Tribe of Hackers Red Team
eBook - ePub

Tribe of Hackers Red Team

Tribal Knowledge from the Best in Offensive Cybersecurity

Marcus J. Carey, Jennifer Jin

About This Book

Want Red Team offensive advice from the biggest cybersecurity names in the industry? Join our tribe. The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world's leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking. This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more.

  • Learn what it takes to secure a Red Team job and to stand out from other candidates
  • Discover how to hone your hacking skills while staying on the right side of the law
  • Get tips for collaborating on documentation and reporting
  • Explore ways to garner support from leadership on your security proposals
  • Identify the most important control to prevent compromising your network
  • Uncover the latest tools for Red Team offensive security

Whether you're new to Red Team security, an experienced practitioner, or ready to lead your own team, Tribe of Hackers Red Team has the real-world advice and practical guidance you need to advance your information security career and ready yourself for the Red Team offensive.

Frequently asked questions

Is Tribe of Hackers Red Team an online PDF/ePUB?
Yes, you can access Tribe of Hackers Red Team by Marcus J. Carey, Jennifer Jin in PDF and/or ePUB format, as well as other popular books in Computer Science & Cryptography. We have over one million books available in our catalogue for you to explore.

Information

Publisher: Wiley
Year: 2019
ISBN: 9781119643333

1
Marcus J. Carey

“Today, open source tools dominate the red team space, making it possible for more people to get familiar and practice.”
Twitter: @marcusjcarey • Website: https://www.linkedin.com/in/marcuscarey/
Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of experience protecting government and commercial sensitive data. He started his cybersecurity career in U.S. Navy cryptology, with further service in the National Security Agency (NSA).
How did you get your start on a red team?
The funny thing about my red team journey is I wasn’t technically a paid red teamer until I got fired from a job and had to make ends meet. I picked up work at an East Coast consultancy doing penetration testing and product development.
I was able to gain red team skills by working at the Defense Cyber Crime Center (DC3). There I did research, taught, and did course development. Amazingly, I had access to all the red team tools that you could imagine, plus every digital forensics tool on the planet. I also had the pleasure of working with a guy named Johnny Long who was quite the hacker and red teamer himself.
I’m extremely lucky to have been in those positions to prepare me for a red team role. Today, open source tools dominate the red team space, making it possible for more people to get familiar and practice.
They say luck is when preparation meets opportunity. It sucks that I was laid off, but it was a blessing to have red team skills to pay the bills.
What is the best way to get a red team job?
It is uncommon for people to start directly in red team jobs. The best way is to have or gain a skill such as internetworking, system administration, or software engineering and start out in a blue team role. Getting into a blue team role will allow you to gain cybersecurity experience and network with people in your dream role.
You can network internally and externally from your organization at local events and regional cybersecurity conferences. There are a couple of certifications tailored to red teaming that can get you noticed by red teams looking to add some human resources.
How can someone gain red team skills without getting in trouble with the law?
I recommend downloading virtual machines and web applications that have vulnerabilities on them when trying to learn at home. There are plenty out there; just be careful and don’t put them on the internet because they will be compromised in short order.
If you don’t have permission from the system owners to test or run tools, you are probably violating some law. If you are trying to get into red teaming, try to exploit only the systems that you own or systems that you have explicit written permission to exploit.
Why can’t we agree on what a red team is?
I think it’s human nature to want to differentiate from each other, especially in a competitive environment like the cybersecurity community. What I have learned is that there are only so many ways to solve problems. Many times we end up with the same solutions to the same problems we see. We end up having different names for the same thing. The old saying “There are no new ideas under the sun” is proven right every time I talk to people trying to solve the same issues.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
There is a natural conflict between the red team and the blue team caused by a mixture of bad experiences and misunderstandings. I think the toxic bit sometimes comes from people making mistakes like taking down servers or leaving malware on endpoints. The problem is that everyone hears red team horror stories, and there isn’t a lot of data that backs anything up.
When should you introduce a formal red team into an organization’s security program?
I believe that everyone in information technology and software engineering should know how to build, secure, and hack anything they are in charge of. My crazy vision is everyone always threat modeling and red teaming everything they do. You don’t need to have red team as your title to utilize red team skills. I always say, “Hack more. Worry less.”
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
I believe the best way to do this is to explain that even though the red team has an adversarial role, internal and external red team goals are aligned in the sense that we all want to protect sensitive data and critical systems. To keep the trust over time, red teams should always avoid showing up blue teams and internal stakeholders. You can only do this by working closely as a team. It takes only one bad experience to potentially ruin these relationships.
What is the least bang-for-your-buck security control that you see implemented?
Antivirus.
Have you ever recommended not doing a red team engagement?
I certainly have. I recommend that the organization start with vulnerability management and getting policy and governance into play. I see too many organizations out there getting “penetration tested” for compliance. I put those words in quotes because organizations are typically getting a limited-scope vulnerability scan.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
I’m going to go with restricting administrative privileges for end users. I’ve seen firsthand how this drastically reduces infections on a network. This simple control applies to organizations of any size. Restricting privileges is easy to implement and scale.
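A concrete way to apply that control on Windows endpoints, as an added example that is not from the book or from the interviewee: the script audits the local Administrators group against an allowlist and, only when run with -Enforce, removes everything else. The entries under $Approved, the CONTOSO domain and its group names are assumptions for illustration; the cmdlets come from the built-in Microsoft.PowerShell.LocalAccounts module, so it needs an elevated PowerShell session on Windows 10 / Server 2016 or newer.

```powershell
# Added example, not code from the book. Reports (and with -Enforce, removes) members
# of the local Administrators group that are not on an allowlist.
# Run elevated. Default is a dry run; -Enforce applies the removals.
param(
    [switch]$Enforce
)

# Hypothetical allowlist: adjust to your environment. Domain principals are
# matched on their full DOMAIN\Name; local accounts on their bare name.
$Approved = @(
    'Administrator',                 # built-in local admin; rename or disable it separately
    'CONTOSO\Domain Admins',         # hypothetical domain group
    'CONTOSO\Workstation Admins'     # hypothetical tier-2 support group
)

# Refuse to run without elevation: Get-/Remove-LocalGroupMember need it.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

$toRemove = @()
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # Name is COMPUTER\user for local principals and DOMAIN\name for domain ones.
    $bare = $m.Name.Split('\')[-1]
    $ok = ($Approved -contains $m.Name) -or
          ($m.PrincipalSource -eq 'Local' -and $Approved -contains $bare)
    if ($ok) {
        Write-Output ("KEEP   {0,-40} {1,-6} {2}" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    } else {
        Write-Output ("REMOVE {0,-40} {1,-6} {2}" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
        $toRemove += $m
    }
}

foreach ($m in $toRemove) {
    # -WhatIf when not enforcing: prints what would change and touches nothing.
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf:(-not $Enforce)
}
```

Run it once without -Enforce and compare the KEEP/REMOVE list with what you expect before applying it. To scale past a single host, put the same allowlist in Group Policy (Restricted Groups, or Group Policy Preferences for the local Administrators group), which reapplies it on every policy refresh; the script then becomes a check that the policy actually took effect on a given machine.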
Why do you feel it is critical to stay within the rules of engagement?
The only difference between a good person and a bad person is that the good person follows the rules. Violating the rules of engagement breaks the trust between teams. If you violate the rules of engagement, you may be breaking the law as well.
If you were ever busted on a penetration test or other engagement, how did you handle it?
One of the most embarrassing things I ever did related to red teaming is owning a USB thumb drive with a volume name of Marcus Carey. I ended up using the thumb drive in a server, and the forensics software detected the device that had my name on it.
I’ll never make that mistake again. I’m sharing this story so it doesn’t happen to you. Sharing is caring!
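The pre-engagement check that would have caught the thumb-drive mistake above, as an added example that is not from the book or from the interviewee: on your own workstation, with the drive plugged in, list the removable volumes, flag any label that matches a personal or team identifier, and relabel it. $LeakPatterns and the default neutral label are assumptions for illustration; the cmdlets are from the built-in Storage module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not code from the book. Flags and, with -Fix, relabels removable
# volumes whose label could identify the operator. Run on the operator's own
# machine before the drive ever touches a target.
param(
    [switch]$Fix,
    [string]$NeutralLabel = 'USB'   # looks like a factory default; keep it boring
)

# Hypothetical patterns: your name, handle, employer, team, tooling. Upper case;
# the comparison below is case-insensitive.
$LeakPatterns = @('MARCUS', 'CAREY', 'REDTEAM', 'PENTEST', 'KALI')

$removable = @(Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter })
if ($removable.Count -eq 0) { Write-Output 'No removable volumes mounted.'; return }

foreach ($v in $removable) {
    $label = [string]$v.FileSystemLabel
    $hits = @($LeakPatterns | Where-Object { $label.ToUpperInvariant().Contains($_) })
    if ($hits.Count -eq 0) {
        Write-Output "OK    $($v.DriveLetter): label '$label'"
        continue
    }
    Write-Warning "LEAK  $($v.DriveLetter): label '$label' matches $($hits -join ', ')"
    if ($Fix) {
        # Only the label changes; the filesystem and its contents are untouched.
        Set-Volume -DriveLetter $v.DriveLetter -NewFileSystemLabel $NeutralLabel
        Write-Output "FIXED $($v.DriveLetter): relabeled to '$NeutralLabel'"
    }
}
```

The label is only the most visible identifier. Windows also records the device's vendor/product IDs and hardware serial number under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and the volume under HKLM\SYSTEM\MountedDevices, and forensic tooling reads all of those, so a relabeled drive that has previously been used on your own or your employer's machines remains attributable. Use media bought for the engagement and retire it afterwards.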
What is the biggest ethical quandary you experienced while on an assigned objective?
The biggest ethical quandary is being intentionally deceptive in spear phishing and social engineering. This is primarily because you could cause actual harm to people and their livelihoods on the other side of the phish.
One of my mentors would always ask for a few executives to be in scope in every engagement so management couldn’t blame it on their staff. He wasn’t satisfied until an executive was compromised. Sometimes he’d conceal the identity of the person whom he compromised so they wouldn’t get in trouble.
How does the red team work together to get the job done?
If you are working with a team, communication is the most important element. Split up work and ensure you document everything that you do on an engagement. Trust is important as well, because I’ve seen situations where team members lose faith in their teammates.
I recommend using collaborative tools so everyone can see what their teammates are doing. Transparency always wins. One more thing, don’t be afraid to ask for help; that’s what teammates are for. If your teammate is an expert at a certain thing, simply ask for help.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Professionalism is the key. Since we are all human, feelings can come into play when debriefing to internal and external blue teams. Always let them know you are on the same team as far as the big mission goes. If you do it right, they will have a detailed plan for how to correct any issues you discovered.
The hard part is when you help someone and then come back in the future and find that the same issues exist. Don’t get mad. Try not to get burnt out. Stay professional and try to help. You can lead a horse to water, but you can’t make it drink.
If you were to switch to blue team, what would be your first step to better defend against attacks?
I’m blue team for life, but I occasionally red team. The first step to being able to defend against attacks is putting policy in place and following it. I repeat, follow it.
People don’t implement policies because it feels cumbersome. Security policy should be looked at like a map. You may not be where the policy says you are, but if you don’t have a map, you’ll never reach your destination.
What is some practical advice on writing a good report?
My advice is to ...