Subliminal Hacking
The Art and Science of Social Engineering




June 10, 2020

Red Team Hiring – Are You The One?

Despite the madness that is Covid-19, I have been in the fortunate position to be hiring Red Teamers to join the amazing team I have the pleasure to work with. When hiring, people regularly reach out to me asking what I am looking for. Aside from pointing them to the corporate job spec it can sometimes be hard to articulate it, so in this post I am going to aim to do that. This will also help remind me what I expect of myself and to lead by example.

I should also state, this post is somewhat inspired by Chris Nickerson’s honest post on LinkedIn for his recent search for new people to join his work family. It's great to be able to be honest about your expectations up front in a non corporately correct manner sometimes 🙂

What Am I Looking For?
Hierarchy exists in all organisations, but I favour a Get Shit Done (#GSD) approach regardless of grade / position. So if you can leave your ego / rock star mentality at the door, please read on.

I am looking for collaborative and confident individuals who want to push themselves to do their best, who can deal with challenges and use them as fuel to try harder next time, and who make impactful contributions.
I am interested in people who take pride in what they do and how they do it, and have an interest in helping and developing themselves and the team around them.
You need to have a good ethical and moral compass, be dependable, and be organised in how you operate and present yourself (essentially have your shit together and be professional). We like to have fun and a laugh, but you need to know the time and place for professionalism and fun and games.

TEAM is important; everyone brings their own knowledge, skills and life experiences. It's a diverse team, with collaborative thinking, that makes a Red Team great. The majority of the team works remotely, so it's important to be self-starting and a good communicator, so your team mates are not left in the dark.
You should be someone who is a problem solver and can think outside the box. I don’t mean this in just the “hacking” sense, but in your general approach to things. If there is a way we work that you don’t like, help do something about it. You are empowered to bring about change, be part of the solution, not just someone moaning about a problem waiting for someone else to come along and fix it for you.

Got skills?
Prior Red Team experience is preferred but not essential. What we do need is someone who can think and act like an attacker. Maybe today you are a defender, a developer, a consultant, etc. However, you have that hacker mindset and think you have something to offer an adversarial threat emulation team. Then consider applying and communicating what that something is and be able to demonstrate it.

What experience or ideas do you have about operating across physical, people, process and technology? How can you use blended attacks, like the real adversary, in the attempt to achieve objective-based outcomes?

A great ability to log, track and document your activities. A knack for communicating in a way senior (often non technical) leaders can understand your findings and reporting, so they can make more informed risk decisions.
No one likes reporting, but it's an IMPORTANT part of the job and it's often how the weeks / months of work is “valued” by the customer. So you need to have excellent written and spoken communication skills. Attention to detail is also important, thinking things through and taking informed actions (a bit like what my grandad used to tell me: measure twice, cut once).

Knowledge of attack frameworks is important, along with the ability to execute tested and controlled attacks manually, with no spray and pray mentality. Familiarity with MITRE’s ATT&CK Framework will also be advantageous, along with how the various TTPs link together. You will also be aware of the consequences of the actions you take, and when to be silent and when to be noisy.

It will also be an advantage to have awareness of different threat types: what motivates them, how they operate and where from, and how you can best emulate this. When does it make sense to move to an assumed breach? What knowledge does an insider have over an external adversary, etc.?

Knowledge of persistence and lateral movement techniques. How do you overcome defensive controls? Can they be disabled or bypassed? How can you live off the land, or do you need to find ways to establish your own tools, and how would you go about that?

No one is expected to know everything, and that's the beauty of a team (you have others that know stuff and are awesome). However, you need to be up for learning, mucking in, doing what you can, and sharing the knowledge you have.
Certifications are important to many and that's great and will be supported where possible, but what is most important is an ability to DO, to TRY and FAIL FAST and help us make continued ITERATIVE IMPROVEMENTS. If you have zero certs to your name, but can do that, I am more than interested.

In terms of skillset / domain expertise, I am not looking for any one thing over another, but if you have demonstrable knowledge in one or more of the following areas, you potentially have value to add to an Adversarial Threat Emulation capability.

– Social Engineering
– Open Source Intelligence Gathering
– OSX Attacking / Post Exploitation
– Linux / Unix Attacking / Post Exploitation
– Windows Attacking / Post Exploitation
– Network Attacks
– Web Attacks
– Application Attacks
– Database Attacks
– Wireless Attacks
– Mainframe Attacks
– Physical Security Attacks
– Exploit Development
– Password Cracking / Machine Learning
– Reverse Engineering
– Dev Ops Skills
– Hardware Hacking




    About the Author

    Dale Pearson
    has worked in IT since 1998, Infosec since 2004, and studied and performed hypnosis, mentalism etc since 2009. Dale is a full time Red Teamer with a love of social engineering and qualified hypnotherapist. He spends a great deal of time researching the various skills and techniques that make up the art and science of Social Engineering.



