An overview of the skills which make you valuable.

Credit: BYU Photo / EurekAlert

What Exactly Does a Red Team Do?

On a Red Team, you’ll be emulating, simulating, or otherwise pretending to be a particular threat actor, a set of threat actors, or a theoretical threat actor of your own design. Activities are usually encapsulated into individual operations or exercises. The purpose of these is to train the Blue Team, which consists of the groups or individuals responsible for various defense capabilities. This can be anything from application security to active defense.

On the Attack Lifecycle

It’s important, first and foremost, to understand the attack lifecycle (also called the cyber kill chain, or just the kill chain). This outline defines all the steps of how an attack might be carried out by a threat actor. Most Red Team operational work is executing on these steps, which are in service of a particular goal, often called “actions on the objective.”

Credit: Fireeye/Mandiant Consulting

What Role Should I Choose?

There’s a spectrum of skills Red Teams can use to best organize their capabilities into roles, and there is no one right way to do this. It helps, though, to group activities into two logical types: engineering and operations. This is a common strategy for all types of teams in technology.

What Skills Should I Work On?

Easy! Pick relevant skills you find interesting, and that make you a better technical communicator. Try these on, and see how they fit…

A selection of Red Team skills, and their role relevance

Offensive Mindset

As a career in security grows, all of the ways the world is duct tape and bubblegum begin to reveal themselves. Most systems are designed only well enough to achieve the task for which they were designed. It will be your job to pick those systems apart, and poke at the gooey innards.

Penetration Testing

Under the banner of penetration testing lies a lot of what might be classified as vulnerability assessment, but for the sake of argument, let’s just describe it here as the process of hunting for known vulnerabilities on networks or hosts.

Vulnerability Research

It’s not necessary, but it is often very helpful, for a Red Team to be able to develop its own 0-days. These are previously unknown vulnerabilities in either third-party or in-house developed applications.

Development

It cannot be stressed enough that the linchpin of a successful Red Team is its development capability. The best Red Teams will be nearly indistinguishable from standard application product teams: adapting formal development methods, using version control and releases, setting roadmaps, using CI/CD techniques, and writing tests. Most Red Teams do devops natively, if unknowingly.

Infrastructure

Red Team operators can work best when the busy work of setting up and maintaining the command and control (C2) infrastructure they operate on is someone else’s problem.

Networks and Systems

In the design and crafting of infrastructure lies all of the nuance required to maintain functional hosts and networks — reliably and securely. I can’t stress the securely enough.

Reverse Engineering

Reverse engineering is the process of analyzing something with the intent of figuring out how it works.

Social Engineering

Since what we call initial access for threat actors so often involves schemes like phishing emails, it’s important to understand how people might be susceptible to a bamboozle.

Physical Security

Some Red Teams include physical security within their scope of operations. This can range from something as simple as hiding a drop box somewhere on site to a full-on covert entry scenario. Don’t expect every organization to be excited about this. It’s a fun topic, but often not a risk organizations are interested in mitigating.

Threat Intelligence

Red Teaming requires multiple sources of threat actor tactical intelligence. This feeds the threat actor emulation portion of your tactical bucket. You can add new capabilities to your tools and documentation, each with a reference (such as a blog post) tying it back to that threat actor.

Detection and Response

The Blue Team will be your primary customer and opponent. They are the experts in the detection of events and the execution of incident response. Your Red Team will need to be able to predict the capabilities of the Blue Team, and use that knowledge to operate in the environment.

Technical Writing

Communicating highly technical issues clearly and with a broad audience in mind is challenging, but the importance cannot be overstated.

Training and Debriefing

All of the above skills build upon your ability to deliver on the educational goals of the Red Team.

Should I Go Internal?

Depends on what you want…

Can You Wrap This Up?

Finding what piques your interest in offensive security is step one, and a variety of skills are important to effective Red Teaming, so there’s absolutely no shortage of paths to employment there. Figuring out how you want to impact organizations is also important. Your biggest challenge will be to find an organization that has a functioning Red Team that shares your values, and is willing to grow along with you.

Break. Analyze. Repeat. Opinions do not reflect those of my employer.
