TryHackMe’s Red Team learning path

The infosec training platform raises the bar in cultivating the next generation of hackers

After many weeks — perhaps even months — of hard work, TryHackMe has finally published their Red Team learning pathway. This is arguably one of the finest “learn-by-doing” attempts to teach anyone in the I.T. field, from entry-level to experts, the various techniques that are employed by members of the Red Team in offensive security engineering. In this article, I will discuss what Red Teaming is and how TryHackMe can be a useful platform for anyone to learn the skills needed to enter the field.

Full disclosure: This post is written as part of a contest that TryHackMe is running, so there will be some incentive, bias and referral links on my part.

Image Source: TryHackMe website (n.d.)

Introduction

In the context of cybersecurity, a Red Team can be defined as “a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture” (National Institute of Standards and Technology, n.d.). Their job is to help technicians, administrators, and defenders of their respective domains improve their security posture and avoid the attacks of bad hackers.

Why join a red team?

While I will confess to having a somewhat selfish motive in writing this article — that is, to get tickets and prizes from the TryHackMe platform — I do have an altruistic motive as well. I do hope the best for everyone, and do not intend to mislead anyone and try to provide the best information that I can. Furthermore, I would like to encourage the reader to do their own research regarding what kind of careers they want to enter.

With that said, I will start out by saying that red teaming, legal hacking, or I.T. in general, is not for everyone. It takes a combination of traits regarding intelligence and personality, as well as the motivation to do it.

Do you get a “high,” for lack of a better term, when exploiting a bug in a computer system to gain initial access? Do you like solving novel problems and building skills and knowledge through hands-on means? Then you may want to consider penetration testing, or the focal point of this article: red teaming.

With regards to careers and income, the “red team” position is rather lucrative — and there are many job openings available. The following are the result of cursory searches on popular job boards:

• Indeed (c.a. Sept., 2022) has listed 1,355 jobs in the United States that involve the keyword “red team.” The first ten job reported annual salaries at six-figures or $100 dollars per hour.
• Monster (c.a. Sept., 2022) has listed at least 320 jobs in the United states that involve the keyword “red team.”¹
• ZipRecruiter (c.a. Sept., 2022) has listed 149 jobs in the United States that involve the keyword “red team.”
• LinkedIn (c.a. Sept., 2022) has listed over 27,000 jobs in the United States that involve the keyword “red team.”

Furthermore, the United States Bureau of Labour give us indirect evidence that red teamers can make a decent living. They report a median income of $102,600 dollars per year and a projected² job growth rate of 35% for “information security analysts”— which is “much faster than average” (BLS, c.a. Sept., 2022). The graphic below depicts summary statistics regarding the cybersecurity job market derived by the U.S. Bureau of Labour:

From (BLS, c.a. Sept., 2022)

Of course, the lucrative aspects of a cybersecurity job is not enough that is needed to coax someone into entering the field. One must have a desire to learn new things and find creative solutions to problems in order to be successful in a red team.

What kind of people makes up a red team?

While, to my knowledge, there have not yet been standards established for what roles an individual can fill when joining a red team, I have found some potential specialties with a wee bit of research:

• The operations lead devises the tactics, techniques and procedures by which the team will execute their attacks, as well as assessing performance (INE, 2021).
• The “external network hacker” (after Mitnick Security, 2020) uses techniques in domain scanning and vulnerability injection to gain initial access into a target computer system.
• The “malicious insider” (after Mitnick Security, 2020) will pose as a member of an organisation and gain initial access to their computer systems from inside the organisation.
• The “social engineer” (after Mitnick Security, 2020) uses techniques in social psychology to manipulate people into behaving in a manner that helps the red team gain initial access to the target computer system. The social engineer may engage in “low tech” approaches such as dumpster diving or simply looking up their targets in a phone book.
• The researcher or “exploit engineer” (after Esage, n.d.) does vulnerability research and builds tooling to exploit those vulnerabilities to gain initial access into a system.

At the risk of not sounding repetitive, I am not aware of any standardisation of red team assignments, so I do encourage the reader to explore it further.

TryHackMe’s Red Team path

TryHackMe recently released their Red Team learning path:

TryHackMe | Cyber Security Training

The path’s content

TryHackMe’s red team learning pathway is arguably one of the most thorough offensive security engineering pathways on their entire website. It goes over the following topics and subject matters:

• The Fundamentals: which include setting up the engagement, operational security, setting up command-and-control infrastructure and more!
• Initial access: like the name suggests, this section involves gaining access with techniques like spear phishing, password cracking. It also discusses the process of reconnaissance and weaponisation of hacking toolkits.
• Post compromise: This section discusses what to do after gaining initial access. Techniques like privilege escalation, persistence, lateral movement, data exfiltration and more are discussed.
• Host evasion: This section discusses techniques for evading antivirus and intrusion detection and/or prevention systems by first giving a foundation in Windows internals programming. Then, techniques such as shellcoding, abusing Windows internals, bypassing Windows’ user account control, and more are discussed.
• Network security evasion: Like host evasion, but at the network level 😉 — techniques discussed are firewalls, sandbox evasion and the various kinds of network security solutions.
• Active Directory: Microsoft Windows is perhaps the most used operating system for corporate networks. To fill the demand for red teamers familiar with Microsoft Windows and their Active Directory platform, this section discusses how Active Directory works, and applied the red team methodology to hacking an Active Directory-based organisation.

Why TryHackMe?

I must confess that I am also biased in how I report the positives of TryHackMe. After all, I am doing this as part of a tickets and prizes contest. But nonetheless, I do genuinely like the platform. Its interface is very intuitive, it is both easy enough for a newbie (like myself) and challenging enough for a seasoned cybersecurity expert, and it has a fun community!

Again, this is all just my silly opinion. I would like to let the reader know that there are other platforms like HackTheBox and CTFLearn that are interesting in their own right. I do recommend TryHackMe if you’re an absolute beginner though — it does the best job in helping newbies out in my (very biased) opinion.

If you do decide to sign up for TryHackMe, if you can sign up using my referral link, that would be much appreciated 😘

TryHackMe | Cyber Security Training

Summary

So let’s recap:

• In infosec, Red Teaming is the latest “hot job” out there.
• TryHackMe is offering a learning pathway that’ll skill you up to become a red team hacker (and give you all other kinds of fun challenges).
• The reader can visit their website here: https://tryhackme.com
• … and check out their red team path here: https://tryhackme.com/path/outline/redteaming
• … and sign up here (referral link 😉): https://tryhackme.com/signup?referrer=3b16c3872b9397677fc67e2b36a96bd4982f85e9

If you do decide to be a red team hacker, I wish you the best on your journey!

Endnotes

1. In Monster.com, the logic that I used to work out this raw count is that a page, as expressed through the &page= parameter, has 10 jobs listed. The parameter is incremented by “scrolling down” by means of a responsive web design. I scrolled down to the point that the parameter was set to &page=32 . I then multiplied 10-by-32 to obtain the raw count estimate of 320 jobs.
2. For the sake of reporting the “full picture,” it should be noted that economic projections have their limitations. Taleb (2008) discusses the perils of economic forecasting, and Atkins (2022) demonstrates large errors in economic forecasting models. In my non-expert opinion, the reader should exercise a healthy dose of scepticism when consulting job growth projections.

[NOTE: Last updated 11 Sept., 2022]