[00:00:05] CS: Welcome to our second episode of Cyber Work Live by Infosec. As you may know, from our weekly Cyber Work podcast, we’ve talked with over 150 different industry thought leaders about cybersecurity trends, the way those trends affect the work of infosec professionals, and offered tips for breaking in or moving up the ladder in the cybersecurity industry. And today, it’s all happening live. I am Chris Sienko, Cyber Work Live host and Infosec Director of Online Content. And as you can see, today’s topic is red teaming, the fun and the fundamentals.
I’d like to introduce you to our guests in just a moment. But before we get started, I have a few notes for our live audience. You are all set to listen-only mode. That means that you are muted, but you’re still welcome to ask questions using the QA panel provided on your control panel. We had plenty of great questions in the weeks leading up to the event, but if you have any additional questions, feel free to ask and we will do our best to answer them during the program. And with that, I’d like to introduce you to our esteemed panel of guests today.
Amyn Gilani is the Chief Growth Officer at CounterCraft, a deception-driven threat intelligence firm. Previously, he was Chief Technologist at Booz Allen Hamilton, where he provided expertise to federal and commercial clients, focused on incident response red teaming, threat hunting and cyber security operations engineering. Prior to joining Booz Allen, Amyn was a Vice President of Information Security at Goldman Sachs, where he led red team operations and emulated sophisticated attacks against securities trading platforms and payment systems. He began his career serving in the United States Air Force as an intelligence analyst and supported the National Security Agency and United States Cyber Command. Amyn holds a bachelor’s degree from University of Maryland and a master’s degree from John Hopkins University. Amyn is also a visiting fellow at the National Security Institute at the George Mason Law School.
Curtis Brazzell is a longtime information technology and security enthusiast. Over his career, he has obtained professional experience in both defensive blue team roles as well as offensive red team positions. He has created and maintained many security related passion projects, including a security awareness phishing toolkit, MDR solutions, and a cybersecurity ABC book series for young children, which we’re talking about before the show here. Over the last seven years, in his last position, he built up and led a red team and is now currently a managing security AppSec at GuidePoint Security. He loves to research and blog on new vulnerabilities, attack techniques and other security topics in his spare time.
Amyn, Curtis, welcome to Cyber Work Live.
[00:02:33] AG: Thank you.
[00:02:33] CB: Thank you.
[00:02:34] CS: So, yeah. Let’s start out. We have a lot of questions for the audience today. But I do want to talk to you both about your red team backgrounds. You both obviously have some pretty great on a few days. So what are some of your favorite into stories, your red team experiences? Can you tell us a little bit about some of the fun things that you’ve done in your time as red teamers? Let’s start with Amyn. Okay.
Okay. Curtis, do you want to start?
[00:03:07] CB: Yeah, that’s fine. Yeah, where do I begin? Just working for different consulting companies, you have a lot of stories in the trenches, if you will. And a lot of them come from physical red team assessments, phishing assessments. Sometimes you pair them up with a pen test, like a true red team, where you’re doing a physical component in addition to the penetration testing, the electronic digital component, if you will.
I think one of the ones that come to mind that is most interesting to me is when you combine those elements together. And so you’re doing a red team assessment, but you’re also trying to break in through their perimeter. See if you can phish in and get credentials and compromise the perimeter. There’s this one scenario in mind where we’re trying to gain physical access. So first, we start with a pen test, and we’re scanning the perimeter. And you gain access through an outside vulnerability. And then, internally, you find physical access controls for the doors. You find sensitive documents that show where everybody sits, what their names and their roles are, contact information. And then you can relay that to your physical red team and say, “Here’s all the information you need. Here’s the passcode on the front door to get in.” Maybe you can disable the webcams too, because you have access to those. So I think, for me, anytime – And I’ve got a lot of stories like this, but anytime you can combine all of those different elements, it seems more like the movies or something, right. For me, those are the most fun experiences.
[00:05:03] CS: Yeah. Amyn, do you have anything similar to that or any other exciting things that happened?
[00:05:07] AG: Yeah. Actually, back when I led red team operations at Goldman Sachs, I thought that it’d be just like that, right? You’re doing all the reconnaissance, understanding who is putting out information about what critical assets that they’re working on on behalf of the firm. So definitely, the reconnaissance phase is super fun when you talk about the kill chain. Seeing like who the adversaries would really target, right? And I think there’s a fundamental difference between just pen testing and then red teaming. Red teaming, you really put the lens on as an adversary, as a sophisticated adversary, to be a nation state. And you really have to approach those objectives as the adversary as well, right? Of course, you need a lot of approvals. So those are some of the things that you’ll always ask for too. Being part of the red team, always looking for approvals for making sure that you’re sponsored by the correct entities so you don’t get in trouble when eventually when you do break something or gain access to something that you shouldn’t have.
But one of the most fun things that I did at Goldman was really emulating the SWIFT payment platform breach. So whenever – I think it was 2016, whenever, the Bank of Bangladesh was heisted for over $80 million through a SWIFT payment fraudulent activity. And so once that happened, red team became a real priority for that firm. And we started to emulate attacks like that. And so there’s a lot at stake. You won’t believe the insane amount of money that goes through SWIFT on a daily basis. And so being a part of pen testing, or actually red teaming it, you want to make sure that you do it appropriately right, because if you were to take down the SWIFT payment platform, it’d be tens of billions of dollars that just wouldn’t get transferred. And money needs to be in certain places at certain times, right. So I think those are some of the more – You do play some high stakes poker at times whenever you really want to do a pen test correctly, right? And so that was fun.
But, also, there’re different elements to red teaming that I found fun, which is also war gaming. So doing tabletop exercises with stakeholders. And really getting the PR folks involved, communications operations, all these random people beyond the technical side that would be a part of the operations. I think that’s a lot of fun too, because you really get to understand how an incident is played out with a lot of great people in the company, in the firm. So I think that’s one of the great things about red teaming, and it goes beyond just your technical chops. It really does challenge the entire organization of how to really respond to adversaries within your network.
