How to Become a Red Team Hacker & Penetration Tester | Most FAQs

Motasem Hamdan
Apr 13, 2024

The most frequently asked questions on how to become a red team hacker and penetration tester, answered by experts from Tribe of Hackers.

What is the best way to get a red team job?

It is uncommon for people to start directly into red team jobs. The best way
is to have or gain a skill such as internetworking, system administration, or
software engineering and start out in a blue team role. Getting into a blue team role will allow you to gain cybersecurity experience and network with people in your dream role.

You can network internally and externally from your organization at
local events and regional cybersecurity conferences. There are a couple of
certifications tailored to red teaming that can get you noticed by red teams
looking to add some human resources.

You need to know your target audience, and then you need to impress
them. There isn’t just one type of red team job. There are quite a few subtle
differences between different companies/groups that perform this type of work.
From a high level, you’ll find that there are two major types of hackers in this field. Both have places on different red teams, and both are really cool. The biggest practical difference between the two will be in their clientele.

The first type of red team is the computer network operator–type team.
Their primary focus is going to be on access. They train to utilize hacking tools and frameworks, and they aim to impress. If you want to join one of these teams, you need to be focusing on training on breach simulation because that’s what their world is all about.

Their clients hire them to show exactly how an attacker might gain and leverage access to a network or system. This type of team is going to be dropped into a network, or onto a target system, with the goal of exploiting the system to its fullest extent and building a narrative they can present to the company’s executive team detailing how they got it done.

To join one of these teams, you almost certainly won’t need a bunch of certs, and you probably don’t need a college degree. What you do need are the skills to do the job and the guts to ask for it. To get there, find a team that you want to join, train until you’re ready, and then prove yourself by competing or contributing to the community.

The second type of team is the security engineering–type team. This type of team is less likely to be dropped into networks with the goal of “simulating” a literal breach. Instead, they are likely to spend their time creating and building and auditing complex solutions to hard security-centric problems with the goal of improving the technical sophistication and security of a given software or hardware system.

If you join one of these teams, you won’t spend your time trying to create a narrative to describe how exactly you accessed a network via a simulated hack. Rather, you will spend your time analyzing systems from a multitude of perspectives and then applying your knowledge to answer tightly scoped questions such as “If an attacker had access to this network, could they bypass our host whitelist?”

For both team types you’ll want some combination of computer science and information technology knowledge.

You can gain these things in school or on your own time. The type of team that you want to join will influence whether you should be learning Metasploit and Active Directory or cryptology and software engineering.

Once you know what it is exactly that you want to do, simply learn
those skills and send in an application.

How can someone gain red team and penetration testing skills without getting in trouble with the law?

I recommend downloading virtual machines and web applications that have vulnerabilities on them when trying to learn at home. There are plenty out there; just be careful and don’t put them on the internet because they will be compromised in short order.

If you don’t have permission from the system owners to test or run tools, you are probably violating some law. If you are trying to get into red teaming, try to exploit only the systems that you own or systems that you have explicit written permission to exploit.

Join the bug bounty programs and start hacking away. These companies are providing an incentive for bug hunters to find bugs, so they offer you training on their websites to get you started.

HackerOne and BugCrowd are just two of the companies, but this space I believe will be crowded in the next few years. The company that wins this race will be the company that provides the most value to its community by going above and beyond for them. They can be providing you with every tool and training there is, but you must put the work in and type away on your keyboard to develop those skills to earn the bounties.

Coding would be one of the easy ones. And this has an almost unlimited
number of paths where you can spend time. You can write tools that do fun
security-related things that will teach you things as you go. I think everyone should write a network port scanner at some point and make a real effort to understand how a socket really works. You can play with other people’s code to learn how they conquer interesting challenges in the offensive security space.

Learn enough code to understand how fantastic projects like BloodHound really work so that you can talk about what they are really doing in depth. Pluralsight has a ton of great content on Active Directory (AD). Set up AD in a lab and try to manage it for a few weeks.

This ties into what I think of as a classic answer to this kind of question, which is to build a lab. I would say this is almost a must. I have several labs I use on a regular basis. I recently purchased a laptop where I have a mini-Windows lab.

I use Hyper-V to create a domain controller with one or two joined members. It just so happens this laptop is also great for gaming. The trick with the lab is to make it flexible and go use it. Install EDR or AV and try to get past it. Understand what works and what doesn’t and why.

Social engineering and physical access skills are a bit more challenging to acquire without on-the-job training. Social engineering CTFs exist along with organizations like TOOOL that can help guide people to be better at lockpicking or physical access attacks. In the end, you’ll need to do the engagements with that get-out-of-jail-free letter.

On the electronic attack side of things, copious opportunities exist, including capture-the-flag (CTF) events, bug bounty programs, vulnerable hackable systems (Hack The Box, VulnHub, tryhackme, and so on), and vulnerable software repositories and local virtual machines/Docker containers. Coupled with thousands of hours of conference videos and online training, there is more material out there than someone could ever expect to consume.

Pick a topic that interests you and go to work.

Here are a few helpful resources you might want to explore:

  • SANS.org
  • Cybrary.it
  • PenTesterLabs.com
  • github.com/enaqx/awesome-pentest

The key to moving from Novice toward Competent is consistent, deliberate, hands-on practice. The resources will provide a treasure trove of guidance that will enable you to chart a course based on your available resources.

A few guiding principles will assist in avoiding criminal and legal issues while developing your offensive security skills:

  • “First do no harm.”
  • Don’t break into places you don’t own/have legitimate access to.
  • When in doubt, refer to the first point.

When should you introduce a formal red team into an organization’s security program?

I believe that everyone in information technology and software engineering should know how to build, secure, and hack anything they are in charge of. My crazy vision is everyone always threat modeling and red teaming everything they do.

You don’t need to have red team as your title to utilize red team skills. I always say, “Hack more. Worry less.”

How do you explain the value of red teaming to a reluctant or nontechnical client or organization?

I believe the best way to do this is to explain that even though the red team has an adversarial role, internal and external red team goals are aligned in the sense that we all want to protect sensitive data and critical systems. To keep the trust over time, red teams should always avoid showing up blue teams and internal stakeholders. You can only do this by working closely as a team. It takes only one bad experience to potentially ruin these relationships.

What’s the most important and easiest-to-implement cyber security controls that can prevent you from compromising a system or network?

I’m going to go with restricting administrative privileges for end users. I’ve seen firsthand how this drastically reduces infections on a network. This simple control applies to organizations of any size. Restricting privileges is easy to implement and scale.

Why do you feel it is critical to stay within the rules of engagement?

The only difference between a good person and a bad person is that the good person follows the rules. Violating the rules of engagement breaks the trust between teams. If you violate the rules of engagement, you may be breaking the law as well.

The combination of a strong password policy and mandatory two-factor authentication on all critical services commonly results in major headaches on a red team. The larger an organization, the more difficult this can be to roll out, but for small and medium businesses this can be a quick win that grows with the organization while being enabled with a small budget.

Passwords are the bane of information security right now. 2FA/MFA is a solution, but it is still cumbersome or impossible to incorporate into the authentication platform a company uses. Most pentests and red team assessments that I perform these days start with some kind of initial foothold into the organization, and then the hunt for credentials begins — API keys, SSH keys, passwords, anything that can get me to a higher level or more access than that toehold.

This is why I think a company should require the use of password managers for all work-based authentication; this includes API keys (vaulting products help make this a reality). A way to force this is to change your internal password minimum to something like 40 characters. Initial login (in order to get to the password manager) can be done via a smart card, FIDO, or another token-based product. Even mobile devices these days can act as FIDO devices, which would remove the need to deploy and manage a fleet of devices for authentication.

System-level firewall rules. Restricting the ability for systems to communicate with each other can make lateral movement around a network difficult or impossible. It can be difficult to execute from both planning and technical aspects, but I think it will provide immense value if done correctly. I often ask people, “Do your workstations need to be able to communicate on port X?” to which the answer is almost always no.
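Two of the answers above point at the same hands-on exercise: writing a port scanner to learn how a socket really works, and asking whether workstations actually need to talk to each other on port X. The following Python example is added here by the editor and is not code from the page or from the Tribe of Hackers contributors. It classifies a TCP port from the socket's point of view (handshake completed, RST received, or silence until the timeout, which is what a host-firewall DROP rule looks like to a connect() scanner) and then checks a lateral-movement policy against the result. The policy table, the loopback listener and the port names are constructed for the example; run it only against hosts you own.

```python
"""TCP port state as seen by connect(), plus a host-firewall policy check.
Added example; the listener, ports and policy below are constructed."""
import errno
import socket
import threading


def tcp_port_state(host, port, timeout=1.0):
    """Classify one TCP port the way a connect() scanner does.
    open        - three-way handshake completed (something is listening)
    closed      - peer answered with RST (ECONNREFUSED)
    filtered    - no answer before the timeout, the signature of a DROP rule
    unreachable - the local stack could not even route to the host
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        s.close()


def check_lateral_movement_policy(host, policy, timeout=1.0):
    """policy maps port -> service name for ports that a workstation should
    NOT expose to other workstations. Returns the (port, name) pairs that
    are reachable, i.e. the firewall rules are missing or not effective."""
    violations = []
    for port, name in sorted(policy.items()):
        if tcp_port_state(host, port, timeout) == "open":
            violations.append((port, name))
    return violations


def start_local_listener():
    """Bind a throwaway listener on 127.0.0.1 (constructed test target) and
    accept in a daemon thread; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))       # port 0: let the kernel pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed, stop the thread
                break
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def unused_local_port():
    """Find a loopback port with nothing listening, so connect() gets an RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed policy: services that workstations rarely need from each
    # other (port numbers are the standard ones, names are for the report).
    WORKSTATION_POLICY = {445: "SMB", 3389: "RDP", 5985: "WinRM"}
    srv, listening = start_local_listener()
    print("listener port:", tcp_port_state("127.0.0.1", listening))
    print("unused port:  ", tcp_port_state("127.0.0.1", unused_local_port()))
    print("violations on localhost:",
          check_lateral_movement_policy("127.0.0.1", WORKSTATION_POLICY))
    srv.close()
```

When the firewall rule is a DROP, the result for that port is "filtered" and the scan waits for the full timeout; a REJECT rule shows up as "closed" instantly. Either one keeps the port out of the violation list, which is the point of the answer above.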

How does the red team work together to get the job done?

If you are working with a team, communication is the most important element. Split up work and ensure you document everything that you do on an engagement. Trust is important as well, because I’ve seen situations where team members lose faith in their teammates.

I recommend using collaborative tools so everyone can see what their teammates are doing. Transparency always wins. One more thing, don’t be afraid to ask for help; that’s what teammates are for. If your teammate is an expert at a certain thing, simply ask for help.

What is some practical advice on writing a good penetration testing report?

My advice is to not reinvent the wheel — there are plenty of resources out there to describe vulnerabilities, exploitation, and risk scoring. Feel free to grab content from NIST, CVSS, or MITRE ATT&CK and cite them as references. Citing them as references actually boosts the credibility of your findings and report. Use something like CVSS to help score the vulnerabilities that you find.

MITRE ATT&CK is great for discussing exploitation techniques and suggested remediations. If you use those resources, the report will be easier to write for you and easier for the consumer to trust.

What differentiates good red teamers from the pack as far as approaching a problem differently?

I think good red teamers study and know how things work. I mentioned empathy before. A good red teamer can put themselves in the system administrator, network engineer, or software developer mind-set and solve the problems they are facing. A good red teamer is always hungry to improve their skills and help others do so as well.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

When I am talking to candidates, I am looking for positive attitudes and strong internal drive/motivation. Red teamers will often find themselves neck-deep in mind-numbing analysis, the results of which could determine the success of the engagement.

Therefore, it is important that candidates are able to motivate themselves to keep going, not lose sight of the objective, and not complain that they’re “not doing cool stuff.” Red team work is usually pretty boring, minus the moments of sheer adrenaline when that shell finally comes back, so candidates need to give the impression that they have the patience and determination to accomplish the mission.
