Red team members are ethical hackers hired by an organization to carry out real-world, advanced attacks. The work is worth considering if you’re a cybersecurity pro looking to make a distinct difference for organizations making a concerted effort to keep bad actors out. Red teaming includes “an element of breaking in and legally doing as much as you can under the radar, and that’s pretty fun,” says Curtis Brazzell, managing cybersecurity consultant with GuidePoint Security.

What is red teaming?

The National Institute of Standards and Technology (NIST) defines red teams as groups of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. Their objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks. They often work together with blue teams, which are a separate group of incident responders charged with defending against the simulated attacks instituted by the red team in a way that represents the organization’s current security posture. Both teams hope to demonstrate how a hacker might get in, the impact and how well security defenses can withstand an attempted attack. In recent years, the concept of purple teams has also risen to the surface.  A purple team can be a separate group of people, usually outside security consultants, who oversee red teams and blue teams. A single purple team might perform the functions of both red and blue teams or represent the need for integration between red team testing and blue team defenses.

What does a red team member do?

Most commonly, blue teams usually consist of security experts internal to the organization. On the other hand, red teams are hired as outside consultants who come in and conduct comprehensive security assessments using simulated cyberattacks. While their tactics likely include a penetration test, their work represents a broader scope that often addresses physical security considerations, employee understanding and network and endpoint vulnerabilities. Red team exercises are ideally done after initial pentests have already been conducted and applicable fixes applied. “A lot of guys on the team are lock pickers, or maybe you use RF (radio frequency) badge scanners,” Brazzell says of how their firm engages in red teaming. “Once inside, we see if maybe you can plug into an open port in a lobby, and then you analyze the wireless traffic. Maybe then we notice the local LAN isn’t segmented from the public, wireless LAN. Physical USB-type attacks, or Rubber Duckies as we like to call them, we’re still doing too, to see if we can’t compromise at least one workstation and then move laterally.” Critically crucial to every red team member is comprehensive security testing using tips and tricks they’ve learned over the years, along with buy-in and the necessary permissions from the organization’s upper management. Without permission, strategies become less ethical hacking and more criminal.  With red teaming, “you really have to approach your objectives as an adversary would,” says Amyn Gilani, chief growth officer at Countercraft. “Of course, you also need to make sure you’re sponsored by the correct entities so you don’t get into trouble when you do break something or gain access to something that you shouldn’t have.”   Another common component of red teaming is performing “tabletop exercises” together with the organization’s employees. In the exercise, a simulated cyberattack is executed, and then red team members can work with various areas of the organization on how to best handle the scenario.  This includes the incident response team and designees from the organization’s legal, human resources, public relations and other functional areas that should get involved when a real-life breach occurs. “That’s one of the great things about red teaming,” Gilani says. “It goes beyond just your technical chops. It really does challenge the entire organization of how to respond to adversaries within your network.” 

How do you become a red team member?

As is the case with most professionals in the cybersecurity industry, hard and fast education and experience requirements are not common. Most good red teamers came to their positions from various backgrounds and diverse expertise among individual members, making for a stronger team. Key to being a successful attack simulator, however, usually requires a broad knowledge of IT systems and networks and basic cybersecurity approaches, common threat types and attack vectors. Knowledge of basic programming languages is beneficial, Gilani says. Certifications and training will also help provide this foundation, and they will help you demonstrate to prospective employers you have what it takes.  A few popular red teaming and pentesting certifications to consider include:

Certified Red Team Operations Professional (CRTOP) Certified Cloud Penetration Tester (CCPT)  Certified Mobile and Web Application Penetration Tester (CMWAPT) CompTIA PenTest+ EC-Council Certified Ethical Hacker (CEH) 

You can also train on-demand via Infosec Skills, which includes popular learning paths and cyber ranges, such as Machine Learning for Red Team Hackers, Python for Pentesters and Ethical Hacking. Perhaps most important is an individual’s interest in security and a willingness to learn, Gilani says. “There are many online resources you can learn from, like capture the flags. This a really good way to get practical experience, in my opinion, and demonstrate that you are working toward this profession.” To learn more about working on a Red Team, watch the Cyber Work podcasts, Red teaming: the fun, and the fundamentals with Curtis Brazzell and Amyn Gilani, and Getting started in Red Teaming and Offensive Security with Curtis Brazzell.

Sources

Red Team, NIST Computer Security Resource Center Red Team/Blue Team Approach, NIST Computer Security Resource Center