[00:07:49] CS: I love that. Yeah. And I think we’re going to talk more about that communication aspect and the sort of practical hands-on aspects of it. So we have a lot of questions from visitor, or from people who sent questions in today. So I want to start with real simple, because I think a lot of people, there’s that difficulty of like how do I – If I’m just starting now, how do I get to that point where I’m emulating the SWIFT payment system? I’m breaking in and getting people’s seat assignments and so forth. So, Andrea asks, “Hi, this is Andrea. My question is, what’s the best way and certification to start a career in cyber security?”
Now we had a bunch of related questions that I think are worth answering kind of all as a bouquet. User Peacekeeper7trap says, “Our CompTIA course is like A+, Network+ and Security+ good enough to get your foot in the door? User Hamza says, “What about the programming languages? Are these needed in cybersecurity or an offensive security roles?” And I mentioned this one as well, user MarkBarrow1 says, “Do you have to be a fast typer to do cyber security?” I mean, we all kind of smiled at that. But I think it’s worth like breaking this down to the absolute bare minimum, because I think people see hackers on TV doing the clickydy-clickydy-clickydy with the computer and think that it’s some sort of like a speed game. But for people who are right at like point zero and are attempting to get into this, what recommendations do you have in terms of where to start? What are your fundamentals? Do you do A+? Do you get right into Security+?
[00:09:23] AG: Yeah, I can pick that one first. And I think certifications I feel like for everyone is probably like the barrier of entry, right? Like they need certifications to get that job. And sometimes that is the case. Let’s say if you’re working for a consulting company or like an integrator on the defensive side or like for the federal government, typically it is required that you do have a Security+, or network+, or GCIH. There’re so many different certifications that kind of qualify you for a role, which is the bare minimum.
So when you talk about cybersecurity, how do I break into the cybersecurity role? It also depends on what role within the cybersecurity like vertical as well, right? There’re so many roles. You can do triaging. You can do monitoring. There’s incident handling. There is threat intelligence, pen testing. There’re so many different roles. So I think that for – I think it’d be great for new people who aspire to be in cybersecurity to really understand what actually is the most – Like things they’re most passionate about, and then go for that instead, right?
I mean, it’d be great to have a good understanding of the network as well as having the Security+. Those certifications really give you the foundational work to get started. So there’s no one specific, one I would recommend. But I would say that there’re a lot of different ones out there that you can still get your hands into cybersecurity. So really understanding what is the most passionate thing that you are about cybersecurity and pursue that instead.
Regarding languages, I think it is very helpful for people to understand programming languages, especially if you’re doing product security, right? That’s another security aspect of it that we don’t talk about. Whenever people think cybersecurity, you’re probably thinking like you’re in the SOC somewhere, right? So that’s more organization there. But there’s also a growing demand for product security. So understanding languages like PHP, Python, C, C++. Like all these languages are definitely helpful in understanding. So not one that I’d recommend, but I think along those lines, having a strong fundamental around that would definitely help you understand the full aspect of a product as well. Software product is what I mean. Curtis?
[00:11:42] CB: Yeah, those are great points. I agree 100%. And speaking more to the path part, then the certification part, I think a variety of different people from different skill sets and different backgrounds. makes for a better team. I don’t think that there’s one correct path, I think, and I’m a strong believer that people from different areas of IP make really good pen testers. Sys admins, developers, architects, network engineers, people from varying different backgrounds can come together and form a really comprehensive red team, because you know how to attack it, right? If you know how to defend it and set it up, you’re just naturally going to understand how to attack that network better. So I wouldn’t get hung up on one specific path. I think the more expertise you can have, just in general, from my experience is a good thing.
And then, yeah, going back to the programming, you don’t need to be a developer by any means. But I do think that there’s some value in scripting, especially as a pen tester. Python does client side programming languages. And then depending on if you get into AppSec, having development, or at least some coding experience is going to be helpful to you and your career.
[00:13:08] CS: And fast typing?
[00:13:11] CB: Oh, yeah. That’s good for writing reports. I don’t know so much. I was telling the guys earlier, fast typing can help me sometimes if I’m trying to get in from a phishing campaign before the actual user can enter their credentials, or beat them to their multifactor pen or something like that. So I think it just comes with the passion, being a fast typer.
[00:13:34] CS: Right. Yeah, I think that also sort of speaks to the aspect of like you can start wherever, but if you’re really passionate about this stuff, you don’t necessarily need A+, Network+ and Security+ to get started. But once you’re in, I’m guessing, you’re probably going to want to sort of go backwards and learn as many things as you can. One of the consensus things that I hear from so many guests is, if you know networking inside and out and backwards and forward, you’re going to be a better pen tester. If you know every aspect of the system, you’re just going to be better at this. But that doesn’t necessarily mean you have to sort of collect it upfront or there’s a barrier, or a gatekeeper.
So I want to move to the next question here. User Pablo says, “Is ethical hacking the same as penetration testing? And how do they differ from offensive security and red teaming?” So these terms all are sort of squishy in the popular consciousness. So can we do the basic breakdown of red team, blue team, versus ethical hacking, versus other things that are in that realm? Curtis?
[00:14:41] CB: Yeah. I’m happy to jump in again. Sorry. I mean. I’ll get it back here in a second. Yeah. No, I would consider like reporting of vulnerability through responsible disclosure. Say through a vulnerability disclosure policy or a bug bounty program, for example. That’s ethical hacking in my book, but may not be the same thing as pen testing. It’s all for the same purpose or goal. And that’s to help a client better their security posture. And I think any effort to simulate a real world attack is really when like a black hat may do. I would consider that red teaming. So when we talk about red teaming, when we talk about, specifically, what that means, my mind jumps to simulating a real world attack. But there’s certainly some overlap between the two terms. People use them interchangeably a lot. And they definitely can be interchanged like that.
