to work with you, good to support the village. I'm really, really glad to see that DEF CON continued on this year. I think it was a great idea. You know, there's a lot of people that don't always get to make it out to DEF CON, and so, you know, people get a little taste of what it's like. They missed the human interaction part, but I would bet it's gonna be back even bigger and stronger next year. But thanks to Omar and Joseph for continuing this on, as well as DEF CON in general. So I'm happy to present my new talk here today. I have a talk that I do, The Pentester Blueprint, and it's basically a talk on becoming a pentester. And so I came up with something more red team related, because there's a lot of confusion between what true red teaming is and pentesting. So who am I? I'm Phillip Wylie. I have my CISSP, OSCP and the SANS GWAPT cert. I'm a senior lead at a global consumer products company. I'm also an adjunct professor at Dallas College, formerly Richland College. I'm the founder of The Pwn School Project, which is a monthly, now virtual, meetup that teaches cybersecurity techniques, with a big focus on offensive security. So a lot of our talks are geared towards that, even some good talks on SOCs and other areas of security. I've been in technology and InfoSec for over 22 years; 2004 is when I got my start in security. The last eight years I've spent pentesting; the first five years I was a consultant. I was featured in the book Tribe of Hackers, Red Team edition. Those are some really great books by Marcus Carey and Jennifer Jin, really good for those getting started out, but I recommend them for anyone else. It's advice from industry professionals on different topics. There's the Red Team one. There's the first Tribe of Hackers that's across all spectrums of security. And then there's the Leadership book out. I'm also the co-author of The Pentester Blueprint: Starting a Career in Ethical Hacking.
I took my talk, The Pentester Blueprint, and decided to make a book. And I teamed up with Kim Crawley to help me make that a reality. So that should be coming out late fall or so. And I'm also a co-host of The Uncommon Journey podcast with Chloé Messdaghi and Alyssa Miller. So the agenda: during this talk I'm gonna describe my path into offensive security, 'cause a lot of people that attend these talks are trying to get into it. There's not a lot of, you know, you have to look out there to find good information on how to get into certain areas of security, and there's not a lot of stuff on offensive security. So, continuing on in the spirit of the Pentester Blueprint talk, I've kind of extended that on to offensive security in general, with this talk being more focused on red teaming. We're gonna discuss what offensive security is, the different domains, a red team intro, red team tools, a red team blueprint, as well as some other educational resources and books out there and blogs. So my offensive security path is kind of an unusual one. I started out as a pro wrestler. I graduated high school and my friends asked me, what are you gonna do for a career? And I did not have a clue. I mean, really, college wasn't in the plans for me and I didn't know what I was gonna do. I was a power lifter and my friends said, hey, you're a big guy, you should be a pro wrestler. So I went to wrestling school and I wrestled for a few years. And I got out in the late 80s due to needing a more stable career since I got married. So I was married and needed this stable career for my wife and future family. When I did that, just working through other areas of manual labor and retail sales, I saw an ad on TV for a trade school that taught AutoCAD. So I went to school to be a CAD draftsman, and that's where things really started to take off.
I learned about sysadmin work because I was working in offices, and we had a network administrator or system administrator coming in one time to work on our systems, and I found out that this guy was making more money than I was and what he did looked a lot more interesting. I taught myself how to build computers, took a Novell network class, which used to be the popular network operating system before Microsoft really took off with their directory services. So from there, I moved into InfoSec and then AppSec. And AppSec is really where I kind of found out about pentesting and offensive security; learning how to use web application vulnerability scanners and going to some different vendor talks on their tools and stuff got me interested in pentesting. So in 2012, I got laid off from my job of 14 years at a mortgage company, and then I went to work as a consultant working in pentesting. I did that for five years and then got out of consulting and moved more into the corporate world, and then back in November, I moved into red teaming. So this is a slide I share every semester and during all these conference talks: only hack if you have permission, even better, written permission. Hacking without permission is illegal. So as long as you have permission, you're good. But you don't want to get in any trouble, because if you get any kind of a criminal record then it kind of makes it hard to work in any area of IT, and especially something like offensive security. So I like this quote, I first learned about it from Spider-Man: with great power comes great responsibility. So what is offensive security? Offensive security is just kind of a broad generalization of different types of ethical hacking. It's assessing the security of a target using adversary tactics, techniques and procedures, or TTPs, commonly known as ethical hacking. So for the different security domains in offensive security, the two main categories are pentesting and red teaming.
