So, you want to be a Red Teamer

I posted this already back in 2013, but in light of the recent number of emails I thought it would be wise to repost this again, this year.

The questions often asked are the following:

  • How do I get into a Red Team?
  • What do I learn?
  • What degree would you recommend for something in this field?
  • Should I get a certification?
  • Do I need to have military experience to be in a Red Team?

I'm adding the following based on comments from readers:

  • I'm learning hacking so I think I can be a great asset to your Team, how do I apply?
  • I was in IT for 10 years so I know computers, how do I get into your Red Team?
  • I have 4 different certifications and I would like to start my career on a red team...

I'll try to answer this the best way I can; however, there is no definitive answer to this. If you are expecting a "read this, learn that" guide, then you really don’t know enough to even begin to try. There is no simple answer like that.

I’ve been learning and continue to learn what I do for over 16 years. And even before that, I was involved in low-level system programming and crypto, and I was also in the military, working on small teams.
Becoming good in the digital security and red teaming worlds takes years. It usually involves learning a large number of things, from coding to networking, to the inner workings of operating systems, web technology, database and other information management theory, etc, etc. But most importantly: it requires the right mindset.
You can be an expert in these technologies, however if you can’t think outside the box, if you can’t find ways to bend the rules, to think like an attacker, to lie, to cheat and to really want to find a way to succeed, then you won’t be able to perform.

Then there’s the physical security knowledge if you want to go that path. Not needed, but sometimes it’s required...

A lot of people think that since they have a background in IT, programming, or system administration then they are ready and can grab a book or two and presto! They are instant security experts. Unfortunately it doesn’t work like that. They might have an advantage over someone that doesn’t know anything at all, at least on the technical side, but they are still far from being there. I’ve been at this for a long time and I am always finding things I don’t know anything about and need to learn. Often quickly and under stress, often by myself.

Then you have the certifications. I trust experience over ANY certification. I find most of them useless. There are some good ones, but not really needed for this job, in my opinion.

So, in short, how can you learn this? Where do you start? Tough question.
I would go for a degree in computer science. Nothing fancy. A degree that gives you the basics on programming (you will need this to write your own tools and exploits, and to understand how programs work to find vulnerabilities), Operating System theory (to understand how OS’s work and how to exploit them), information theory, some math (especially Boolean math), database theory, etc. Physics would also work, in my experience.
Once you have that you can move to a 2nd degree in information security; however, at this point I would just try to go to a private org. or school and take one of the courses they offer (like ethical hacking, although I hate that term), or get a job at a company that does information security so you can start learning the trade, or find an intern position at a large security company doing the dirty work for a pentester. Learn the craft and you’ll be on your way.

If you want to focus on the physical side of this, then you need experience that maybe a law enforcement organization or the military can give you. You can always go to private courses, but it's a tough craft to learn.

Now for the hardest part: the mindset. You can't learn it. You either have it or not. You can either think like an attacker or not. You can either think outside the box or you can't. You have to be able to see things from the front, side, top and bottom, at the same time. See the connections between things that are not connected. Bend the rules in front of you. This is not something you can learn easily, if at all. Usually you need to have it and then you need a good team leader to help you polish it and focus it. You have to be interested in a large number of things: warfare, philosophy, physics, math, marketing... Just to name a few. You need to view the entire problem and swallow it whole, but at the same time you have to be able to separate the different parts that make the puzzle and work with each one independently.

Yes, there is no easy answer.

So, you still want to be a Red Teamer?