[00:15:42] AG: Yeah, I would totally agree. And, yeah, there’s definitely a difference in ethical hacking, whether it be a course or webapp pen testing and red teaming, right? I think, like some ethical hacking certifications are typically not hands-on. It’s more concepts and theories to operate on. And I think more valuable skills would be things like actually having hands-on keyboard and practicing those things, whether it’d be learning Kali Linux, and Metasploit,and stuff like that, right? So I think that any certification or any way to actually do any kind of hacking, I think hands-on tools are more preferable. And like we said earlier, like Curtis said, real world attacks is really the red teaming side of it, right? It’s like a no holds barred match that has been approved. There are certain objectives that your firm has approved of doing and you operate that way, right? And so there’s definitely a difference, whereas let’s say, for example, webapp pen testing, you’re looking for flaws, right? You’re trying different tools against your applications to ensure that it is secure. Whereas red teaming, there’s more objectives. It’s not just breaking in. It’s about achieving more objectives, whether it’d be false payments through this web payment platform. And it’s a lot different. But what pen testing I think is, it’s a very fundamental practice that has to be done before you do red teaming.
[00:17:19] CS: Yeah.
[00:17:19] CB: Yeah, well said.
[00:17:21] CS: Yeah. So I think that’s great that we’ve defined our terms pretty well here. Because this is, of course, Cyber Work, and people are thinking in terms of these concepts in terms of getting work, getting into work, moving up the ladder, and so forth. A lot of the questions have been about their study path and whether or not they’re on the right path. So our next slide is from Mulani Tamashiro, who says, “I’m trying to become an ethical hacker. What educational path do you recommend that will teach me the basics from the beginning to the end? What classes, certifications, or training do I take? Do I need an apprenticeship or boot camps?” And they mentioned, “I attend Divergence Academy with a major in cyber security and pen testing, as well as university in computer info systems, concentrating in computer forensics, and I’m confused about what I should really be taking. I’d also like to know if there are other internships or work studies.”
So this comes up a lot. I think this is sort of common with new students, is I’ve chosen a path, but what if I’ve chosen the wrong one? So obviously there’s no one specific right path, but a lot of the – There’s that that concern of like what if I choose a path that completely ruins my career for the rest of my life, which I think most people have said is pretty likely impossible. But I wanted to talk to you both about this. Do you have thoughts on studying ethical hacking and what your sort of recommended course or pathway would be to sort of get in once you’ve gotten past the security fundamentals?
[00:18:59] AG: Yeah. I think, a couple of courses, and we’re not sponsored by any of these organizations. But I will say that I think the GPEN course that I think SANS has is actually been very helpful from what I’ve seen, because they also do labs. And OSCP is kind of like the gold standard for good penetration testers, right? And so I think that those two, the thing that’s common is that there’s a lot of practical experience. There’re labs, there’s a bunch of different tools that you can deploy and start using. And I think that’s really where you’re going to learn more of the tradecraft than anything else. And so I think I would kind of progress that way. But I don’t think anyone can really just jump into OSCP without any kind of basic knowledge, right? And so I think like having like building blocks, whether it’d be certifications. Or my favorite, YouTube videos, is where I’ve learned so much from, right? There’re always friends, there’s always new attacks that you can just learn about and just understanding I think just like the general landscape of tools, but as well as the current attacks that are happening. And so it’s a variety.
And I think these certifications and becoming very expensive. And if your company is not sponsoring you to do it, it’s a lot to put up. And it’s a lot of pressure personally to fork up $5,000, $6,000, $7,000 and expect to pass it, right? And hopes that you get a job after that, right? And so it really is a gamble sometimes. But I think when it comes at least learning it, I don’t think there’s any type of waste in learning that. But my favorite, of course, organizations like yourself, Chris, at Infosec, but as well YouTubing a lot of things is really helpful to at least get your skill set started.
[00:20:50] CS: Yeah, Curtis, any thoughts?
[00:20:52] CB: Yeah. Yeah, I agree. I mean, you said it perfectly. As a hiring manager myself, I personally gave less weight to the formal education and training than I did somebody coming in the door getting started and security that they had an interest in a willingness to learn. And I think some of that’s pretty self-evident with do they do home labs? Do they do capture the flag challenges?
So my advice would be it doesn’t really – I would say there’s not – Again, like my last answer, there’s not a specific right way to do it. If you have an interest in this field, there are a lot of great online free resources, cheap resources, even other resources as well. But if you’re interested in AppSec, for example, there’s a lot of like capture the flags such as Try to Hack Me, Hack the Box. DVWA, Burp. Or PortSwigger has Web App Academy. SANS puts on a holiday hack challenge, which is more a general type of challenge, but there’s tons of capture the flags out there. So that’s a really good way to get practical experience in my opinion, and show, and demonstrate that you’re actually working towards this profession. So hopefully that helps. I’m with Amyn on the offensive securities, OSCP. I really like those hands-on certifications. I didn’t even pass the OSCP on my first try. I was one machine short. But I learned so much in the process just by taking the labs. So I would highly recommend, if not that one specifically, anything where you can get some hands-on experience.
[00:22:44] AG: And I think like a lot of your skills that you like obtained from these certifications, or even just going through CTFs and stuff like that, I think that the command of the knowledge will show in interviews, right? So even if you didn’t have any certifications, but you can say that you configured your own personal firewall, or you attended the CTFs, like that shows, first of all, it shows passion. It shows like passion in the field. It shows the command of the knowledge. And I think that is really what rises to the top in interviews.
[00:23:17] CS: Yeah, I think that’s excellent advice. And, Curtis, we’re definitely going to be tapping your hiring manager experience later on in the talk here. We definitely have some questions about that. So moving on from harder skills, user Celeste asks, “Besides technical skills, or certifications, what are some personal qualities or characteristics that make somebody a good candidate for a red teaming role?” And I think most cybersecurity positions that we hear are not simply hardcore engineers. Like there’s always going to be a need for writing for communications. Can you talk a little bit about what some of these soft skills would be especially useful in red team roles?
[00:24:01] CB: Yeah, I’d be happy to jump in on this one too. Obviously, customer service experience, a lot of what we do involves relaying technical jargon to sometimes the less technical audience, even a technical audience sometimes, but being able to communicate that in a way that’s helpful to the client. A lot of my background again is consulting. So I’m used to working with numerous different clients, and just making sure that they understand everything. And so a lot of that is customer service.