You can see the different areas covered in pentesting: network, application, wireless, cloud, social engineering, physical security, hardware and vehicle security can all be tested through pentesting. Red teaming is kind of more of a specialized area. You're getting into more adversarial type simulations. But there's been a lot of confusion. So red teaming, a red team engagement, is not a pentest. It's not the same thing. They've been used interchangeably, pentesting and red team, for years. It's a way to generalize, kind of the same way the blue team generalizes the defensive side. So, you know, even on the defensive side, all blue team is not the same. There's a lot of differences. But red team, a lot of people have confused and think that red teaming in general is all the same, but it's not. So there are some distinct differences. Some of the commonalities, you know, there's these similarities between the two areas: they're both forms of pentesting or, you know, forms of offensive security. Exploitation, social engineering, phishing and physical security exploitation are used on both of these. Sometimes not everything: with your pentesting, you know, a lot of times social engineering, phishing or physical security exploitation is not part of it unless it's, you know, specifically built into the statement of work, the rules of engagement. And so there's some differences there too. So with red teaming, you're emulating a threat actor, an APT, an advanced persistent threat. With pentesting, you're using some of those techniques but you're not emulating a threat actor. You're just using some of those techniques. And in red teaming, you're trying to avoid detection. With pentesting, it's a time-boxed test. You're limited in the amount of time you have to test. So you don't have time to go low and slow to try to avoid being detected.
And due to the time constraints, you're using vulnerability scanners and doing a lot of port and service scanning, which makes it more loud. So you're not really avoiding detection. Sometimes it could be part of a statement of work, but usually that gets more into your red teaming. Red teaming is less restrictive. There's more areas you can go; in most cases, social engineering and phishing are part of it, part of the scope. With pentesting, it's more limited. With PCI, when PCI came out, a lot of the pentests, and PCI has driven a lot of pentesting requirements, to be PCI compliant it's a requirement to be pentested. So a lot of the focus has been on just what is needed to be compliant and not overall security. So some things get missed. And that's kind of carried on throughout pentests. There's a certain area that wouldn't be tested. Sometimes there's not a lot of time to plan it out. Budget constraints, they just want to get it done quickly. And with pentesting, vulnerabilities are the focus, whereas with red teaming, you're trying to simulate an actual attack or cyber criminal. And there's a lot of tool commonalities. If you look at the list of tools here, you see everything is pretty much the same. There are some variants and some things that are not on this list, but the common tools are listed here. With pentesting, you're using vulnerability scanners. Red teaming, if you're using a vulnerability scanner, you're going to cause noise. You want to be quiet. Metasploit can be used across both of those. And also you see malware and exploits used across both. But red teaming is more heavily dependent on getting the footholds using malware through phishing campaigns. Command and control is done in both and useful in both, but a lot more heavily relied on for red teaming. And so here's kind of a little introduction on red teaming. Red teaming is scenario-based assessment, emulating threat actors, and even simulating specific APTs.
You can go through, like, the MITRE ATT&CK framework and pick out specific APTs to mimic. The goal of a red team operation is to simulate real-world breaches. Not only is the operator testing the security of technology, they're testing the people and the process. A great quote from the founder of Dallas Hackers Association is "the red team tests the blue team." And this is a good way to describe that. When you're doing a pentest, you're really not testing the people, you're testing the security controls and the technology. With red teaming, you're testing the reactions of the defenders, as well as any of the systems doing the detecting. During a pentest, things can be detected, and usually, unless it's built in to block it, you're not gonna get blocked. They're gonna let you complete the pentest. And red team operations take a lot of time to plan and perform. So you're trying to plan a specific scenario, a certain type of APT you're trying to imitate. So you're taking the time to plan this out and to perform it. Usually you've got more time. A pentest, not to say it's not a thorough pentest, but a lot of times a pentest may be a week, whereas a red team engagement could be four weeks or it could be months. So it depends on the scenario you're trying to imitate. And so red team operations rely heavily on OSINT to enumerate information on target technologies and employees. This is leveraged through social engineering to gain an initial foothold into the target environment. You can also do, like, an assumed breach and use accounts, but this is a good way to see how easy it is to get past the people, the process and technology by using phishing campaigns, sending malicious payloads to end users or compromising a site and putting payloads in there to gain access to the systems.
