
Oh, okay, we're going live. Okay. All right, Shelster, if you want to go: three, two, one, go.

All right, thank you everyone for tuning in to my talk, "So You Wanna Be a Red Teamer". Sorry for the technical difficulties. If this is not the talk you wanted to be at, there should be another channel on YouTube. All right, let's get started.

So, just a quick overview of who I am: my name is Shelby Spencer. I'm currently a senior red team member at FusionX, and I have about 10 years in red teaming and pen testing work in general. So today we're going to talk about what skills, traits and experience I think are necessary for
people to be good at red teaming and to get into that industry. So this will be kind of an overview of those tools and techniques, as well as some advice for people getting started in the industry. Obviously this talk is my opinions, and it's worth exactly what you paid for it, so keep that in mind.

All right, so the first question you should ask yourself if you want to get into red teaming is: should you get into red teaming? And particularly, do you have the qualities and traits that are necessary to be good at this type of work? And a list of those traits that I think are really important is as follows. First, and this is
really probably the most important one: you need to be efficient at assimilating large amounts of new information. You're going to be going into environments all the time with technology that you've never seen before, and learning new techniques constantly as the industry changes, and you need to be good at taking in all that new information and figuring out how to weaponize it and use it effectively. So that would be my first key trait of a good red teamer, I think.

Next is consistency. If you're going to be doing red teaming, you're going to end up doing a lot of the same type of things. Maybe you find some vulnerability in a client's environment, and it's a
very manual process, and it's not something that's easily automated, and maybe there's 100 servers and, you know, one of them is related to your objective. You might have to sit there and try the same manual technique 100 different times in a row, and you need to be the kind of person who can sit there and do that consistently. And when you're done, you need to be able to be confident that you've covered all of that ground in a consistent manner, so that you can tell the client for sure whether the vulnerability exists, and be able to say that with confidence. So you have to be able to not just stop
when it gets hard. And that kind of gets into the next point, which is tenacity. It's along the same lines: just being able to be dogged about what you're doing, even when it gets boring, even when you're writing that 60-page report for the customer.

The next skill set I think that's really useful is adaptability. Again, you're going to be seeing a lot of different technology and using a lot of different techniques that could vary very much from engagement to engagement. So one engagement might start as an external web application type test that pivots to an internal Windows environment, and then the very next engagement you're on might be, say, a social engineering engagement
where you're doing badge cloning and walking in and attacking Mac computers in a zero trust environment. So being able to be flexible in the tools and techniques you know and how you apply them is very important.

The next big one is stress management. This is definitely a very stressful job. You're going to constantly be going up against new clients where it's really important for you to make a good first impression. You're going to have tight deadlines and timelines, you're going to have to put together exploits and chain them with very short amounts of time, and you've got to be professional during that entire process. So being able to manage stress is definitely a key skill. And to that note,
I notice there's another talk today about burnout, which is related, and I definitely would recommend checking out that talk later today if you're interested in this kind of work, because it's a very real problem in our industry.

Humility is really important, and more specifically a lack of ego. You're going to run into things that you don't know and you haven't seen before, and you need to be the kind of person who knows when they don't know something and can admit that and reach out for help, either from your teammates or from the internet at large, and just knowing what your limitations are so you don't break something, because you'll often be situated in a client's environment
in a place where you can do a lot of damage if you're not careful, and knowing when you should stop and when you should take a breath is really important.

And last, integrity. Obviously the kind of work we do in any other scenario would be incredibly crooked, would be incredibly dishonest and bad, so it's important to maintain a good sense of integrity and honesty about what you're doing. You're going to be in environments where you could do a lot of damage or potentially steal millions of dollars, and it's important to keep the ultimate goal in mind, which is to help customers get better at preventing real bad guys. So if that's not you,
again, don't do this type of work, because there's going to be a lot of temptation there.

So now that we've covered these basic traits, that are not so much skills but just features of you that are necessary or will help make you a better red teamer, let's start talking about specific skills that can help you on your path. The first skill is programming. To be a good red teamer, you need to be a good programmer. You will constantly be in an environment where you need to quickly hack together tools, maybe modify existing tools to help you build payloads, or even just writing quick parsing scripts to parse large, you know, gigabytes or even terabytes of data to
find the information you need. So the first set of skills that you should be building if you want to get into this industry is that you need to be proficient with both Linux or Unix type tools and Windows command line scripting. So on the Unix/Linux side, that's things like bash and awk, sed, grep, cut, tr, those type of commands. There's of course many others that I didn't mention here, less, head, tail, all of those type of things that you will need to use, but basically pick at least a couple of those tools that allow you to quickly parse text documents and pull out specific values, and get very proficient at doing
that. A good way to learn this stuff is just pull down large data sets that are public and try and filter and cut out specific pieces of information until you can do that very quickly and effectively. On the Windows side, you really don't have any other options than PowerShell. The good news is on both sides these scripting languages are everywhere, and they can also be used offensively, so not just for parsing stuff; it's also useful from the offensive side to have a good handle on these languages.