Going back to what makes somebody a good candidate. I like to look for people that – Again, going back to do they do home labs and things like that. Even if they set up a pihole at home, or a security onion, or something like that, that that shows me a lot kind of what Amyn was just saying. It shows me that there’s a commitment and the passion for the field. GitHub repos make a really solid portfolio, blogging. And it doesn’t have to be groundbreaking research. Again, if you’re doing that pihole set up at home, and it’s been documented a million times, just writing a blog on that process and sharing it with the community really goes a long way in showing your commitment to the field and the community at large.
[00:25:28] AG: Yeah. I’d also say, like being in position of red teaming, like once you’re there, I think it holds a lot of power, right? You have like the power to show vulnerabilities, but also vulnerabilities with your own teams who could be blue teaming, right? So one of the things that I would – One of the characteristics, I’d say being humble is a very important characteristic of being a red teamer, because the last thing you want to do is tick off a lot of your teammates to showing that they didn’t catch certain things that the red team was doing, or even just kind of you don’t want to berate any of the infrastructure people or advisory people that have actually configured all the tools or the network either, right? So you want to be careful of how you are finding these vulnerabilities and relaying it into a positive way to make it constructive. Because the last thing you want to do is really become the real adversary, right? Like the red team, the blue team, they’re all a part of the defense of your stakeholder, right? So that’s a very important aspect, because it’s not about embarrassing people or organizations. It’s really about strengthening and hardening your org than anything else.
[00:26:45] CS: Yeah, that’s a great point in terms of talking about sort of etiquette between red teams and blue teams here. I think it’s becoming more apparent that this isn’t the case. But it seems like the sort of first wave of people who were interested in red teaming really thought, “Well, this is as close as I can get to being a real hacker and without any sort of boundaries, and no holds barred, and everything’s up for granted, and everything’s up for grabs. And let’s kidnap the CEO. And let’s smash a window,” and all this kind of stuff. But I think that’s worth noting. And, i mean, you guys can speak to it a little bit more, that this is a collaborative process. And even though you can be aggressive, you’re still on the same team, and that you’re still going for the same goal. And that even just like in basketball, or whatever else, like being a hot shot isn’t necessarily going to make you stand out on your team in the way that you want it to.
[00:27:39] AG: Yeah, and I have some bad news for red teamers as well as, people who want to get into red teaming. A lot of it is program management, right? I don’t know how much percentage, half maybe, more than half. A lot of it is setting expectations. It’s the preparation of what objectives you want to achieve. I don’t know if we’re going to go into this later, but just wanted to mention it, but a lot of is preparing and decoupling exercises that have already been done, right. So if you looked at the entire kill chain phase, or any other framework that you would look at, if certain things have already been tested, you have a new starting point to go after, right? So de-conflicting that with other penetration testing teams in the organization, I think that’s also a really big thing, because you don’t want to spend extra resources on testing things twice, right? Because all that results in more alerts for your SOC. And there’s just a lot of different things that you have to consider.
Also, goal setting is a big thing too, right? And so, depending on what level of the red team you are, whether it’d be senior manager or the tester, I think that you really have to understand what are the goals of the firm to achieve anyway, right? What are the long term goals? What are you trying to achieve? And having those planned out is really helpful, because then you really understand like the resiliency of your network. So I think a lot of it is preparation, unfortunately, for red teamers.
[00:29:08] CS: Yeah. Okay, that moves nicely into our next question here about sort of what skills are really valued in red teaming at this point? Sean EllisMS and Cybersecurity BCSCCD1 says, “I’ve recently completed a master’s in cybersecurity, and Veterans Affairs has granted me a little bit of extra funds to expand my cybersecurity skill sets. I’m interested in gaining more hands-on practice with red teaming. I’ve investigated the Offensive Security Pen-200 course, but it is a little overwhelming to determine what skill sets are required to be beneficial in the industry. I’ve noticed an increased demand for cloud security and compliance. But I’ve also noticed a serious lack in penetration testing capability across the board. Of course, I’m attempting to get sponsorship from my own company. I may have to take this on as a personal journey. I have the academic part down, but I’m unsure how to build my hands-on skills.” So I think this is kind of a nice position to be in. “You’ve got a little extra fundage to expand your cybersecurity skills, but you also want to, again, make your shot count here. So do you have any thoughts for Sean here in terms of what is actually being looked at in terms of red teaming? Are you seeing more cloud security and more compliance and less penetration testing? Or is that varied from position to position, do you think?
[00:30:29] CB: I haven’t noticed less penetration testing. Obviously, there’s more of a focus on the cloud than ever. A lot of what we do in pen testing supports regulatory requirement. So sometimes you’re doing pen testing and things like that to support some kind of framework. So there is that. I hate to see people get discouraged though, especially if you have that academic knowledge. I hate to say just do it. Just jump in. But sometimes, if you have that, if you have that experience, or if you have that knowledge, then again, I know I said it before, but identifying those weaknesses and then trying to use those online resources at your disposal, YouTube, any kind of interactive training. If you do identify weaknesses, you can brush up on those. And then jump into whatever course you want to take. And I would just encourage you to do what you can and then jump in when you’re ready.
[00:31:39] CS: Yeah. Amyn, any thoughts?
[00:31:41] AG: Yeah, I would agree with that 100%. Nothing to add.
[00:31:44] CS: Yeah. So we are getting some good questions in from listeners. I’m going to maybe sort of pepper in a few of these here. Speaking to a previous question, we were talking about capture the flags as being a good hands-on exercise. Russell asks, “Do you find that competitive red team, blue team exercises to be more realistic than capture the flag exercises?”
[00:32:09] AG: Yeah, I would say so, only because you’re working on your environment, right? On a real environment that’s actually – I mean, yeah, most likely a production environment, right? And being able to have the feedback and being able to point out like the real flaws or security uplifts that you want to recommend. Like those are a lot more real, right? And so I think CTFs are sprints, whereas red teamers, blue team can last weeks, even months alone.
