Do You Miss Being a Red Teamer?

It is a question that gets posed to me pretty frequently: “Do you miss being a red teamer?” If you came all the way to my blog to see the answer, I will save you some time and a couple hundred words of reading – No. The real meaning of this post is not in that single-word answer, but rather it reveals itself when you consider the question “why don’t you miss it?”

First, we must rewind for a quick recap: In 2014, after separating from the USAF, I joined a small-ish (at that time) team of folks to do consulting, specifically as a penetration tester and red teamer. For three years, I was lucky to work with brilliant coworkers / researchers / hackers who pushed me every day to excel in the offensive space and encouraged a unique creativity that seemed natural when solving hard problems. I had the fortune of leading a multitude of engagements, from program development work with corporate red teams to external red team assessments for a variety of companies. I was also lucky to share my passion for offensive work as a trainer at BlackHat, where the days were long but seeing the joy people had in problem solving made it all worth it.

In 2017, there was a natural fork in the road and I decided to take a different path. I went to work for a product company doing network forensics and threat research work. When I made the change, there was a chain reaction that I did not fully anticipate – consistent challenges from people who sought to understand why I would take this new path. Over the past year, at conferences, on social media, and in hallway conversations, people have always found a way to ask the same old question: “Do you miss being a red teamer?” Oftentimes it is innocent curiosity that leads to the question, but sometimes people have been more direct: they think I made the wrong decision or can’t understand why I would make the change. At times it has been challenging, but I have always been open to sharing this response, and now I want to do it in a more open forum.

The Answer

Simply put – I don’t miss being a red teamer because I still feel like one. I still use my offensive skill set and contrarian personality to solve challenging problems in creative ways. I still get to emulate threats, study techniques and build malicious tools (just for a different purpose). I still get the satisfaction of helping people defend their networks and improve their security. I still get the thrill of competing and taking operational actions against adversaries who have their own objectives to accomplish. Every day I get to study the past, think outside the box, and learn something new. Many of the characteristics and qualities that made red team work enjoyable for me are present in my current blue team role. Many might disagree, but I still consider myself a red teamer – just one that is living in a long-term purple team exercise. I often wonder if there are others who feel like this and enjoy the mix.

I do not regret the path I have taken; on the contrary, I have thoroughly enjoyed it. I would encourage people who are curious on either side to apply their domain-specific knowledge to the competing domain. If you are a red teamer, go hang out with the IR / Intel / SOC / Malware / Ops folks for the day. If you are a blue teamer, ask the red team for a ride-along during an engagement, and make sure you are there for the campaign prep. For those who simply can’t “ride along”, there are other ways to do this: personal research, job rotations, technical exchanges, conference villages, CTFs, etc. Being able to attack problems from both angles is extremely rewarding, and I promise you, having inside knowledge with a diverse skill set will force you to consistently seek improvement. There isn’t a day that goes by where I don’t reflect upon some offensive action I took in the past, knowing that I could have done so much better if I only had the knowledge I have now.

Collaborative Distributed Scanning with Minions

*See the slides here*

As the art of red teaming evolves, more and more emphasis has been placed on team-based solutions to common problems. Authors of capabilities or support tools are now focused on building a collaborative approach into their projects. It is no mystery why this has happened – during engagements or assessments, people work as a team (duh). Need examples of capabilities moving in this direction? Check out MSF Pro, Dradis Pro, Silent Break Security’s Throwback, Cobalt Strike, etc.

Over the years, I have been able to witness the collaborative approach to hacking first hand at various red team events and at my job. No longer are people stuffed into their own corner trying to individually tackle hundreds of systems, no longer are people screaming across the room to clumsily pass shells in Metasploit, and no longer is data being hoarded by a single point of failure. It is quite beautiful.

While the tools in use today are a big step forward and have components built for scanning, I find that people still rely on individualized Nmap setups for pentesting. Testers oftentimes do not scan at all, for fear of tripping sensors during more advanced engagements. With this approach, people go back to limited sharing of data – each tester holds their own scan results – and often miss exploit opportunities that another tester’s scan has already surfaced. I was inspired to find a solution that would work for my engagements, but first…
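To make the "limited sharing" problem concrete, here is an added example (written for this page, not code from the original post and not part of the Minions tool) that merges the per-tester Nmap XML files individual setups produce into one shared host/port view, and reports the open ports a given tester would have missed by looking only at their own scan. The two XML documents are constructed to mimic `nmap -oX` output and trimmed to the elements used here; the IPs and services are made up.

```python
"""Merging per-tester Nmap XML runs into one shared view of open ports.

Added illustration only. The XML below is constructed sample data shaped
like `nmap -oX` output, reduced to the elements this code reads.
"""
import xml.etree.ElementTree as ET

# Constructed sample: tester A scanned one host and found 22/tcp and 80/tcp.
TESTER_A_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed sample: tester B scanned later from elsewhere; 80/tcp was
# filtered from their vantage point, but they found 445/tcp and a second host.
TESTER_B_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_name}} for open ports in one Nmap XML run."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        host_ports = result.setdefault(addr.get("addr"), {})
        ports = host.find("ports")
        if ports is None:
            continue
        for port in ports.findall("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not findings to share
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            host_ports[(port.get("protocol"), int(port.get("portid")))] = name
    return result


def merge_runs(*runs):
    """Union several per-tester views into one shared map (later runs win on conflicts)."""
    merged = {}
    for run in runs:
        for ip, ports in run.items():
            merged.setdefault(ip, {}).update(ports)
    return merged


def new_findings(shared, own):
    """Open ports present in the shared view that this tester's own run did not see."""
    out = {}
    for ip, ports in shared.items():
        missing = {k: v for k, v in ports.items() if k not in own.get(ip, {})}
        if missing:
            out[ip] = missing
    return out


def shard_targets(targets, workers):
    """Round-robin a target list across `workers` scanners so coverage does not overlap."""
    return [targets[i::workers] for i in range(workers)]


if __name__ == "__main__":
    a, b = parse_open_ports(TESTER_A_XML), parse_open_ports(TESTER_B_XML)
    shared = merge_runs(a, b)
    print("shared view:", shared)
    print("tester B would have missed:", new_findings(shared, b))
```

Run stand-alone, the script shows that tester B, working from their own Nmap output alone, never learns that 10.0.0.5 exposes SSH and HTTP, even though tester A already has that data; the shared view is what a collaborative scanning setup exists to maintain.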