The next thing is you should have at least one popular general purpose programming language that you're very proficient at. So that would be a language like one of these. I've kind of listed
them from left to right in terms of which ones I think are more valuable to know, but that's definitely personal opinion. You will find in the red team and pen testing world that Python is kind of ubiquitous, and it's also installed in virtually every Linux system you run into, so it's a very good tool set to have. Ruby is obviously an interpreter, and that whole Metasploit framework is written in Ruby, so it's still pretty popular, though I think recently Python's been gaining a lot more usage. Perl is a good one just because it's been around forever, and again it's on pretty much every Linux, Unix and BSD box you'll ever run into.
And lately I've been seeing a lot more tools being written in Node. So pick one of those at least and become very good at it, and generally having a good sense of the other languages that I mentioned here is a good idea.

And then lastly, make sure that you're proficient in at least one cross-platform compiled language. So that would be these type of languages. You should definitely be able to find your way around C and C++. C# is really good for Windows exploitation, and also you can of course run it in a Linux environment using Mono. Golang is great because it's hard to reverse engineer and it's cross-platform; it's very easy to write code that will
work everywhere, and that could be a really valuable tool when you're breaking into various environments. And then lastly, Rust is starting to gain some traction, so that's possibly another good route to go.

So after programming, let's talk about kind of another more general skill, which is generalizing your knowledge. The majority of red teaming, in my experience, is knowing how to ask the right questions and then where to find the right answers. There's just too much information for you to know; you can't know everything about what you're going to face. So being able to find what you need to know on the internet and ask the right questions is really important, and the more tidbits of general
knowledge you have, the more programming languages you understand, the more systems you understand, the easier it is for you to ask the right questions. So again, instead of focusing too much on knowing all the details of a couple things, try and learn a little bit about everything that's related to your industry.

Kind of the opposite of that, it's a good idea to specialize in a couple areas, and that's particularly useful when you're trying to get a job. The reason for that is companies love to have people that are experts in very unique areas that they're likely to run into, and it greatly increases your value in an environment to an employer if you
can look at, if they can go to you for one or two areas that they're likely to encounter. And some of those areas might be one of these. There are others, but here's kind of a list of things that you might want to specialize in. So again, if you look at this list, these are definitely areas that not every red teamer has a lot of skills in, but you could make a name for yourself in, and that you're likely to run across.

And this is again one of those kind of general things that I've been kind of hitting on before. This is generally a good life lesson or skill set, but it's very important in
red teaming: you should always be asking yourself, what do I have and what do I need? Those two questions will help you chain together your various exploits and environment and help you be effective at achieving your goals. I'm not going to get too much into the differences between pen testing and red teaming, but definitely in the red teaming world you're very much more goal oriented. It's not "own everything"; it's find a system of weaknesses and vulnerabilities that you can chain together to get to your objective. So being able to think tactically like that is a very valuable skill set, and these questions will help you do that.

All right, the next skill set: hacking the
human. Hacking systems and finding vulnerabilities in software is a lot of what we do, but honestly we probably spend three quarters of our time going after people, because humans don't get regular firmware updates, so they're a lot easier to go after. So what I mean by that is learning how to exploit human psychology. That includes things like understanding how people pick passwords, and particularly how they pick weak passwords, how people tend to take passwords and duplicate them across environments, building effective phishing lures. And all of this requires you to make peace with the fact that hacking humans is not nice. You're taking advantage of psychological vulnerabilities that we all have, you're taking advantage of pressure
points, and you need to be able to make peace with that idea that you're doing something that's fundamentally kind of sleazy, but you're doing it for good reason.

So along those lines, you need to be able to build rapport. That could take the form of multiple emails back and forth, building some camaraderie with a potential victim before you send them a payload. That could be being friendly and setting someone at ease if you're doing a physical penetration test. So learning those skill sets and being able to make people feel comfortable around you and feel like they can open up to you is definitely a good skill set to be developing. Along those lines,
you need to be able to have empathy for people. Not only does this help you abuse the psychological weaknesses that we all have, but also it's good to understand the psychological impacts of that kind of work so that you don't do more damage than you have to, and also so that you could have compassion for people that you're exploiting.

All right, the next skill set, and this is particularly important as we'll see in getting a job: professionalism is very important, and there's really three intersecting areas that it comes into play in red teaming. The first one, like I said, is the job interview and employer relationship. Being able to be professional in an environment where
there's a lot of stress is very important to being in this industry very long. There's going to be lots of opportunities for you to want to tell a client or a customer or even your boss to screw off when you're stressed out and they're making a quote-unquote unreasonable request. So learning to be professional in that environment is a good skill, and one that I fail at sometimes; we all do. The next one is customer interaction. If you're going to be presenting your findings to customers on a regular basis, your boss needs to be able to be confident that if they put you in a board room with a CEO, you can conduct yourself in a
professional manner. And lastly, phishing and social engineering. If you understand what is expected in a professional environment, if you understand the social norms, you can learn how to subvert those and take advantage of that when you're doing your phishing and social engineering.