[00:32:38] CS: Okay, that’s interesting. Okay, so I want to move on from there to talking a little bit about methodology on the client level here. So one of our TechExams users, Severine says, “What are some key points that should be discussed and asked of suppliers to confirm whether their approach towards the red team assessment is the most suitable?” I think this sort of speaks towards the idea of what is actually on and off limits. And again, this sort of speculative fantasy of red teamers as being these no holds barred tech barbarians and so forth. But how can you speak to discussing and asking suppliers their approach towards red team assessments?
[00:33:24] CB: Yeah. So that’s a really good question. I think they should be asking you questions to better understand not just the scope, but what level of security maturity that your organization is at currently. Based on that, I think they should work with you to determine the most suitable approach, right? You shouldn’t run before you can crawl. There may not be a lot of value in doing a full-fledged red team assessment with a physical component and social engineering and everything else if they’re just getting started in their security path. And maybe in that case, a vulnerability assessment, vulnerability management program makes the most sense, because they’re going to just end up wasting money and time and not get a lot of value out of it. Honestly, it’s like shooting fish in a barrel if they have never done a vuln assessment, but you’re starting out with a red team.
I think identifying those customers or those providers that want to work with you and be a partner and help you grow and make sure that, over time, you’re getting more and more value so you can step up those assessments. So I’d be careful the ones that want to just throw everything at you the first time.
[00:34:44] CS: Yeah.
[00:34:46] AG: And just to piggyback on that, I think that was great, Curtis. And, really, the goal expectation, as I mentioned before, right? I think the sponsorship from the CISO and the CSO is extremely important to really define what are some of the operations or systems that are most critical to that organization, right? And for us, like the Goldman story, right? It was the SWIFT payment platform, because if that system were to go down, it would cause a lot of trouble for not just the firm, but also markets that rely on Goldman as well, right? So understanding your crown jewels, understanding your priorities. What are the most fundamental things about your business that just can’t be compromised at all? And having that buy-in and being able to perform an assessment that way I think is very important. So the methodology for us has always been really interesting. Like the key assets that need extra attention.
[00:35:45] CS: Can you to speak to any sort of mental checklists or whatever? Because I think there’s some good points in there about companies being too quick to hire red teamers when they haven’t even gotten their own system right from a from a pen testing perspective. Like how do you know when your assets are solid enough that you’re ready to sort of bring in the big guns so to speak?
[00:36:10] CB: Yeah. I think it goes back to compliance maybe in a more formalized setting. I think companies should have a good feel of how far away they are, how mature their security model is. They should know if they’re just getting started. Or if they feel like they’ve got a pretty good handle on things. But there’re a lot of frameworks out there that they could they could compare themselves against to get a feel for where they sit maturity-wise.
[00:36:38] AG: Yeah, like the NIST framework and ISO framework. If you complete those with good passing scores, you should be in good shape. And I can’t say that’s all you need to get started. But it’s a start at least, right? Yeah.
[00:36:56] CS: Okay. So I want to move on. This one sort of spoke to me, and I think you guys will have a lot to work with here. This was from one of our tech exam users, Birmavic says, “I managed to get myself into a penetration testing position. Doing red team work is something I always thought had the potential to be lots of fun. I knew there would be quite a bit of paperwork, but I figured the thrill of popping a box or domain would more than make up for it. And it does when it happens. But a fair amount of the time, I feel kind of like a fraud, I guess. Most of the external engagements are verifying what the vulnerability scanner already detected, SSL vulnerabilities, or some kind of information disclosure, private IPS, and HTML responses, etc. All in all, it feels a bit cookie cutter or like mass produced version of pen testing. Maybe that’s just how it is nowadays. I’m hoping other pen testers might be able to chime in and give me a better idea if I made an unrealistic version of what this type of job can be in my head or if there’s variation in this type of work. It feels a bit silly now that I’ve typed it out, why wouldn’t there be variation? But I’m still curious, the extent of that variation, I guess.”
So I think, again, I wanted to have this on here, because I think it’s really important to separate myth from reality in terms of what the day-to-day work of red teaming is. Do you sort of get the sort of mindset here where you feel like, “Oh, that was too easy.” Or, “Oh, all I had to do was just sort of read these files or see what someone else had already done?” Is that is that common? Are there variations? Is there sort of a higher level that this person might get to eventually? Any thoughts on that?
[00:38:35] AG: Yeah. So I totally understand this question. And I understand. Let’s say, for example, after our SWIFT experiment was done, like what do you do after that, right? Do you just wait for another trend to come up? And really, a lot of it has to do with the authorities that your organization has given the red team, right? No. It can’t always be like, continue, go hack, and just find exploits, right? And so it’s really not always that. And there’s other ways to get creative in that role once you’re there. And I think it would be writing down that list of main priorities, understanding the stakeholders in your organization and what are the critical assets as mentioned, the crown jewels, and begin to do thought experiments, right? This is at the base level of security of just like wargaming it in your head of what are the most important things and how it can be hacked and being able to kind of set up a methodology of how a certain asset could be compromised, right?
And then you kind of understand like what kind of securities we really have around these assets and going forward from there. So if it can get boring, if those authorities are not there, you can always do thought experiments, which lead to wargaming. And that’s when you really have people and you have a concept of –Like the notional exercise where you pretend there is a breach happening and what happens here at X, Y, Z, right? How do you recover from it? How do you respond? And those are very important things to do, because you’re also creating processes at the same time. So that paperwork thing that user talked about is very true. That is a very real thing.
And so I think just to go back to what I was saying, would be thought experiments, to have like a conceptual idea of what could be compromised. And the second thing would be to actually, once you realize that, “Hey, these certain assets or these processes can be exploited,” then you propose at least a tabletop exercise of wargaming around it. And if there’s enough use cases there, then you just prove the point that this asset actually does need technical red teaming. And that’s kind of like the crawl, walk, run of what to test. And a lot of times it is the red team that should be proposing things of what to test, right? But it’s a bi-directional relationship where the management should also be giving down or proposing main assets that should be considered for assessments.
[00:41:00] CS: Right?