Detection avoidance is very important for a red team to be successful, because part of this is they're trying to stop you, whereas in a pentest, they may see something going on and they're gonna let you finish the pentest. During a red team engagement, usually the people you're testing don't know about the test; it's not announced. Usually management and a few key people know what's going on. So in case the defenders detect this, they can report it and it can be treated internally to look like a normal breach, to see how everyone reacts to it during the exercise. So that's important, to stay undetected. And so red team TTPs: red team operations rely on malware payloads to gain initial footholds. So being able to evade and obfuscate your code for your malware and exploits is very important. A lot of times, to get it to work in a pentesting role, you have to work on obfuscating your code, because PowerShell is getting more detected, although in some environments it's not. So as a practitioner, keep trying. People will say this is not in environments anymore; it still will be. I mean, I've performed pentests as recently as the end of 2018 where Windows XP was in a company, a Fortune 100 company. So that stuff's still out there, and not everyone's blocking PowerShell, but it's becoming more often blocked. So some of the skills that you'll need to work on is really working on the evasion and obfuscation. Command and control, or C2, is a very important tool used to compromise systems, deliver payloads, elevate privileges, lateral movement, and used for persistence. Cobalt Strike is a very popular command and control, as well as there's some other ones out there: Silent Trinity, Covenant, and actually Team Ares from Critical Start came out with Demedios, which is a new C2 that's built on Go, so it looks really promising. A new one out there, and recently was added to the C2 Matrix. And Red Team Ops planning.
So as we mentioned, there's more planning that goes into this; it can be more detailed. So you can map the APTs from the MITRE ATT&CK framework and use tools like VECTR. VECTR is a pretty cool tool I learned about from Jorge Orchilles' talks. He does a lot of great talks on red teaming and purple teaming, and he currently works for SCYTHE. So he's a SANS instructor. He teaches the SANS purple team, I mean, the SANS red team course. So keep an eye out for his videos. This VECTR tool is a framework that you can plan out your scenarios for your red team engagements. So you can go through and map out the APTs that it's pulling from the MITRE ATT&CK framework. And so red team ops can also be less complicated and not map to specific APTs, just using common TTPs. And as your program starts out, it may not take really advanced attacks to be able to compromise systems. You know, it's kind of like offensive security in general. You wanna make sure that you've got your vulnerability scanning program, your vulnerability management, solidly in place before you include it with pentesting, but you really wanna get that in place and working on that. As you get to more open-scope pentests and red team engagements, where more things are in scope and can be exploited, then, you know, as you become more mature, then you don't need to emulate more advanced attacks. So starting out, you may not have to be as complicated, but as you're going along, you can become more complicated and detailed in your attacks, and using tools like the MITRE ATT&CK framework and VECTR to map those out are great options. And there's some additional red team benefits here. So a major benefit of red team is testing the people, process and technology. So during the operation, if activity is not detected, then the red team can work with the security team to tune the security defenses to be able to detect malicious activity.
This can be extended to purple teaming engagements or activities, where you just work with the blue team to tune their systems to detect different types of exploits. So during your testing, if PowerShell is not being detected, if Mimikatz is not being detected, then you can kind of do a purple team activity, just kind of working with your blue team as you launch specific attacks, see if they detected them, and help them to work on detecting those on systems where you can build signatures to detect those vulnerabilities. And so, in the spirit of the Pentester Blueprint, I'm kind of going to go into some details here on how to become a red team operator. So basically a red team operator is a pentester. You're getting more specialized, going more into adversarial simulation, but you need the base starting out. So your base: you need to understand technology. So if you're jumping into this from nothing, then you're going to have to learn these technologies. You have to understand networking and operating systems and Active Directory, because you're performing pentests against some of these networks and red team engagements. Because Active Directory is Microsoft's directory services, where all the users and different computer objects and security settings are set in Active Directory. You get access to that, you can breach a lot of things, compromise on a large scale. I mean, the way to look at it is kind of like a single sign-on type of solution using LDAP. So if you're able to compromise Active Directory, then you can get access to anything in the environment. So understand it. You have to understand this technology. So understanding networking, understanding operating systems from a system administrator perspective. You need to be able to start and stop services, disable firewalls, enable services and that sort of thing during a pentest.
