I receive the questions “I want to become a red teamer” or “How do I get started in pentesting / red teaming?” pretty often. Instead of repeating myself, I’ll write down my recommended path to take if I had to do it all over again. Here we go.
0. What did you do?
Before I dive into my recommendations, let me briefly explain how I got started. I graduated from university with a degree in information security. It sounds fancy, but it didn’t teach me anything useful that I still use today during my assessments. In my spare time I made sure to become very proficient at programming in C# and C. I’ve always had an interest in malware, and before I got into an offensive role I practiced a lot of malware analysis, which helped me later down the road to write my own capable malware. For those interested, I can highly recommend the Zero2Automated course by Overfl0w. In my spare time I started doing HackTheBox and posting write-ups and walkthroughs on this blog and on X/Twitter.
At this point in time I got hired into a red teaming role after completing two internships with NVISO Security. What made me stand out was my interest and skills in malware development. After being hired I received on-the-job training, took the RTO I & II certifications and continued honing my malware development skills through additional training.
If I had to do it all over again, what would I do in 2024?
1. Build a solid foundation
It goes without saying that a job in the security industry is not necessarily an entry-level one. This field is difficult to work in, with hefty requirements put onto you by customers or potential employers. Before making the transition into any type of security role, you need to build a solid foundation. “What does this foundation consist of exactly?” I hear you ask. When I got started I made sure to have:
A solid background in networking
This includes but is not limited to: subnetting, switching, routing, physical network components.
A solid background in Linux systems
It sounds stupid, but building your own Arch Linux box from scratch will teach you a lot about the way things work and get you familiar with using the terminal and bash scripting. An additional recommendation is setting up and configuring an Apache web server.
A solid background in Windows systems
Consider setting up your own Domain Controller, then configuring a web server, a DNS server and Active Directory Certificate Services. Bonus points for familiarizing yourself with Kerberos, how Windows authentication works and PowerShell scripting.
A solid programming / coding background
I’ve always loved programming, but I realize it’s not for everybody. Unfortunately, the core of “hacking” or its commercialized forms “pentesting / red teaming”, whatever you want to label it, has always been developing exploits for vulnerabilities and chaining them together to achieve specific goals. Programming is, in my opinion, a vital skill which every aspiring red teamer should have.
Let me preface that with: you don’t need to be a full-blown software developer or adhere to all coding standards and principles. No, you need to be capable enough to throw together some code that achieves the objective and doesn’t fall apart entirely in a production environment. Over time your programming will improve the more you do it.
So what are my recommendations?
- Get comfortable with at least one high-level language such as C#, Go, Nim or Rust, whatever floats your boat. I recommend C#.
- Get comfortable with at least one scripting language such as Python.
- If you’re interested in malware development, get comfortable with C or C++ and x64 Intel assembly. I recommend starting with C only.
Now that we’ve got the basics out of the way, what’s next?
2. Work on your pentesting skills
The next step is practicing your actual “hacking” skills, familiarizing yourself with day-to-day pentest tooling and understanding how to approach different environments. For this I can only recommend purchasing a HackTheBox subscription and starting to own retired boxes with the help of walkthroughs such as the legendary ones IppSec provides on his YouTube channel. I recommend focusing primarily on Windows machines, since this is the most common environment you will be working with during actual pentests or red team engagements. This doesn’t mean all Linux boxes can be ignored; knowing some basic Linux exploitation always comes in handy.
If you’re willing to throw money at the problem and make it easier to learn, instead of learning by doing in a HackTheBox environment, then I recommend the TCM Academy courses.
Alternatively, you can watch this and this YouTube video by TheCyberMentor.
3. Become familiar with Red Team tools
The next steps are particularly for red teaming. Pentesting tools are great, but they lack certain “OPSEC” features needed during stealth engagements, when you want to avoid setting off alarms and detections as much as possible. The answer to this problem is Command & Control (C2) frameworks such as Cobalt Strike or Brute Ratel. Of course there are plenty of open source alternatives to practice with, such as Covenant, Mythic, Sliver and Havoc.
Unfortunately this is where the free resources stop, and from here on I’ll be recommending paid training and platforms. At this stage you should have sufficient knowledge and skills to land an entry-level pentesting gig.
4. Get proper training
Now it’s time to specialize. I recommend obtaining the following certifications:
5. Pick your poison
After obtaining RTO I & II it’s time to pick your poison and specialize in a specific “role” you want to fulfill within a red team. After all, there is a “team” in “red team”.
- If you’re interested in malware development, pick up a subscription to MalDev Academy and the Sektor7 Malware Development courses: Essentials, Intermediate, Advanced.
- If you’re more interested in applications and general pentesting, then obtain certifications such as the OSCP from Offsec Training.
- Last but not least, if you have too much money or your company can pay for your training, you can obtain certifications by SANS. I recommend SEC565: Red Team Operations and Adversary Emulation, SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking, and SEC699: Advanced Purple Teaming - Adversary Emulation & Detection Engineering.
That’s it. There’s no other magic sauce. Only hard work and dedication.