[00:41:03] CB: Yeah. Yeah, great job, Amyn. I agree with that 100%. I’d like to talk about the cookie cutter mass produce pen test, and how it feels like there’s more of that nowadays. I think from my experience, kind of what I’ve seen, are a lot of consulting firms or pen testing places offering, essentially, a vulnerability scan, and then they call it a pen test, right.
So, first of all, I think we need to be careful on what do you define a pen test as. Just validating results from a vuln scan I don’t think qualifies. And I’m not saying that this user that asked the question is saying that at all. But I do want to point that out, because I do think, for compliance reasons, a lot of times customers do tend to – And it makes sense for cost reasons, they want the cheapest pen test they can and get so they can satisfy this requirement and say that, “I did this pen test.” We kind of call that checking the box, right? But it doesn’t have to be, right?
I mean, like a pen test, an actual pen tester, an actual red team assessment, there’s a lot of variation on that. You could take that all the way to, I mentioned before, physical red teaming, or there might be social engineering in scope. So even with regular pen testing, at the lowest level, a vuln scan shouldn’t be the only tool at your disposal. Most pen testers have a variety of different tools that they can use to try fuzzing. Or maybe there’s some exploit development opportunities based on some POCs that are publicly known. So I would just encourage trying to think outside the box and using different methods or different tools. There’re a lot of great open source tools that you can leverage.
[00:43:05] CS: So to speak to Birmavic’s concerns here, just to sort of game it out, do you think that there’s a chance that maybe this person is just in a role right now where they’re being limited and there’s not that much to do? And maybe if this person found like a better red team or a different company, or is it just a matter of like you’re going to go through a number of these sort of boring versions and you’re going to occasionally get like a real hot one? Is there a certain sort of baseline of rote red teaming or pen testing that you have to get to before you get to do sort of higher level exciting things? Or is it more of a thing where you could look at the sort of rote ones that this person has done and say, “Oh, I can name five other things that you could have done that no one either chose to allocate resources or thought to do?
[00:44:02] CB: I know, for me, a lot of times it comes down to budget and how much time you have to dedicate to something. Sometimes you’re going to have those assessments that are just cookie cutter and shorter. And then other times you’re going to have those really exciting ones. I think it just depends. And this could be an internal red team where the environment isn’t changing a lot. Or even in consulting, if you do the same pen test over and over again for the same client. I always try to mix that up by putting different resources on that engagement so that there’s a fresh set of eyes and a different perspective. Even if it’s the same pen test over and over again, how can you spend your time differently each time and focus on a different area? Maybe you focus a little bit more on application security than you normally would, because you’ve tried all these other things before. So I think there’s ways to mix it up, if that answers your question, Chris.
[00:44:57] CS: Yeah, I think so. Any thoughts, Amyn?
[00:45:00] AG: No. Yeah, I totally agree with that. The fact that, yeah, being a part of red team, you are going to have ups and downs, right? It’s not always 100% go time. So, unfortunately, like that is a part of it, right? And I think a lot of it happens. You did an engagement, and you do some paperwork afterwards. You work with your control uplifts folks. And I think that’s just a part of it. And one thing that we didn’t actually talk about is that when you’re doing a red team assessment, sometimes you’ll even find an existing compromise as well. And so that’s one indicator incident responses and other folks are related.
And so I don’t want that question to kind of seem that red team is just a boring part of it. And I think that we have kind of been very transparent on the fact that there’s paperwork involved. There’s assessment. There’s postmortems and stuff like that that have to be involved with. But the value that you’re providing is incredible, right? Being able to continuously secure an environment and really challenging the organization is very good. And so I just don’t want to discourage anybody just because of not boredom, but just kind of like the non-fun stuff that happens.
[00:46:14] CS: Right. Thank you. So the next question here is about sort of picking your battles when learning additional skills. So TechExams user Yoba22 says, “Among the many things I do at my day-to-day Information security job, I occasionally participate in penetration testing. My company has encouraged me to transition from occasional junior penetration tester to full-blown penetration tester. And I wonder if there’s much return on investment in studying for an MCSA, or something like Server 2016, or even Windows 10. I don’t really need this cert from a resume perspective. It’ll be a waste of time. The goal really is to be a better pen tester. And I have a lot to learn.”
I’ll say, personally, I don’t feel like any type of learning is a waste of time. But I think, again, there’s always that question of, “How do I best allocate the limited time that I have to be most effective for,” putting words in their mouth, “the company that I work for?” So do you have any thoughts on these sort of side quests in terms of learning additional skills? Amyn, do you have any thoughts?
[00:47:16] AG: Yeah, I think that – So it really depends on the environment, right? If there’re certain assets that you’re using most, sure, then it would make sense to learn it more, right? But, really, for that specific person, I’m not sure what other skills they already have. But I think one of the things that we did say is that having more hands-on lab, environments part of your testing, or like part of a certification would be more beneficial, right. So whether it’d be a GPEN, or OSCP, or something like that, I would probably steer them that way, unless the things that was mentioned earlier we’re actually a part of the environment that’s a must know, right? So it really depends. I would assess on what your organization really requires, if that’s what you want to get to.
[00:48:06] CB: Yeah. Yeah, going back to what I was saying earlier about diverse backgrounds in this field. I don’t think you can go wrong. I understand that most people, they’re limited by time and money, right? So it makes sense that you want to focus on a specific area. I think learning more about operating systems. You mentioned Windows 10, and Server 2016. And learning how to administer those and how they work, depending on your role in red teaming, I think can come in really handy. But, again, I don’t think there’s any knowledge that’s ever a waste, like Chris said. I have so many examples in my own career where my experience as a systems administrator, or a DBA, or something like that came in handy in a pen test where I never expected it to. So I think just whatever you find most interesting, if you think that’s something you want to go after from a technical perspective, I don’t think it’ll be a waste of time. But that’s just my that’s my opinion.
