What Does a Red Teamer Do? We Asked a Full-Time Red Teamer

Red teaming is undoubtedly one of the “coolest” jobs in cybersecurity.

When you hear the word “red teamer,” you might picture someone in a hoodie, hunched over a laptop, staring at lines of green code in a dark room.

We asked ChatGPT to draw a red teamer, and this is what we got (so close enough).

But what really goes on behind the scenes? What does a red teamer actually do in real life?

TL;DR: A red teamer's job is to act like a real threat actor (by breaking into a network or trying to compromise a system) and then do something that cybercriminals don’t do: report back. Their goal is to help organisations identify weak spots in their systems before real attackers do.

To give you the full story and a realistic look at what it means to be a red teamer, we asked Dimitri, a full-time SECFORCE red teamer, about his day-to-day job.

Here’s what he told us his job involves.

Getting Into a Target Network

Most of the time (nine times out of ten), a company hires a red teaming service provider because it wants to see how it would hold up against realistic threats.

Sometimes, this is driven by compliance requirements, such as the Digital Operational Resilience Act (DORA). At other times, red teaming is conducted as part of a company’s proactive security strategy, particularly after launching a new system or implementing major configuration changes.

Regardless of the reason, all businesses that choose to do red teaming do so to simulate realistic open-ended cyberattacks. As a result, red team attackers typically start from the same position cybercriminals do, i.e., outside a company's network.

For Dimitri, this means that most engagements start with phishing.

Dimitri says that his team typically begins with a harmless phishing email to build trust. There are no malicious payloads, just conversation. It’s only once trust is established that they start including malware payloads.

However, phishing isn’t limited to email. Red teamers also use SMS (“smishing”) or voice phishing (“vishing”) to lure users into running malware on their workstations. These tactics reflect real-world attacker trends (deepfake rates, including voice phishing, rose by 1,300% last year).

Reaching a Goal

Once inside the network, the red team's next goal is to gain a position that allows them to compromise a target system or perform a potentially malicious action.

In most red team engagements (which usually last a couple of months, with around five or six weeks of active hacking), there is a predefined target that the red team is supposed to aim for, after which they report back on how successful they were.

An example that Dimitri uses is targeting a bank’s SWIFT server.

If a red team can reach the point where compromising the SWIFT server is possible, it shows the organisation that a real attacker could potentially do the same. And for a bank, that’s something they’d rather know before it happens.

Other red team objectives might include:

Taking the Easiest Route and Evading Defenses (As Efficiently As Possible)

Forget walls of code for a second. The day-to-day of red teaming is not all (or even mostly) about coding custom malware.

As Dimitri says: “Sometimes we spend days reading internal documentation.”

Real threat actors will always take the technically easiest path to their target, making as few moves as possible inside a target environment to avoid detection. Red teamers follow the same principle.

In fact, a really successful red team engagement might involve no coding whatsoever and could see a hacker get to a goal (such as reaching maximum administrator-level privileges on a system) in just three or four steps using only plug-and-play malware.

As a rule, red teamers will always try to reach their goal using easily accessible (“off the shelf”) tools and techniques first. If possible, red teamers will use well-known tools (like Cobalt Strike). Dimitri calls these “the obvious, monitored tools or APIs.”

Some of Dimitri’s favourite engagements were when he and his team chained together a series of low-severity misconfigurations to completely bypass complex security systems.

Malware and Tool Development

Sometimes, off-the-shelf tools just won’t cut it.

When standard techniques are likely to be detected, red teamers, just like real threat actors, need to adapt. That often means modifying or developing malware in order to evade detection while reaching their goal.

That’s why another big part of a red teamer's job is reverse engineering and malware development.

A skilled red teamer like Dimitri will spend time rapidly understanding a target operating system and its internals to identify blind spots in security controls, such as antivirus (AV) and endpoint detection and response (EDR) tools.

So, if a Microsoft-provided tool or function is likely to be monitored by defenders, a red teamer might need to find an alternative path to achieve the same result. If an existing tool can be tweaked to exploit that path, then red teamers will use it. If not, they must be ready to code something that can.

High-Pressure Situations

The day-to-day reality of red teaming is solving complex problems on short deadlines with no ready-made or guaranteed solutions.

Red teamers have to operate under what can be serious time pressure. The “active phase” of an engagement might last only a few weeks, and the environments, defences, and tools a red teamer encounters could end up being totally unfamiliar.

For a red teamer like Dimitri, whose focus is on Windows, an unexpected encounter with a properly hardened macOS system during an engagement was a memorable challenge. He had to learn how the defences of a totally new system worked in a very short period.

Blue, White and Red: Communicating with Clients

Companies hire red teamers from offensive security consultancies like SECFORCE not because they want to be hacked but because they want to know how they could be hacked. They also want to find out this vital information safely.

That’s why a core part of a red teamer's job is communication.

A red team engagement usually involves three parties:

Throughout the red team engagement, the red team is in constant contact with the white team. They provide regular updates on what actions they’re taking, the risks those actions might pose, progress made, obstacles encountered, and any adjustments to their approach. They also respond promptly to questions or concerns raised by the white team.

Communication is a feature in every good red team engagement.

That’s why red teamers must be skilled communicators, especially when it comes to identifying and articulating risk. A poorly communicated or mishandled engagement can result in confusion, unintended consequences, unnecessary risk or even real harm to the organisation.

Clients need to know exactly what’s happening during the operational phase and trust that the red team is balancing realism with responsibility.

Report Writing

At the end of the engagement, the red team writes a report.

Report writing is not the coolest part of red teaming, but it is arguably the most important part of the entire exercise. A lot of what a red teamer does is report writing.

The red team's report is a narrative of the engagement. It’s the actions they took, the results of those actions, and the implications of those results. The report is what the organisation that engages a red team will use to inform their remediation work and to identify and address gaps in their security posture.

A red team without a high-quality, actionable report is a wasted red team.

Red Teaming Is Still One of the Most Impactful Actions a Company Can Take

If the above sounds fun to you and is within your technical capabilities, you should consider red teaming.

Want to become a red teamer at SECFORCE? Contact us. We’re always looking for talent.

But make no mistake: red teaming is a really hard job. Sometimes, engagements fail, and planned pathways do not work out as expected.

The defensive landscape keeps evolving, and the job of red teaming is only going to work out for someone who wants to keep learning throughout their career. But for Dimitri, the job of being a red teamer is fun precisely because it's hard.

The fact is that red teaming is an open-ended exercise. There is no guarantee of success.

The open-ended nature of red teaming (versus pen testing, which tends to be confined to one website, infrastructure asset, or server) is one of the reasons why red teaming has so many broad use cases.

SECFORCE has been a leading provider of red teaming services since 2008.

We're proud to have employed some of the best red teamers in the world during that time.

Looking to conduct a red teaming exercise at your organisation? We’d love to talk to you about it. Contact us for a free consultation.
