Get Stuff Done: Red Team Edition
“The most important advice I give to young people is … just learn how to get stuff done,” Obama explained. “I’ve seen at every level people who are very good at describing problems, people who are very sophisticated in explaining why something went wrong or why something can’t get fixed, but what I’m always looking for is no matter how small the problem or how big it is, somebody who says, ‘Let me take care of that.’”
Projecting an attitude of “whatever it is that’s needed, I can handle it” at work, the former president added, will help you build a strong rapport with your co-workers and managers. “Whoever’s running that organization will notice, I promise,” he said.
Get stuff done. This is such simple, excellent advice from former President Barack Obama. In the workplace you will undoubtedly encounter people who have mastered the art of looking busy or people who create the perception of value by completing significant amounts of work that isn’t necessarily impactful. As Obama said, they can (and will) talk at great lengths about lots of things, and it will probably even sound impressive too. Don’t do this.
If you’re really interested in getting ahead, develop a solid understanding your company’s and department’s priorities and figure out what truly impactful work looks like specific to those priorities for your individual team. Then focus your efforts on those things.
To put a red team twist on this, let’s say you’re working on red team assessment with a few other team members. There are two weeks remaining on your assignment, and you have stumbled into something that piques your personal interest. Let’s say it’s the ability to exfiltrate data over DNS from the client environment. You know the team has already identified numerous other exfiltration avenues that are not detected by the SOC; however, this is a good opportunity for you to finish a module for an offensive security tool that you eagerly want to release on GitHub. So, you tinker with your tool and do some additional testing against the client environment while your teammates shoulder the bulk of the remaining work. When it’s time to write the report, you add a section to the report that places much emphasis data exfiltration over DNS and the client’s inability to detect. After all, you’ve given multiple conference talks on this topic and already had some existing content that you could repurpose for this report. Unfortunately, you ran out of time to develop detailed recommendations but hopefully no one notices that little detail. In this instance, you may have created the appearance of getting stuff done and the perception of value because you added a section in the report that sounds impressive and cool. However, was it the most meaningful work? Did you provide value to the client? Did you screw your team over in the process?
Unfortunately, I’ve seen lots of similar scenarios like this over the years. If you really want to become indispensable and stand out from everyone else, then get stuff done, yes, but make sure it’s the right stuff. If it’s only benefiting you, it’s probably not the right stuff.
And if you’re writing red team reports, always make sure to include solid recommendations for your clients. They don’t care about how cool your tools are.
