One question that I get a lot, whether from students, current or aspiring IT professionals, or just curious people who wonder how one gets into this line of work, is “How do / can I get started hacking?” or “How do / can I get started on the red team?”. I’ve heard tons of answers, some right (in my opinion) and some wrong (again, in my opinion). In this short article, though, I want to give my answer and briefly explain why.
What is the red team? Words have meaning, so before we get into how to get started on the red team, let’s spend a minute defining what I’m talking about when I say red team. Wikipedia defines a / the red team like this:
A red team or the red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view
I think that’s about as clear and concise a definition as you can get. But what’s a short (TL;DR) definition of red team as it pertains to Information Technology and Information Security; what does Piratica do? Simply put, we work with organizations to help them identify vulnerabilities in their Information Security Program and then work with the organization and their blue team to mitigate those vulnerabilities. We do this through things like vulnerability assessments (a relatively high-level look at the organization to identify attack surfaces and look for potential vulnerabilities), penetration tests (using the vulnerabilities discovered in a vulnerability assessment to try to breach a system, steal data, etc.) and social engineering (typically things like phishing, vishing or malicious media drops).
Where do I start? In my opinion, if you want to get started on the red team and be good / effective at it, the best place to start is on the blue team. Get a job at a helpdesk, tech support or call center. Work your way from there through the ranks (Junior Admin, Network Admin, Systems Admin, Sr. Sysadmin, Security Admin, etc.) so that you *know* what the blue team does; how they work, how they think, how they react and what they look for. Learn how the blue team thinks and how to think like a member of the blue team. Ultimately, if you have no idea who your adversary is, what they do or how they do it, how can you be an effective or worthy opponent?
The blue team? Why? I said I wanted to be on the red team! The blue team’s job, in a very basic sense, is to defend their organization’s information assets against attackers (and the red team). The red team’s job, in a very basic sense, is to circumvent the blue team and attack those assets to help identify attack surfaces and vulnerabilities, and then work with the blue team to mitigate the risk that those vulnerabilities pose. Some of those attack surfaces will be obvious (e.g., you can pick them up on an automated scan with Nessus, Nexpose, OpenVAS, nmap, etc.) but some will be more subtle. If the blue team is making a change to the configs, do they save a backup with a .bak extension, just in case? Do those configs contain passwords, hashes, keys or other sensitive configuration information? Do they put those configs on a web server somewhere so that they can download them for safe keeping and, if so, do they delete them after they’ve downloaded them? Knowing what loot the blue team may have and hide, why and where, will be incredibly helpful on the red team. Knowing how the blue team may respond to events (one port scan versus several port scans, a port scan followed by a closer look at a web server that doesn’t have a DNS entry [or that still has the default IIS 6/7/8/10 splash page]) will be equally important. These things are the purview of the blue team.
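To make the “loot the blue team leaves behind” point concrete, here is an added example (mine, not Piratica’s tooling) that hunts a directory tree for the kind of just-in-case copies admins make (.bak, .old, .orig, a trailing ~, a date stamp) and flags lines in them that look like credentials: password assignments, connection strings, Cisco type 5/7 password lines, private keys and AWS access key IDs. It walks a local tree standing in for a web root or file share rather than probing a live server, so it runs offline; the sample files, hostnames and credential values are constructed for the example and the regexes are deliberately simple. It also records only where a secret sits, not the secret itself, for reasons that come up a little further down.

```python
"""Hunt backup copies of configs for leaked secrets (added example, offline)."""
import os
import re
import tempfile
from dataclasses import dataclass

# Names admins commonly give "just in case" copies: web.config.bak, sw1.cfg.old, deploy.sh~
BACKUP_NAME = re.compile(r"(\.bak|\.old|\.orig|\.save|\.backup|~|\.\d{8})$", re.I)

# What to flag inside a recovered config. Order matters only for reporting.
SECRET_PATTERNS = {
    "password assignment":    re.compile(r"(?i)\b(pass(word)?|pwd|secret)\s*[=:]\s*\S+"),
    "connection string":      re.compile(r"(?i)(user id|uid)=[^;]+;\s*(password|pwd)=[^;]+"),
    "private key":            re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "cisco type 7":           re.compile(r"\bpassword 7 [0-9A-F]{4,}", re.I),
    "enable secret (type 5)": re.compile(r"\benable secret 5 \$1\$"),
    "aws access key":         re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass
class Finding:
    path: str
    kind: str
    line_no: int
    excerpt: str   # text up to the match, then a marker; the secret is never copied


def find_backup_files(root):
    """Return every file under root whose name looks like a backup copy."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if BACKUP_NAME.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def scan_file(path):
    """Return one Finding per (line, pattern) hit; a line can hit more than once."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.strip()
            for kind, rx in SECRET_PATTERNS.items():
                m = rx.search(line)
                if m:
                    findings.append(Finding(path, kind, n, line[:m.start()] + "<redacted>"))
    return findings


def hunt(root):
    """Backup-looking files first, then secret patterns inside them."""
    findings = []
    for path in find_backup_files(root):
        findings.extend(scan_file(path))
    return findings


def build_sample_tree():
    """Constructed sample web root (hypothetical hosts and values). Returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.html": "<html><body>Welcome</body></html>\n",
        "web.config": "<configuration>live copy, not a backup</configuration>\n",
        "web.config.bak": ('<connectionStrings>\n'
                           '<add connectionString="Server=db1;uid=app;password=Summer2019!" />\n'
                           '</connectionStrings>\n'),
        "configs/core-sw1.cfg.old": ("hostname core-sw1\n"
                                     "enable secret 5 $1$abcd$EFGHIJKLMNOPQRSTUVWXYZ0\n"
                                     "username admin password 7 0822455D0A16\n"),
        "configs/deploy.sh~": ("#!/bin/sh\n"
                               "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"),
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in hunt(build_sample_tree()):
        print(f"{f.path}:{f.line_no}  [{f.kind}]  {f.excerpt}")
```

On the sample tree this reports three backup files (the live web.config is correctly ignored) and five hits: the connection string in web.config.bak trips both the password-assignment and connection-string patterns, the switch config yields a type 5 enable secret and a type 7 password, and the editor backup of the deploy script leaks an AWS key ID. Run it against a mirrored web root or a mounted share during an engagement; the same function, pointed at the blue team’s own backup locations, is a perfectly good blue-team hygiene check.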
What could possibly go wrong? Regardless of any suggestions and recommendations (beggings and pleadings) otherwise, direct passage from the uninitiated straight to the red team, bypassing time in the trenches on the blue team, will no doubt continue; this is the way of things. Sometimes it happens for the same reason a lot of people end up as [Network | Systems | Sr. Systems Administrators]: they’re the one person in the office who ‘knows about computers’, so that person ‘becomes’ the network administrator. In the red team sense, the person who ‘does the computers’ is volunteered to do a ‘penetration test’ against the organization to satisfy some requirement (investor, owner, regulatory compliance, etc.). Sometimes it’s the desire of the would-be red teamer to skip the small stuff and get to work [on the red team]. Either way, the results are often the same: incomplete assessments / engagements, where those backup configs are left for malicious attackers to find; unintended consequences, where production systems get knocked over (DoS via nmap, anyone?) and protected data gets exposed (“… and here, on my unencrypted laptop, is an unredacted database dump that I was able to grab from your EMR…”). The value and importance of understanding how the blue team thinks and acts and, in fact, thinking and acting like that blue team, is an invaluable part of being an effective member of the red team.
“If you know your enemy and you know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
— Sun Tzu, The Art of War