By Felipe Ruiz | January 08, 2021
47 is the number of red teaming experts interviewed in the book Tribe of Hackers Red Team, written by Carey and Jin (2019). So far we have published only three entries about it, each one dedicated to a single expert, in the following order: (1.0) Carey, (2.0) Donnelly, and (3.0) Weidman. So, why not make room for a fourth entry? Or is this starting to look like The Fast and the Furious? I’m just kidding!
Here I want to show you another standpoint on red teaming (another expert answering the same questions), along with the corresponding recommendations for any of you; that’s all. The previous post presented what some people, to their astonishment, might consider a 'strange' case: the ideas and advice of a woman on ethical hacking. That is rare because, unfortunately, at present it is still uncommon to see many women practicing this profession.
Now it would be interesting to read (and why not learn from) the opinions and recommendations of another 'curious' case. On this occasion, it is a person who does not appear in the book under his real name and who, contrary to most of the experts interviewed, does not display a picture in his section. Yes, apparently it’s a man, and he uses the alias "Tinker Secor."
Let’s see what we can get from this guy, who served in the US Marine Corps, has worked as an intrusion detection analyst, and is now a "full-scope penetration tester with experience in testing and bypassing the security of logical, physical, and social environments."
Tinker was recruited and trained to become a red team analyst after gaining some blue team experience and some reputation, especially by giving talks on defensive operations in the US Marine Corps. But we already know that it is not necessary to have gone through a blue team to belong to a red one. Indeed, as Tinker accurately says when asked about the best way to get a red team job, it is "just like getting any job, you split your time between building up the skill sets required and networking." There you are!
So, what does Tinker recommend for building up your skill set? First, "study the following: systems, networks, virtual environments and cloud, [thick/web/mobile] applications, scripting, physical environments, social exchanges, [and] basic attacks [and] defenses." A lot of things to absorb, huh? Well, here’s what he puts forward about practicing: "participate in scripting challenges, build a virtual lab inside your cheap laptop and install systems and connect them together through networking, and do capture-the-flag exercises online or at conferences."
Conferences and meetups are the kind of events Tinker suggests attending to build a network and go "hunting for a job" (beyond the typical, but not negligible, online application). He even recommends volunteering at such events and, if possible, organizing some of them. Of course, don’t forget to "join some reputable online groups"!
Tinker boils "red teaming down to quality assurance." As simple as that. Therefore, when you intend to offer your services to reluctant or nontechnical clients (those who see no need for security), use an assessment as a demo and prove to them that red teaming is really necessary nowadays if they want to guarantee the quality of their systems, not only for themselves but also for their customers or users.
A well-established red team should have a crystal-clear understanding of each member’s particular skills. As Tinker says, it is common to see, in these groups, people who "can do a little bit of everything." However, especially in large projects, the leaders can delegate tasks according to the team members’ special abilities and bring them together at certain times to discuss their assessment and reporting activities.
Regarding what the client has to know after the red team obtains results in an assessment program, Tinker expresses the following: "The biggest thing is to go through the attack methodology and show what worked […] and what did not work in the attack." The idea is to let the client know the details of the path followed by each analyst together with the procedures carried out. Furthermore, apart from reporting vulnerabilities, Tinker recommends the delivery of information related to positive findings. "Positive findings will include the security apparatus that prevented specific attacks as well as times where the blue team detected, responded to, and contained the attacks."
"Security quality assurance assessments and penetration tests can and should be conducted at all stages of a security maturity model." That’s the answer Tinker gives to the question of when to introduce a red team into an organization’s security program, so keep it in mind. (You should not forget the term DevSecOps.) Beyond that, if it’s feasible for your company, following Tinker’s advice, it would be excellent to have a dedicated person or team that continuously conducts ethical hacking on your systems. (Have you heard about our main service, Continuous Hacking?)
In addition, Tinker believes that, for the sake of your firm, you should not rely only on vulnerability scanners. It is better to combine them with penetration tests. As he says, the two "cover different areas and have different strengths and applications, and companies should employ both." According to him, it is typical to see firms deploying vulnerability scanners from top providers, using them to detect security issues, and then, after several months, remediating only some of the findings, usually ignoring those of medium and low severity. No program is created to manage and repair vulnerabilities, so subsequent scans produce even longer vulnerability lists, on which, again, no proper action is taken. (Now I repeat the question for those companies that have fallen into that error but recognize it as such: Have you heard about our main service, Continuous Hacking?)
Of course, you can access the complete interview in Carey and Jin’s book. Here I have just shared some highlights of the answers given by Tinker Secor, one of the 47 red teaming experts you can find there.
On the other hand, if you want to be part of the Fluid Attacks team, you can check out our Careers page, and if you require information about our services and solutions for your company, please click here to contact us.