
Do You Miss Being a Red Teamer?

It is a question that gets posed to me pretty frequently: “Do you miss being a red teamer?” If you came all the way to my blog to see the answer, I will save you some time and spare you a couple hundred words – No. The real meaning of this post is not in that single-word answer; rather, it reveals itself when you consider the question “why don’t you miss it?”

First, we must rewind for a quick recap: In 2014, after separating from the USAF, I joined a small-ish (at that time) team of folks to do consulting, specifically as a penetration tester and red teamer. For three years, I was lucky to work with brilliant coworkers / researchers / hackers who pushed me every day to excel in the offensive space and encouraged a unique creativity that seemed natural when solving hard problems. I had the fortune of leading a multitude of engagements, from program development work with corporate red teams to external red team assessments for a variety of companies. I was also lucky to share my passion for offensive work as a trainer at BlackHat, where the days were long but seeing the joy people had in problem solving made it all worth it.

In 2017, there was a natural fork in the road and I decided to take a different path. I went to work for a product company doing network forensics and threat research work. When I made the change, there was a chain reaction that I did not fully anticipate – consistent challenges from people who sought to understand why I would take this new path. Over the past year, at conferences, on social media, and in hallway conversations, people have always found a way to ask the same old question: “Do you miss being a red teamer?” Oftentimes it is innocent curiosity that leads to the question, but sometimes people have been more direct: they think I made the wrong decision or can’t understand why I would make the change. At times it has been challenging, but I have always been open to sharing this response, and now I wanted to do it in a more open forum.

The Answer

Simply put – I don’t miss being a red teamer because I still feel like one. I still use my offensive skill set and contrarian personality to solve challenging problems in creative ways. I still get to emulate threats, study techniques and build malicious tools (just for a different purpose). I still get the satisfaction of helping people defend their networks and improve their security. I still get the thrill of competing and taking operational actions against adversaries who have their own objectives to accomplish. Every day I get to study the past, think outside the box, and learn something new. Many of the characteristics and qualities that made red team work enjoyable for me are present in my current blue team role. Many might disagree, but I still consider myself a red teamer – just one that is living in a long-term purple team exercise. I often wonder if there are others who feel like this and enjoy the mix.

I do not regret the path I have taken; on the contrary, I have thoroughly enjoyed it. I would encourage people who are curious on either side to apply their domain-specific knowledge to the competing domain. If you are a red teamer, go hang out with the IR / Intel / SOC / Malware / Ops folks for the day. If you are a blue teamer, ask the red team to do a ride-along during an engagement and make sure you are there for the campaign prep. For those who simply can’t “ride along”, there are other ways to do this: personal research, job rotations, technical exchanges, conference villages, CTFs, etc. Being able to attack problems from both angles is extremely rewarding, and I promise you, having inside knowledge with a diverse skill set will force you to consistently seek improvement. There isn’t a day that goes by where I don’t reflect upon some offensive action I took in the past, knowing that I could have done so much better if I only had the knowledge I have now.

Comments
  1. You’re doing Red Teaming Analysis with Digital Forensics and Incident Response. I call it RTA with DFIR. It’s the Zen of Cybersecurity Maintenance. There is nothing Purple about it.

    I can totally feel where you’re coming from with regards to this post — I also left penetration testing to do malware analysis at some point in my career. Now I’m back doing offensive security research. The one thing I learned in this process is that the people you love (your colleagues) appreciate the adversarial style, while the organizations (your coworkers) do not yet fully appreciate it — or it’s always an uphill battle.

    On the other hand, I feel that our industry needs to get out of the trenches and climb the hill. We need good leaders in all camps to do that. Keep it up.