[00:49:10] CS: Yeah, and I think it’s worth mentioning that unless you are in a part of a very small organization, you’re going to be part of a red team. And the idea of a team is that each team member sort of brings something unique to it. In that regard, it is kind of like the movie Sneakers, where you have people who are experts at different things. And if you become a top to bottom, back and forth expert at Windows 10, and how to exploit it every which way, but loose, like you’re going to be useful to somebody, I’m sure, even if it’s not the team that you’re on right now. So I think there needs to be a question between is this useful to me in the moment? Will this be useful in the in the long term? Is this something I want to push myself toward? Because otherwise it’s like you’re in Home Depot and you’re just looking at tools and like, “Oh, this looks fun. I wonder what I could do with this,” and you don’t have any project. You don’t need to be getting another circular saw.
[00:50:01] CB: It’s a great example.
[00:50:03] CS: So we had a question come in that I think kind of would relate well to this. Thomas asks, “I’m 60 years old with 30 years in IT as a developer and network admin. Got my CompTIA, CySA+, and Pentest+. I’m not interested in an entry level position at a company. Any advice for someone who wants to freelance?”
So I think that’s a really good example of maybe feeling like you don’t want to sort of being a band that plays in bars first until you get your record contract. If you have all this knowledge at-hand and you want to start doing freelance work, is that is that a viable option in this regard?
[00:50:43] CB: Yeah, I think so. I mean, it sounds like the person that’s asking this question has that experience already being a developer too? Did I hear that correctly? Developer background?
[00:50:57] CS: Yeah. Yeah, 30 years in IT as a developer and network admin. Yeah.
[00:51:02] CB: Yeah. So in my opinion, network administrators, ex-network administrators and ex-developers make the best pen testers, and AppSec testers too. So I’ve always strongly felt that way. I came to AppSec kind of in a backwards way. I was never a formal developer. And I always wish I had had that experience. And I know people that came from an engineering background into AppSec, for example, and they understand it. They know the foundation. They know the frameworks. They know the languages. And having that experience is invaluable. So, to me, it sounds like this person checks a lot of those boxes already. So I’d encourage freelancing is what you want to do. Sounds like there’s really nothing holding you back.
[00:51:46] AG: Yeah. And the point about AppSec is super important, because like I’ve been talking about earlier, there’s – I mean, there’s obviously a shortage of cybersecurity professionals. But I found that specifically, and AppSec is critically undermanned right now. So I think there’s a great chance of that person succeeding, finding their freelance work.
[00:52:05] CS: That’s awesome. So I want to move to some interview and resume questions. So our next question is from TechExams, user, Shako37, “I’ll be interviewing for an internal red team position. I want to prepare myself as best as possible. They mentioned, there might be some code review in the interview and/or questions around using Windows and API’s for code execution. And this has me spooked. I expect there to be questions around kill chain, CTPs, MITRE framework, C2 infrastructure, maybe questions. I’m planning and preparing. And I think I could handle all these questions fine. And that worries me, because I can’t think of more topics or questions that I would struggle with.” So I don’t know, maybe that’s a good problem to have. But at the same time, it also suggests that our question asker here is worried that they don’t know what they don’t know. Can you talk about – And I know, Curtis, you’re hiring managers as well. Can you talk about sort of what types of things are asked in interviews and how to sort of prepare? And how to prepare when you don’t know what you don’t know to be asked? What do you do in a situation like that?
[00:53:08] CB: Yeah. So I’m not currently in a hiring manager position. But I have been in the past, a couple of different roles. And so I know as both a candidate and a hiring manager, a lot of times these questions are asked with the intent to kind of brainstorm with the candidate to see what they know. I don’t think there’s ever, at least in my experience, been an expectation for the candidate to know the answers to all the questions asked. So I understand how that can be overwhelming. Even as a candidate, I want to make sure I answer everything absolutely correct. But a lot of these are just to see what you know. Not everybody has a super wide background in security. So they’re going to bounce around and see what areas you do know better than others and make sure that they’re applicable for the job. So, yeah, I would just say don’t get discouraged. Don’t get hung up on any one question if you don’t know the answer. That’s okay. Again, you’re probably not expected to know all the answers. This candidate seems to know of specific things that they might not be as familiar with. So my suggestion there, again, going back to our previous answers, is just to brush up on those things if you’re concerned about that before you go into the interview.
[00:54:25] AG: Yeah. And a lot of things that are mentioned regarding tools, techniques and procedures, the TTPs as well as the command and control stuff that was also mentioned. I think that really, yeah, brushing up on threat intelligence, right? And understanding like the most trending topics, whether it’d be ransomware or certain malware that’s being used especially, I don’t know what industry this is, but it could be in banking. So you could be familiar with Dridex or other malware and kind of the transits going. And I think having a command of that knowledge goes a long way, because, really, those are the types of behaviors that you’ll have to emulate in the red team as well, right? So I think really what the threat intel is providing will be beneficial for painting a story of how an attacker would view this organization. And a lot of times, I think that there’s a lot of scenario playing. Like every time I’ve hired for red teamers, it’s just talking about scenarios and how you think through it. And if you have those critical thinking skills to address a certain red team objective I think is helpful.
[00:55:33] CS: Okay. So as we wrap up today, we’re coming up on an hour here, and this has been super awesome. And thank you both for all of your insights. I want to jump to the last slide here, because I think this is something that’s on a lot of people’s minds. We got variations on this question from a lot of people specifically talking about job loss woes in the age of COVID-19. And so user JCE was here. He had kind of a long question, and I want to read it all, because I think it speaks to the sort of up and down nature of employment right now. They say, “I finished my bachelor in computer science at the end of 2016. I eventually found a job in programming, but it got outsourced within four months of me starting. I decided to double down on my education with an 800-hour cybersecurity boot camp. I loved it, and finished at the end of 2019, just in time for COVID to make job hunting “fun”. I quite enjoy cybersecurity, and I’m here on YouTube watching cybersec videos while filling out applications. I bought myself a lockpick set and use laptop for Christmas to practice with and learn both the software and physical aspects. I finally got a job in August as a DLP triage analyst in a midsized MSP. It supposed to be a foot in the door. Instead, I got laid off along with half of the other analysts at the start of the year when the company was bought out.” The job hunt is not any easier after a year of COVID. Any tips? I’ve seen other advice getting a help desk role. I’m really resistant to that. I did customer service for 10 years to help pay for school. So I wouldn’t have to do that kind of basic customer service work anymore. Is it really the best or even the only way to get into the field? Other people have said people keep saying there’s a shortage of cybersecurity professionals. When I applied to the job, they say I’m not qualified due to years of experience. I have two degrees and some certifications.” And a third user says, “This is the issue. Once you get some training or certification, then companies won’t hire you because they require at least two years of experience, but we don’t get the opportunities. How our company is going to be able to find hackers?”
