Marcus J. Carey - Tribe of Hackers Red Team

Tribe of Hackers Red Team: summary, description and annotation

Want Red Team offensive advice from the biggest cybersecurity names in the industry? Join our tribe.
Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity
- Learn what it takes to secure a Red Team job and to stand out from other candidates
- Discover how to hone your hacking skills while staying on the right side of the law
- Get tips for collaborating on documentation and reporting
- Explore ways to garner support from leadership on your security proposals
- Identify the most important control to prevent compromising your network
- Uncover the latest tools for Red Team offensive security

Whether you’re new to Red Team security, an experienced practitioner, or ready to lead your own team, Tribe of Hackers Red Team has the real-world advice and practical guidance you need to advance your information security career and ready yourself for the Red Team offensive.

Tribe of Hackers Red Team: preview excerpt

You need to know what your target system does when you’re not around: Plain and simple, you need to actually understand what it is you’re attacking. Perhaps not intensely or in depth, but you should have at least a cursory understanding of everything—every computer, every system, every person you interact with—outside of the context of your run.

If you know these three things, you can do your job, you can do it well, and you can provide the context modifications of your actions to the security team with professionalism and ease.

What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?

One hundred percent self-awareness. You look for the people who make fun of themselves. You look for the people who are willing to ask questions or admit when they don’t know something. You look for the people who correct themselves.

In this field, your ego doesn’t get to decide when you gain access to a computer system. Almost everything we do is reactive. We don’t get to (often) write the vulnerability into the system beforehand. Therefore, you need to be 100 percent able to parse what’s happening around you. That’s what self-awareness is for. You need to be able to track the world without your ego attempting to force its own will on the world around it.

With self-awareness you can understand, control, and react to yourself. This means that you can put yourself aside and focus on the Herculean task of outsmarting armies of engineers and outperforming computers.

You’ll be able to see what I’m talking about when you work on a team with both types. The difference is like night and day. Most people are stuck within themselves. I massively support and affirm those people who are (by right of birth or right of hard work) able to see themselves from a pseudo-objective perspective.

What differentiates good red teamers from the pack as far as approaching a problem differently?

I have met an inordinate number of exceptional red cell members who would almost certainly be considered to be somewhere on the autistic spectrum. If you’ve been in this field for even a brief period of time, you almost certainly have seen something similar. This doesn’t mean you have to be autistic to be good. But it does imply that there is something going on.

It’s probably true that the general autistic cognitive profile performs exceptionally in this field relative to the average or neurotypical cognitive profile: to be able to focus for extremely long periods of time, to be more apt to reason from first principles (axiomatically), to be highly sensitive to the specificity of your environment, and to be able to translate that into task-applied “detail orientation.”

We welcome all types. If you know your stuff and if you can deliver, you belong here. But neurotypicals can in large part survive anywhere. As such, I do think that it’s especially heartening to see neurodivergent people, who in many cases haven’t ever before been able to clearly demonstrate their value to their peers/parents/community, absolutely kill it as part of a red cell. You take the “nerdy” kid who got made fun of for not following viral dance crazes in high school or whatever, you give him a laptop, and suddenly power plants start shutting off for seemingly no reason; it’s beautiful. ■

9 Skip Duckwall

“Don’t break the law! It’s that easy.”

Twitter: @passingthehash

Alva “Skip” Duckwall started using Linux before there was a 1.0 kernel and has since moved into the information security arena, doing everything from computer/network auditing to vulnerability assessments and penetration testing. Skip spent three years on the U.S. Army red team, where he got to break into military bases and not get arrested for it. Skip’s current work is as an independent security consultant.

How did you get your start on a red team?

I spent nearly a decade as a Unix system administrator before transitioning into the burgeoning full-time computer security arena. Unix sysadmin work routinely involves modifying an access control list (ACL) somewhere, be it a firewall, a file share, or whatever, so the transition to a security-minded role wasn’t bad. I eventually transitioned into a position with the Defense Information Systems Agency (DISA), where I traveled to worldwide DoD sites and audited the sites versus the Security Technical Implementation Guides (STIGs). Having a deep background in day-to-day operations, along with a deep understanding of how various organizations attempted to keep their data secure in accordance with what are generally considered the top security standards, is what ultimately got me a job with the Army red team.

What is the best way to get a red team job?

A deep understanding of how the sausage gets made on a daily basis and how people involved with the process try to get their work done is key. Spending time as a help desk/sys admin really helps to provide the foundational knowledge about how security operates. If you understand how the processes work, from the human level to the computer level, then you can find ways to subvert them. One of my favorite quotes I think highlights the point I’m trying to make: Ronnie Coleman said, “Everybody wants to be a bodybuilder, but nobody wants to lift no heavy-ass weights.” In other words, you have to put in the time and effort to become proficient in the foundational levels before you can move on to the higher stuff.

How can someone gain red team skills without getting in trouble with the law?

Don’t break the law! It’s that easy. But seriously, who knows better how to subvert the functioning of the human body than a medical professional who has to stabilize or fix it daily? They understand that the wrong mix of chemicals/techniques could harm a human being. You have to understand how stuff is supposed to work and know how the whole Rube Goldberg contraption works front to back before you can routinely affect it in a desired manner. Vulnerability scanning, pentesting, red teaming, and so on all rely on target consent. If your target doesn’t give you formal consent, then it’s illegal, full stop. There are plenty of do-it-yourself labs and stuff online that you can use to break into stuff on your own network.

“If your target doesn’t give you formal consent, then it’s illegal, full stop. There are plenty of do-it-yourself labs and stuff online that you can use to break into stuff on your own network.”

Why can’t we agree on what a red team is?

This link is from 1987:

https://www.washingtonpost.com/archive/politics/1987/08/24/navy-stages-commando-raids-to-expose-its-security-flaws/8b400370-92fd-4f6b-aa90-c1e1461ab63b/?utm_term=.d5797b93ae83

It talks about how a team of Navy personnel examined the security of various bases and some of the issues that came up. It also talked about people getting sued because of differing opinions of what the rules of engagement (ROE) were. I bring this up because this particular article is the first one I remember reading about what a red team cell is.

I was a member (as a contractor) of a service red team (Army). We were tasked with acting as a bad guy during military exercises and demonstrating in the most visible way possible how security lapses can affect the overall operations of the good guys. There were some rules in place, but generally we were tasked with a particular objective and not really given too much guidance about how to achieve it. If we were arrested for activities directly related to attaining these goals, we had letters that would (eventually) get us out of jail. As you can imagine, this offers a lot of flexibility about how to solve the problems on the way to completing the objectives. If we were really sponsored by a hostile nation-state, money, manpower, equipment, and time would not really be constrained.