And kind of a side note and related thing that I think is very under-talked-about in our industry: your public image matters, and it matters more than in most industries. I'm talking about things like Facebook and Twitter and those type of places. You might feel that we should, I don't know, eat the rich, but that's probably not a good sentiment to be expressing on Twitter if you're trying to get a job in an
industry where you're very likely to find yourself in a position to completely burn down a Fortune 10 company. Both your boss and those customers need to feel like they can trust you with that level of power, and if you're constantly posting things on Twitter about, I don't know, eat the rich again as the example, it's going to make it much more difficult for you to get a job in this industry. So think about that kind of stuff, especially if you're new to the industry. Start building that professional image outside of work as well.

The next skill set is good report writing. This is another one of those things that I think gets
under-talked-about in our industry, but report writing skills are critical. And as my first boss used to repeat over and over again, what you do on a red team engagement is of absolutely no value if you cannot clearly and concisely explain that process and the impact to customers through a report. I've memorized that phrase because I've heard it so many times, but it is really true. The report is ultimately what the customer is paying for, so keep that in mind. If you don't have good report writing skills, now is a really great time to start building them. It's important in this industry in general, but more so in red teaming than pen testing. Even in pen testing, a lot of pen testing is
kind of check-boxy and kind of a Mad Lib: so I found this exploit, this vulnerability, and I have reported it across the environment everywhere I found it, and you just slap in a general finding about it. In red teaming you're going to be doing more and more one-off customization, and so your impact is really going to be writing up these customized findings and helping the customer fix them. And so being able to convey that very well and carefully in a report is a very important skill to have.

Keep your knowledge current. There are several tricks for this, but the industry is constantly changing. You need to know the
tools, and you need to know where to keep your knowledge current. One of your big tools in this area is RSS feeds. They're your friend. I highly recommend checking this link out; it's a current list of all my RSS feeds that I use, and it's a really great way to stay on top of things with an RSS feed aggregator. Obviously netsec on Reddit is a great tool; there's lots of good stuff that gets posted there. And finally, infosec Twitter. I mean, you can say what you will about infosec Twitter, but it's definitely one of the first places a lot of great new techniques and tools come up.

So let's talk about interviewing. This is
information I wished I would have known when I first started, so if you're getting started in the industry, here's some useful stuff you should know before you walk into an interview. Know how to phish. Know what tools currently work and what techniques. This is hard if you haven't been doing it, but just read as much as you can on that kind of stuff. If you're still talking about how you use Word macros in 2020, 2021, you're probably going to get some eye rolls. Talk about how to evade AV and EDR, and this is just, know the general techniques. You don't have to know a lot of specifics, but it's a good idea to know
some specific techniques that work against specific AVs as well. It gives you something to talk about and shows that you've thought about it.

This last one here is really important: have some well-rehearsed vignettes of exemplary prior work that you've done. And if you don't have industry-specific work, try and pick some things that you've done in related industries, and then have some strong tie-ins to how that knowledge or learning experience can help you in this industry. That gives you a way to demonstrate your value outside of whatever, you know, canned questions they have for you, and it also gives you a way to kind of filibuster if you get to a question or area that
you just don't really know what you're doing. If you can tie that into some related experience and talk about how that knowledge could help you in this instance or teach you how to do this thing, that could be really helpful.

And always admit when you don't know, but also don't stop there: describe how you would find out. A lot of times you're not gonna know the answers, and that's okay. We as red teamers, we never know all the answers when we go into an environment. So know when you don't know, be willing to admit that, but then also explain how you would go about finding that information.

Be passionate. This work is hard and it's
soul-crushing sometimes, and it's really important to demonstrate to a potential boss that you have a desire and a real hunger to do this kind of work, because otherwise they know you're going to get burned out quickly. And so it's really important to show that passion in an interview.

And then last, kill your ego; bury it in an unmarked grave. No one wants to work with somebody who thinks that they have all the answers, because they don't, and they're going to do crazy things that are going to cause problems. And egos cause problems in a team environment, when your team's really important. So try and work on being open to admitting when you don't know things
and working with your co-workers and asking for help, and demonstrating that in an interview. A lot of times we have dismissed people who are otherwise talented in interviews simply because they would lie about knowing stuff they clearly didn't know and pretend that they had more skills than they obviously did. So again, back to admitting when you don't know.

All right, I know we're kind of tight on time here, so I'm going to kind of blaze through some of these slides quickly. But advertise yourself. LinkedIn, seriously; that's where I've got most of my work. You'll constantly get headhunters; it's kind of annoying, but it's a good way to find work. Infosec Twitter: if you have
built a following there, feel free to reach out to people and tell them, you know, hey, I'm looking for a job, anybody have anything? Talk to your local hacker community and make those connections. A lot of times those people will have open job reqs that they're trying to fill, and they can hook you up. And then consider related work. Things like pentest puppy mills are also an option. It's a good way to see lots of new tools and techniques and lots of new environments, and build those professional muscles in an environment where it is stressful but you get a lot of work.

So finally, good luck. It's a hard industry to get into, but it's a very
rewarding industry. I have a question slide, but apparently we don't have time. But feel free to reach out to the committee, and I'm sure they can get you in contact with me; they can get your questions to me and I'd be happy to answer them. So thanks everyone for your time. I appreciate you listening to my talk.