How to break into red teaming
Avoid the two behaviors that make it harder to get into red teaming, and engage in five learning activities to support your path to red team.
Breaking into red teaming is hard. That's not entirely a bad thing, but as I've talked to applicants and students trying to get into red teaming, and as I've read lots of advice on getting red team jobs, I'm concerned that folks are giving and getting bad advice. I'm hoping to clear up some of the misunderstandings I regularly see, and provide some better guidance to aspiring red teamers.
When I talk to people trying to break into red teaming—usually coming from pentest, or just looking to get a start in cybersecurity—they are generally well prepared for the challenges of bad hiring markets, low demand for entry-level positions, and difficulty legally practicing how to hack. But while they have worked hard to prepare for those hiring challenges, they have inadvertently done so in a way that often makes them poor candidates for a red team.
1. They misunderstand the relationship between red team and pentesting, and then
2. They build the wrong muscle memory.
I'm writing this guide to provide a rough roadmap for folks trying to break into red teaming by:
- Explaining and correcting those two mistakes;
- Recommending some concrete courses of action that lead to better outcomes.
Misunderstandings
Red Team vs Pentest
The base misunderstanding I see is that people view red teaming as a more advanced security discipline than pentesting—that the best pentesters graduate and become red teamers. This progression can be conceptualized as a pyramid, like in the image below:
Now, sure, I love red team, but that conception just isn't true. Red team and pentest (and various flavors of blue team) are equally 'apex' security disciplines; and while they are both offensive security disciplines and therefore have some intrinsic similarities, they require different skillsets. Think "dentists vs orthodontists": they are both doctors dealing with oral health, but use different skills and tools. The correct understanding is more like the image below, where the transition between the two disciplines is lateral (and can occur at any level):
What is the difference?
I'm not going to go into a comprehensive definition of Red Team and Penetration Testing (I've linked those terms to some definitions I like, which come from this book I recommend), but a grossly simplified comparison is:
While pentesting prioritizes speedy and comprehensive identification of vulnerabilities, red teaming prioritizes stealth and understanding of how 'noisy' (how many artifacts they create for defenders to observe) a given offensive action is.
Pentest doesn't require that knowledge, and pentest trainings don't cover that information.
Muscle Memory
In order to avoid building the wrong muscle memory, aspiring red teamers need the correct understanding that pentest and red team are different disciplines. Otherwise they will over-index on pentest-focused trainings.
Too often I see applicants for red team roles touting how many machines they've pwned in HackTheBox (HTB) or similar environments, or highlighting their OSCP as proof of their capability. Those are meaningful accomplishments, but they overwhelmingly build pentest-relevant muscle memory, rather than red team-relevant muscle memory.
As a result, these convenient, consumable, and (relatively) low-cost training/education avenues—that most beginners are pointed at—necessarily build habits that have to be unlearned on a red team.
For example, someone trained on HTB or OSCP will have learned how to use linpeas or winpeas for identifying privilege escalation opportunities, but won't know that they are very likely to throw alerts. Even worse, that person probably won't have received any guidance on HOW to evaluate a tool for safety and stealth.
So, if the standard learning paths for offensive security don't work well for breaking into red teaming, what can you do? In the next section I'll recommend a concrete set of steps you can take that I think will provide a much better foundation for breaking into red team.
How to prepare
This set of actions is not intended to be a foolproof, one-size-fits-all path to becoming an excellent red teamer; instead, my goal is to provide a structured learning path to help correct some of the learning mistakes I consistently see aspiring red teamers make. Even if you are just interested in security in general, this should be a fairly effective path for you.
If you already know something that I address here, awesome, skip ahead! In particular, if you already have pretty good exploitation and post-exploitation skills, then skip ahead to the capstone portion at the end, which is where I dig into the most red team specific training.
First, learn Linux and Windows (free)
Linux and Windows are two common operating systems, and you'll need a solid understanding of both to be an effective red teamer.
To learn Linux basics, go through OverTheWire's Bandit.
To learn Windows basics, you can do something as simple as searching for "learn windows fundamentals" and you'll get results from TryHackMe and from LetsDefend, both of which appear to be free and fairly decent.
Second, learn absolute basics of virtualization (free)
Having learned the basics of Linux and Windows, you need an environment where you can dig into more intermediate challenges. Virtualization (taking the resources of one physical computer, and subdividing them logically—as opposed to physically—to run virtual computers) permits you to create that environment for free.
By creating virtual machines (VMs) on your existing computer you'll be able to:
- Avoid having to pay for cloud computing resources anytime you want to test things out.
- Avoid having to use HTB pwnboxes or other expensive platform-based machines.
- Run untrusted software more safely, and play around with risky actions in your VM that would otherwise potentially jeopardize your data on your host machine.
Additionally, virtualization is a core part of modern infrastructure, and getting even a basic exposure to virtualization will help your understanding there.
VirtualBox is free software that allows you to create VMs on your computer. Ubuntu provides a great overview of how to set up a VM with virtualbox, and VirtualBox provides a far more detailed manual on virtualbox.
Third, use HackTheBox (low cost)
HackTheBox (HTB) is a training provider offering a wide variety of courses and ranges, at a variety of price points. HTB is a tool that can be used well or poorly. And as I've warned earlier, it is a poor tool to choose for meeting all of your red team training needs. However, HTB can be an excellent tool for getting some modular training on security-focused topics.
Creating an account is free, but accessing Academy modules (the discrete building blocks of learning in HTB) costs 'cubes' (HTB's weird platform currency). You get a small amount of cubes by completing some initial tutorials, and you get a larger monthly disbursement of cubes by paying for a monthly subscription. If you have a student account ($8/mo at the time of this writing) you basically get unlimited cubes.
Here are my recommended HTB modules (throughout I'll link directly to the Academy Modules, which you'll need to be logged in to view. You can just search the course name and "htb" to find the public-facing details on the courses):
Linux Fundamentals
Linux fundamentals is 10 cubes, which means you can do it right off the bat for free (you get over 60 cubes just for signing up and going through some basic tutorials).
Windows Fundamentals
Windows fundamentals is also 10 cubes.
Intro to Sliver
Sliver is a common Command and Control (C2) tool. It is free and open source, which makes it an excellent choice for training. HTB's Intro to Sliver course walks you through much of Sliver's capabilities for 500 cubes (which means you need a subscription to access it, unfortunately).
Having a basic understanding of Sliver will help you as we move into more advanced training elements.
Introduction to Threat Hunting & Hunting with Elastic
HTB's threat hunting introduction course is 100 cubes and provides basic instruction on how to find bad activity. This helps you gain an understanding of how defenders find malicious activity, and what kinds of activity are easiest to see. This is where you start to deviate from pentest and shift into red team-specific knowledge.
Security monitoring and SIEM fundamentals
Security monitoring and SIEM fundamentals is 100 cubes. A SIEM (Security Information and Event Management) is how most security teams monitor for malicious activity in their environments.
Like the Threat Hunting course, this will help you start to learn how to look for malicious activity.
Fourth, learn Python basics (free)
Learning at least a little bit of a basic programming language will help you immensely! Python is a beginner-friendly language that is also used heavily in security work, which makes it a great choice.
Kaggle's python course is my favorite of the free coding courses I've seen online. They use jupyter notebooks so you don't have to set up a local development environment (although now that you have a VM running you can do so!), and the content is very good. You'll also get familiarity with the kaggle platform, which has many other high-quality tutorials.
Capstone: Ludus (free or ~$300) and CRTO ($500)
This is the part that I get really excited about! Up until now you've focused on learning raw building blocks, but this is where you get creative and put everything together.
Ludus provides the environment and monitoring, and if you would like more structure for your training you can also buy the unaffiliated Certified Red Team Operator (CRTO) course to provide that structure.
Ludus
Ludus provides free sets of templates to automatically deploy multiple machines. You learned how to deploy Virtual Machines (VMs) manually earlier, but Ludus uses Infrastructure as Code to deploy multiple VMs and configure them so they can connect and interact with each other.
Ludus deploys in a few different ways, including on VMs hosted in Azure (expensive, at over $250/month), or on hardware that you own. My preference is to install proxmox first, and then follow Ludus' instructions for Proxmox. Either way, the most cost-effective solution is to buy your own hardware.
Buying a machine with better hardware will result in a snappier and less frustrating lab experience—John Ruskin's quote applies here—but I'm trying to price out a shoestring budget approach to building experience to become a red teamer. If you can afford better hardware, you'll enjoy it. In any event, do some research on hardware before you buy anything. Reddit's /r/homelab and their Discord can help you with that if you don't know what to look for.
Once you have Ludus installed, I recommend merging the GOAD NHA (Game Of Active Directory Ninja Hacker Academy) template with the Elastic template (you'll need to merge the templates, including adding the ansible roles for the elastic agent to all of the machines from GOAD NHA).
As you experiment and practice in Ludus, take good notes on what actions are noisy (and why), and figure out how to accomplish your goals more quietly.
For example, if you want to find paths to escalate your privileges on a machine, try running winpeas and then see what happens in Elastic. You'll see that there are many alerts! You might research quieter options than winpeas and come across PowerUp and SharpUp. Run both of those and compare the alerts you get. You could then do research on detecting PowerShell, and search for quieter methods of execution. After that you might try using SharpUp via Sliver's execute-assembly command and seeing how that looks in Elastic. That will lead you to see how the fork-and-run approach for execute-assembly can be very noisy, and as you search for better choices you'll hear about "BOFs" and discover TrustedSec's SA BOFs. Now you have a much stealthier way to find privesc opportunities (although it is much more manual).
Experiments like this will:
1. Start to give you a feel for how visible your actions are to defenders;
2. Start to give you an understanding of how to prevent/detect/respond to malicious activity;
3. Give you some framework for learning how to understand how noisy a given action might be.
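To make the note-taking part of that exercise systematic, here is a small lab-notebook helper (an added example, not code from the post, Ludus or Elastic) that tallies exported Elastic alerts per experiment window so each tool you tried gets a noise score and a list of the rules it tripped. It assumes the export is NDJSON of Elastic Security alert documents carrying the `@timestamp` and `kibana.alert.rule.name` fields, and that you recorded the time window in which you ran each tool; the sample alerts and rule names below are constructed.

```python
"""Tally Elastic alerts per lab experiment window to record how noisy each tool was.
Assumes NDJSON alert docs with '@timestamp' and 'kibana.alert.rule.name' (Elastic
Security fields); each experiment is the time window in which one tool was run."""
import json
from collections import Counter
from datetime import datetime

def _ts(iso: str) -> datetime:
    # Elastic emits a trailing 'Z'; fromisoformat on Python < 3.11 needs '+00:00'.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_alerts(ndjson: str) -> list:
    """Parse an NDJSON alert export into dicts with a parsed '_ts' datetime."""
    alerts = []
    for line in ndjson.splitlines():
        if line.strip():
            doc = json.loads(line)
            doc["_ts"] = _ts(doc["@timestamp"])
            alerts.append(doc)
    return alerts

def noise_report(alerts: list, runs: dict) -> dict:
    """runs maps a label to its (start, end) window. Returns, per label, the alert
    count and which rules fired, ordered quietest first like a scorecard."""
    report = {}
    for label, (start, end) in runs.items():
        s, e = _ts(start), _ts(end)
        hits = [a for a in alerts if s <= a["_ts"] <= e]
        rules = Counter(a.get("kibana.alert.rule.name", "<no rule name>") for a in hits)
        report[label] = {"alerts": len(hits), "rules": dict(rules)}
    return dict(sorted(report.items(), key=lambda kv: kv[1]["alerts"]))

# Constructed sample export (not real Elastic output) covering four lab runs;
# the 10:07:30 alert falls outside every window and is deliberately ignored.
SAMPLE_NDJSON = "\n".join(json.dumps(a) for a in [
    {"@timestamp": "2024-05-01T10:01:12Z", "kibana.alert.rule.name": "Suspicious Script File Written"},
    {"@timestamp": "2024-05-01T10:01:40Z", "kibana.alert.rule.name": "Privileged Local Group Enumeration"},
    {"@timestamp": "2024-05-01T10:02:05Z", "kibana.alert.rule.name": "Privileged Local Group Enumeration"},
    {"@timestamp": "2024-05-01T10:07:30Z", "kibana.alert.rule.name": "Unrelated Background Alert"},
    {"@timestamp": "2024-05-01T10:11:00Z", "kibana.alert.rule.name": "Suspicious PowerShell Script"},
    {"@timestamp": "2024-05-01T10:12:10Z", "kibana.alert.rule.name": "PowerShell Script Block Activity"},
    {"@timestamp": "2024-05-01T10:21:45Z", "kibana.alert.rule.name": "Sacrificial Process Injection"},
])
SAMPLE_RUNS = {  # label -> window in which that tool was run (constructed)
    "winpeas": ("2024-05-01T10:00:00Z", "2024-05-01T10:05:00Z"),
    "PowerUp": ("2024-05-01T10:10:00Z", "2024-05-01T10:15:00Z"),
    "SharpUp via execute-assembly": ("2024-05-01T10:20:00Z", "2024-05-01T10:25:00Z"),
    "SA BOF": ("2024-05-01T10:30:00Z", "2024-05-01T10:35:00Z"),
}

if __name__ == "__main__":
    for label, r in noise_report(parse_alerts(SAMPLE_NDJSON), SAMPLE_RUNS).items():
        print(f"{r['alerts']:>2} alert(s)  {label:<30} {r['rules']}")
```

Keep the per-run rule list next to your own notes on why each rule fired; the count alone tells you which tool was louder, the rule names tell you what the defender actually saw.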
Having an experienced red teamer to mentor you will make this much less painful, but in the absence of a mentor you can take advantage of discord and slack channels like TrustedSec's discord or SpecterOps' slack.
CRTO
If you need more structure than just playing around in Ludus, Zero Point Security's CRTO course is ~$500 and walks you through many of the core parts of a red team operation. If you go through CRTO while replicating what you can in Ludus and learning how noisy a given action is, you'll learn much more than by merely taking CRTO on its own.
Go learn
There aren't any foolproof paths to red team; it's a niche sector with very few entry-level roles available, and luck still seems to be the driving factor in getting into red team. But I think that you'll find more luck if you follow this general path and:
- View red team as a separate discipline from pentest rather than a more advanced discipline;
- Build the right muscle memory by prioritizing an understanding of all of the artifacts your actions produce, rather than prioritizing access to new systems.
Good luck, and go learn!
Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts. Or better yet, comment below!