Every year, I try to distill some of the changes, events, and information surrounding the big week of computer security conferences in Las Vegas. This week, including Black Hat, BSides Las Vegas, and DEF CON, is what some refer to as “Hacker Summer Camp” and is likely the largest gathering of computer security professionals and hackers each year.
So there’s a lot of confusion out there about Penetration Testing and Red Teaming. I wanted to put together a list of resources for those familiar with infosec or penetration testing who want to get into red teaming or at least get a better understanding of the methodologies and techniques used by red teamers.
First, it’s important to note that Red Teaming is predominantly comprised of two things: alternative analysis and adversary simulation. Red teams do not attempt to find “all the vulnerabilities” and do not usually try to have a wide breadth of coverage. Instead, red teams seek to simulate an adversary with a particular objective, predominantly to act as a “sparring partner” for blue teams. Keep in mind, red teams are the only adversary that will debrief with the blue team so that blue team can figure out what they missed or could have done differently.
For more about the specific definition of Red Teaming, check out the presentation Red Teaming Probably Isn’t For You by fellow red teamer Toby Kohlenberg.
Over the past 4 days, I had the opportunity to take two hardware security classes taught by Joe Fitzpatrick(@securelyfitz) along with @_MG_. Both courses are part of the “Applied Hardware Attacks” series of courses taught by Joe. The first course, “Rapid Prototyping”, is focused on using 3D printers and PCB mills to build interfaces to hardware systems. The second course, aptly named “Hardware Implants” applies these skills to build hardware implants to perform attacks on hardware systems. Both courses are very timely and informative, as well as a lot of fun.
For some reason, security certifications get discussed a lot, particularly in forums catering to those newer to the industry. (See, for example, /r/asknetsec.) Now I’m not talking about business certifications (ISO, etc.) but personal certifications that allegedly demonstrate some kind of skill on behalf of the individual. There seems to be a lot of focus on certifications that you “need” or that will land you your dream security job.
I’m going to make the claim that you should stop worrying about certifications and instead spend your time learning things that will help you in the real world – or better yet, actually applying your skills in the real world. There are likely some people who will strongly disagree with me, and that’s good, but I want it to be a discussion that people think about, instead of just assuming certifications are some kind of magic wand.