent about six months working nights as an IDS analyst with another contracting company, and prior to that I was on active duty in the Navy, mostly in signals intelligence. I spent a lot of time leading up to my separation from the Navy studying for certifications and hacking on home-built networks. That was enough to get me in the door, where the real learning began! I spent 10 years with that team, converted to a government civilian, and was the deputy director by the time I left. I’m now the director of the red team at GE.
What is the best way to get a red team job?
This is a question I am asked quite often, and I still struggle to answer it. There’s no “right way” to become a red team member. I worked with one really smart guy who at one point drove bulldozers. Having said that, demonstrating the ability to think like an attacker is critical and can’t be taught. We can teach technical skills, but mind-set seems to be innate. If someone has the right mind-set, generally my advice is to pursue applicable training and certifications and get involved in capture-the-flag (CTF) events.
Like college degrees, the certifications tell me that the candidate is committed and will follow through, and the CTF events give me an idea how they will perform as part of a team. I also suggest starting with other InfoSec jobs, such as pentesting or incident handling.
How can someone gain red team skills without getting in trouble with the law?
This really shouldn’t be an issue anymore. There is a lot of training available, both online and in-person. Cloud platforms provide cost-effective learning environments, too; we no longer need to buy old gear from eBay or Craigslist to build a home lab.
Why can’t we agree on what a red team is?
Coming from the U.S. military red team community, I have a pretty strong opinion on the misuse of this and other terms with military roots. It’s tempting to blame industry marketing for this, but it really is a community problem. Penetration testing is a distinct and separate discipline from red teaming, and furthermore, there is a significant difference between internal red teams and consultant red teams. These differences can get quite confusing to customers who just want the best engagement they can get with the budget they have, and less principled teams might take advantage of this.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
Red team operations can be painfully boring. It’s mind-numbing, detailed, analytical work, punctuated by moments of sheer elation and