The question that everybody asks... Again

I posted this already, but in light of the last 50+ emails I received in the past 3 days I thought it would be wise to post this again.

OK, these are the questions everyone asks: how do I get into a red team? What do I learn? What degree would you recommend for something in this field? Should I get a certification? Do I need to have military experience? I'm adding to this the following: I'm learning hacking so I think I can be a great asset to your team, how do I apply? I was in IT for 10 years so I know computers, how do I get into your red team? I have 4 different certifications and I would like to start my career on a red team...

I'll try to answer this the best way I can; however, there is no definitive answer to this. If you are expecting a "read this, learn that and you are done" kind of answer, then you really don’t know enough to even begin to try. There is no simple answer like that.

I’ve been learning and continue to learn what I do for over 16 years. And even before that, I was involved in low-level system programming and crypto, and before that I was in the military. Becoming good in the information security world takes years. It usually involves learning a large number of things, from coding to networking to the inner workings of operating systems, web technology, database and other information management theory, etc., etc. But most importantly: it requires the right mindset.
You can be an expert in these technologies, however if you can’t think outside the box, if you can’t find ways to bend the rules, to think like an attacker, to lie, to cheat and to really want to find a way to succeed, then you won’t be able to perform.

Then there’s the physical security knowledge if you want to go that path. Not needed, but sometimes it’s required...

A lot of people think that since they have a background in IT, or programming, or system administration then they are ready and can grab a book or two and presto! They are instant security experts. Unfortunately it doesn’t work like that. They might have an advantage over someone that doesn’t know anything at all, but they are still far from being there. I’ve been at this for a long time and I am always finding things I don’t know anything about and need to learn. Often quickly and under stress, often by myself.

Then you have the certifications. I trust experience over ANY certification. I find most of them useless. There are some good ones, but not really needed for this job, in my opinion.

So, in short, how can you learn this? Where do you start? I would go for a degree in computer sciences. Nothing fancy. A degree that gives you the basics on programming (you will need this to write your own tools and exploits, and to understand how programs work to find vulnerabilities), Operating System theory (to understand how OS’s work and how to exploit them), information theory, some math (especially Boolean math), database theory, etc. Once you have that you can move to a 2nd degree in information security; however, at this point I would just try to go to a private org. or school and take one of the courses they offer (like ethical hacking, although I hate that term), or get a job at a company that does information security so you can start learning the trade, or find an intern position at a large security company doing the dirty work for a pentester. Learn the craft and you’ll be on your way.

If you want to focus on the physical side of this, then you need experience that maybe a law enforcement organization or the military can give you. You can always go to private courses.

Now for the hardest part to learn: the mindset. You can't learn it. You either have it or not. You can either think like an attacker or not. You have to be able to see things from the front, side, top and bottom, at the same time. See the connections between things that are not connected. Bend the rules in front of you. This is not something you can learn easily. Usually you need to have it and then you need a good team leader to help you polish it and focus it. You have to be interested in a large number of things: warfare, philosophy, physics, math, marketing... Just to name a few. You need to view the entire problem and swallow it whole, but at the same time you have to be able to separate the different parts that make the puzzle and work with each one independently.

Yes, there is no easy answer.