Tribe of Hackers: Red Team Edition

hacksplaining
3 min read · Jul 20, 2023


I have never been one to recommend any specific “red team” related book due to the ever-changing trends and threat landscape in Cybersecurity, and how often adversaries modify their tactics, techniques, and procedures (TTPs). MITRE’s ATT&CK matrix does a great job of documenting these TTPs, and is often the one resource I recommend to those starting their journey with Red Teaming, Threat Hunting, or Detection Engineering.

I do, however, recommend Tribe of Hackers Red Team written by Marcus J. Carey and Jennifer Jin.

Tribal knowledge from the best in offensive cybersecurity

The book interviews 47 industry experts in offensive security with ~20 questions related to their experience and journey into Red Teaming.

Below are a few of these questions, with some personal answers, but I highly recommend purchasing the book. It will provide guidance, inspire, and motivate you towards your first or next Red Team role.

How did you get your start on a red team?

I’ve always worked to pave my own path in Cybersecurity, applying to positions which were beyond my current capabilities. This forced me to constantly practice my craft and learn new skills along the way: building on the experiences offered in my current role, studying for certifications on my personal time, and always tinkering in my detections lab environment.

I found myself in an official red team role while enjoying years of Threat Hunting and Incident Response positions, across multiple industries. I always searched for ways to apply the red team mentality and related skills where I could, and build relationships with those on red teams for guidance and support.

What is the best way to get a red team job?

The “lather, rinse, repeat” of Cybersecurity: practice, skill building, and networking. I always advocate applying the idea of “red teaming” to your current role, and thinking about what you would do as a Red Teamer in that situation. My own experience involved a horizontal move to an internal red team position, where I was able to apply the red team mindset as a threat hunter.

When should you introduce a formal red team into an organization’s security program?

The maturity of an organization’s security program should directly influence the introduction of red teaming. If an organization has a formal incident response capability, appropriate visibility and ability to respond to custom detection logic (tailored for that environment), and also the “buy in” or support from management on what “red teaming” is, then they are on the right path towards introducing a formal red team (either internal or external).

What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?

This can be a multi-faceted question. I will always recommend restricting admin-level or elevated access, both on individual workstations and across the domain. This can prevent a number of techniques and capabilities with minimal effort. It is an important control, but there is no better strategy than to apply defense-in-depth, and never rely on a single capability or configuration.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

I can’t stress enough the value of relationship building or networking. Strong relationships with the blue team and other business stakeholders go a long way when you’re abusing gaps and misconfigurations.

If you’re looking for additional guidance on how to get involved in Cybersecurity or Red Teaming, Threat Hunting, or Detection Engineering, feel free to send me a message!


Cybersecurity 🔴🟣🔵 teamer - husband, father, dog dad, professional golfer (with a day job).