Question from a reader

Mr. S sent the following question. I answered him directly, but I thought it would be good to post this here as well.

Question:

I've been wanting to be on a red team for quite some time now. I've developed a skill in lockpicking and besides some of the more advanced security locks, I'm actually quite good. I also have pretty good working knowledge and experience in digital offense, navigating business logic, social engineering and planning. I've read books, I've read the site and I've reviewed a lot of material already at this point. I have an opportunity within the next year to help start a red team. While having these skills and knowledge is good, what is a good way to practically practice all of the above in one package? I've competed a little bit at DEF CON and other conferences and while they are great, waiting for one of these events to come around as training is not helpful. I have thought about doing some urban exploration and there are some ghost towns nearby, but these have some legally grey problems.... Any suggestions?

Answer:

Thanks for the email. Let me start by saying this straight. You DO NOT need anything of what you wrote to be a red teamer. They are good skills to have, but that doesn't make you a red teamer. Sorry.

It's all in the mindset. You have it or you don't. The rest, you can learn and apply. I've said this many, many times: it's all about the mindset. You can be the best hacker in the world, yet fail as a red teamer. If you can’t think outside the box, if you can’t find ways to bend the rules, to think like an attacker, to lie, to cheat and to really want to find a way to succeed, then you won’t be able to perform. You have to think like a bad guy. You have to see the six external sides of the cube and the six internal sides. At the same time. You have to be proactive, you have to be right there at the right time.

Having said that, the best way to practice is to go to a friend's company or your own company and run a full assessment. Try to analyze all the aspects, physical, digital and social, as one. Then find the vulnerabilities and try to understand how a bad guy can exploit them. Simulate that bad guy. Become that bad guy. But try to see which bad guy you want to simulate based on what you are attacking. You can't be all the bad guys at the same time. Beyond the fact that you will get discovered, it won't work. Adversaries have a specific objective based on the organization/company/group they are attacking. They have an end goal. Mimic that. Red teaming for the sake of red teaming is not red teaming. You have to red team yourself and see if you make sense.

I hope this helps. Yes, there is no single, easy answer.