I know you’re supposed to be good and familiar with Metasploit. Or, java. Or, probably lockpicking, right? Or, is it vishing?
Here’s the gap I’m seeing – I haven’t been able to find reliable guides on developing a ‘red team’. And I’ll be honest – I like that phrase – the ‘read team’.
From what I’ve been able to tell, the culture that surrounds pentesting, red teaming, offensive security or how-ever-else you’re looking to be involved in ‘that side’ of infosec is sort of limiting. Not limiting in the way that some hobbies or activities have gatekeepers, but more from the standpoint of – at least by my perspective – it seems to be something that finds you. Or, it seems that positions where you would get time and experience in the field are a sort of thing that is offered to you as compared to maybe a SOC position, where you would apply / interview / onboard.
Maybe that’s a product of my situation, too. I own an IT company, so, I’m only really involved in information security positions from the perimeter. Sure, we roll out products to our client base that helps protect them from the big stuff. We chase certs to keep updated. I’ve taken to building out a few labs to learn about certain aspects of the offensive styles of security, too. Cool. So, how do ‘red teams’ get started?
Or, more specifically, how do commercially viable red teams get started.
Ovbiously, I’d figure that big players in business, healthcare, government and the other oft-targeted industries build out these teams as internal mechanisms to keep everybody sharp. But, what about the consultancy firms that do this stuff ‘on-call’?
Here’s where I can detect, maybe from some self-imposed imposter syndrome or misread Reddit posts that make me feel like I’m missing a handful of secrets that would otherwise allow me to start talking about these teams or their activities like I know something. That’s the thing, I think. I don’t really know a lot about how these teams function, how they close engagement opportunities, how they bill out their time or what mountains of knowledge and experience they possess.
One of the things that I’ve figured out in my adult life is one of those ‘simple, not easy’ principles of existing as a human. There’s some sort of line drawn between people who wish and people who work. I’ve applied that line of thinking to a good variety of stuff I already do. I don’t need the proof – I’ve lived through it. That line – the one that separates the workers from the wishers, can really only be tested by the work.
So, we’ve started. Because that’s the first thing required to do the work involved – to start. More labbing tools to understand how they interface with targets and could fit into a more complex framework. Performing phishing engagements with existing clients to sharpen the skills I’m really looking to develop – human based security. Networking with players in the field. To me – that’s starting. The planted seed of what I’m sure will be a multi-year project to get a trusted group of contractors together who can be called upon to work engagements with paying clients on the offensive side of the security round-table.
I wanted to start articulating this process to set into the archives of the internet the experiences of a leader (dare I say) who is crazy / stupid enough to actually try to spin something like this into existence. I’m going to post this in a few places and fully expect the spread of responses, from ‘fuck you, noob’ to ‘silently watching’. At the end of the day – I’m out here, starting, and I hope that makes somebody else want to start, too.