So, obviously, this has been kind of an extraordinary year and advice that you might have given in 2018 or 2019. Might not be the same advice in 2021. But can either of you speak to the job landscape right now and the frustrations?
[00:57:37] AG: Yeah. So that’s super unfortunate, right? And I really feel like a lot of people can be perfect on their resume, right? Have all the right certifications, the degrees, the experience, but still have trouble landing jobs. And I think that the best thing right now would also be to build your professional network. And I think that that’s been the most critical thing. Like during the time of COVID, like everyone has gone just digital, right? There’s like no networking events. It’s impossible to even get in front of a person. And so what I recommend is using resources like LinkedIn to reach out to people. Reach out to hiring managers. Reach out to companies that you feel like you’d be a great fit at, and seeing if there’s a spot for you there, right? I think that that personal touch right now is actually a great time to build that through direct messaging people that you see on social media or any other professional sites. And I think that’s probably going to be the differentiator there and say that, “Hey, look. This is my situation. And I’m very passionate. I’m willing to learn. I’m fungible,” right? And so I think that’s probably the most important thing is building those relationships and getting in. Because right now, everyone is probably inundated with resumes, and there’re also a lot of jobs available too. So the way in would be to build a personal and professional connection with a real human, rather than just an HR portal where you’re just throwing in resumes.
[00:59:02] CS: Right. Curtis, any thoughts?
[00:59:05] CB: Yeah. No, I would agree. I think, I mean, you said it perfectly. I think networking is key. And, for me, I’ve hired some really great people that show up to the local – here in Indianapolis, we have a local ISSA and local OOSP chapter meet-ups and things like that. Obviously, during the pandemic, those didn’t happen or they were virtual, right. So, you’re right, advice changes a little bit based on the current circumstances. But networking like that is key if you can do it. If not, I mentioned other ways that you can try to get your foot in the door from a technical perspective. I think there’s a really neat opportunity nowadays that didn’t exist when I was first looking. And that’s in the form of bug bounty hunting, for example, if you’re like an AppSec tester, or you want to get into AppSec. Again, just demonstrating, “Yeah, I can do this. And you might get paid while you’re learning too by doing bug bounty hunting, for example. And then you can turn around and show that to a potential employer, somebody that’s looking for AppSec people, which is in demand right now. And you can say, “Look, I do this on the side, and I’m pretty good at it too.” So that’s just one of many examples. But I definitely understand the frustration. And I apologize that you had to go through that.
[01:00:31] AG: Yeah. And unfortunately, I think like those conferences, now that conferences are starting back up, but they’re still very expensive, right? There’s a difference between when a company is sending you and you paying out of pocket, right? And paying out of pocket, it can be outrageously expensive. And so, like you mentioned, there’s local conferences, whether it’d be OWASP, or I guess like the BSides, or any other security conferences that are local to you. There are always people out there hiring as well. So definitely build those networks. Attend those happy hours as much as you don’t want to, and just kind of get your name out there, right? Because in this environment, I think everyone has to kind of be a salesman for themselves as well. So really being your advocate, your number one advocate would be the best advice I can give you for now.
[01:01:17] CS: So thank you very much. That brings us to the end of the questions that were submitted in advance. And we’ve answered a couple that came in during the event. And if we didn’t get to everything, I apologize. I wanted to ask one quick one. I think maybe we can we can get the answer to this as a very practical question. Mona asks, “Many places require top secret clearance. How am I supposed to get that when the company has to sponsor the application most wanted before applying?” Is that chicken or the egg kind of thing that we can sort of figure out right here?
[01:01:50] AG: Yeah, so the clearance process is extremely hard, right? And, yeah, I would say that, yeah, if you’re already a part of that company, then sponsoring would be a lot easier, because they’ve already done background checks and stuff like that. But someone coming in without a clearance ever working in government, it’s really hard to break into it, right. And so I wouldn’t say give up, because there’s still possibility. But just know that you’re going to need a lot of patience in order to get there.
[01:02:18] CS: Okay. With that, I want to say thank you to everyone at home or at work for listening and watching today’s episode of Cyber Work Live. If you enjoyed today’s event, and you enjoyed our guests, I’ll just point out that new episodes of the Cyber Work podcast, hosted by me, are available every Monday at 1pm Central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. You can also check out past guests including an episode each from Amyn and Curtis at infosecinstitute.com/podcasts. If you’re interested in free hands-on cybersecurity training instruction, check out Cyber Work Applied. Tune in as expert Infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real world scenarios. To learn more, go to infosecinstitute.com/learn to experience Cyber Work Applied. We are planning to host Cyber Work Live once per quarter. Our next episode takes place on Thursday, August 19th, and will feature the guests from our first Cyber Work Live episode. They’re coming back. They had so much fun with each other that they decided to become a legion of super friends. Mari Galloway, and Gene Yoo will be discussing changing and updating cybersecurity hiring to bring a more diverse set of professionals to the table to address the diverse challenges of 21st century cybersecurity. To learn more about that event, and many others upcoming, go to infosecinstitute.com/events.
And lastly, I want to thank our wonderful panelists, Amyn Gilani Curtis, Brazzell, for joining us today. And thank you to all of our guests for attending and submitting more great questions than we knew what to do with. If I didn’t get to yours, feel free to resend it to email@example.com And we’ll see if we can get you figured out here. As we end the presentation today, a very quick survey will appear. If you would just take a moment and share your thoughts, it’s very much appreciated and help us to produce more great content in the future. So for all of us, thank you and have a great day.