How to break into red teaming - Part 1
Avoid the two behaviors that make it harder to get into red teaming. In part 1, I cover how to properly understand red teaming.
Breaking into red teaming is hard. That's not entirely a bad thing, but as I've talked to applicants and students trying to get into red teaming, and as I've read lots of advice on getting red team jobs, I'm concerned that folks are giving and getting bad advice. I'm hoping to clear up some of the misunderstandings I regularly see, and provide some better guidance to aspiring red teamers.
When I talk to people trying to break into red teaming—usually coming from pentest, or just looking to get a start in cybersecurity—they are generally well prepared for the challenges of bad hiring markets, low demand for entry-level positions, and difficulty legally practicing how to hack. But while they have worked hard to prepare for those hiring challenges, they have inadvertently done so in a way that often makes them poor candidates for a red team.
1. They misunderstand the relationship between Red Team and Pentesting, and then
2. They build the wrong muscle memory.
I'm writing this guide to provide a rough roadmap for folks trying to break into red teaming by:
- Explaining and correcting those two mistakes;
- Recommending some concrete courses of action that lead to better outcomes.
Misunderstandings
Red Team vs Pentest
The base misunderstanding I see is that people view red teaming as a more advanced security discipline than pentesting—that the best pentesters graduate and become red teamers. This progression can be conceptualized as a pyramid, like in the image below:
Now, sure, I love red team, but that conception just isn't true. Red team and pentest (and various flavors of blue team) are equally 'apex' security disciplines; and while they are both offensive security disciplines and therefore have some intrinsic similarities, they require different skillsets. Think "dentists vs orthodontists": they are both doctors dealing with oral health, but use different skills and tools. The correct understanding is more like the image below, where the transition between the two disciplines is lateral (and can occur at any level):
What is the difference?
I'm not going to go into a comprehensive definition of Red Team and Penetration Testing (I've linked those terms to some definitions I like, which come from this book I recommend), but a grossly simplified comparison is:
While pentesting prioritizes speedy and comprehensive identification of vulnerabilities, red teaming prioritizes stealth and an understanding of how 'noisy' a given offensive action is, that is, how many artifacts it creates for defenders to observe.
Pentest doesn't require that knowledge, and pentest trainings don't cover that information.
Muscle Memory
In order to avoid building the wrong muscle memory, aspiring red teamers need the correct understanding that pentest and red team are different disciplines. Otherwise they will over-index on pentest-focused trainings.
Too often I see applicants for red team roles touting how many machines they've pwned in HackTheBox (HTB) or similar environments, or highlighting their OSCP as proof of their capability. Those are meaningful accomplishments, but they overwhelmingly build pentest-relevant muscle memory, rather than red team-relevant muscle memory.
As a result, these convenient, consumable, and (relatively) low-cost training/education avenues—that most beginners are pointed at—necessarily build habits that have to be unlearned on a red team.
For example, someone trained on HTB or OSCP will have learned how to use linpeas or winpeas for identifying privilege escalation opportunities, but won't know that they are very likely to throw alerts. Even worse, that person probably won't have received any guidance on HOW to evaluate a tool for safety and stealth.
So, if the standard learning paths for offensive security don't work well for breaking into red teaming, what can you do? In the next section I'll recommend a concrete set of steps you can take that I think will provide a much better foundation for breaking into red team.
How to prepare
Read Part 2 here for a red team-focused learning guide.
Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts. Or better yet, comment below!