So if you gain a shell on a system or command line access, then the more you understand the command line, the more things you can do, the more effective you are. And you've got to understand networking and pentesting and hacking. So you have to understand the different tools and techniques that penetration testers and hackers use. So you have to have those, because hacking is part of being a red teamer; that's part of the job. It's kind of an extension or more advanced form of pentesting. And so programming and scripting can be very important. Some of the best hackers I know can program; they can write their own code or they can write their own scripts. So popular ones out there are Python and PowerShell. From a red teamer or a pentester perspective, knowing how to use PowerShell, using some of the tools like PowerShell Empire and some of the different exploitation tools out there and command and control, is very important. So you don't necessarily have to know how to write PowerShell, although it's good. Tools like Python and Golang can be used across multiple platforms. Python has been very popular for years. It allows you to write tools pretty quickly, modify tools. And from a programming and scripting perspective, at first you need to really be able to modify exploit code, be able to look at Python code and be able to alter that to fit. Maybe you find some exploit code and there's something different about that system that you need to modify for. So just understanding how to modify exploits is important. It's a good starting step. But be able to write Python scripts. Golang is a very new popular one. I guess it's been out five or six years or so, maybe longer, eight years. But it's a really good one because it's also a compiled language. It can run across multiple platforms. The thing I really like about it too is you can compile code on a Linux or Mac system to run on Windows. So this is kind of nice.
Because some of your exploits, if you're doing a pentest, then you need a similar system with Linux to be able to compile your exploit code, a similar system, or compile it on that system. With this, you can easily compile it on your own system. And C# is a very popular one for pentesting, because some of the PowerShell started getting detected and people moved on to C#. There's a lot of good tools out there written in C#. A lot of the tools are kind of going away from PowerShell more towards C#. So understanding these tools, and writing your own tools, is going to make you a lot better hacker. So yeah, just being able to do that makes, like I said, some of the best hackers I know and red teamers know how to write their own code. I mean, you stop and look at some of the tools out there, HarmJ0y, for instance, from SpecterOps. He's a prime example of someone that writes tools and he's a red teamer. So I mean, this goes to show you, you look at the high-level pentesters and red teamers, they're writing exploits and they're writing tools. So if you really want to do well, then that's an area to focus on. So red team focused skills. So malware and exploit development, where these are also important in pentesting, really working on obfuscating and being able to evade systems with your PowerShell code or C# or any language you're writing in, being able to obfuscate. Sometimes there's written tools out there and you can use different tools to obfuscate, or you're going to manually modify it yourself to try to take some of the headers out and signatures, so it's not as easily detectable. Sometimes it could just be the name of the developer of the tool that the system's picking up, or the name of the tool in the system. So just be able to modify your code where it's not being detected. Active Directory exploitation: understanding Active Directory is not enough, but understanding Active Directory and knowing how to exploit it is very important in red teaming.
And command and control. So command and control is a very important tool. It allows you to send payloads to your systems. You know, once you get a system compromised, you get access to it, then you can do lateral movement, going to other computers, other accounts, try to escalate privileges, and it helps you maintain persistence, maintain control over the systems that you've exploited. And phishing and social engineering, these are two very helpful tools, because in a lot of cases, maybe their systems are pretty secure as far as trying to, you know, crack passwords, or if you're doing an assumed breach or you're on that network and maybe you're not able to crack hashes. So if you can send malware through an email, through phishing campaigns, then that's a way to get an initial foothold, social engineering to get people to execute that code. Physical security exploits: gaining access to the buildings, getting past security into the server rooms or different areas to be able to pull off your exploits. And here's kind of a learning path to follow for gaining these skills, kind of a good baseline or good place to start. And this is assuming that you've got an IT background: you've got to learn the hacking skills. So certification courses like the OSCP, Hack The Box, are really good to build those skills. You know, learning social engineering, but the OSCP is a really good one, because you've got to get those hacking skills before you really get into the red teaming. So you need to be a good hacker. So there's other courses out there like eLearnSecurity, where a lot of those other courses really focus on pentesting, which pentesting and hacking is similar. With the OSCP there is a big focus on hacking skills, and with some of the newer content of the OSCP, they've kind of gone more in the direction of adding more pentesting content. Whereas before it was mainly just a really great, you know, really great hacking course, and kind of teaching the way pentesting used to be.
But a good path is, once you get the skill set of someone with OSCP, then you can start working on the red teaming skills. And this is something you can work on hand in hand, because for your red teaming skills, you can be working on Active Directory. So there's some courses out there that are really good for red teaming. And Pentester Academy's Red Team Labs is a good resource. They have Active Directory in their labs. So they've got different levels, but they even have, like, a red team certification. They have labs where you're using Linux to exploit Windows systems, as well as Windows systems to perform the same similar labs, learning how to use PowerShell exploits during that to compromise systems. And then eLearnSecurity, their Penetration Testing eXtreme course is, you know, it's labeled pentesting extreme, but it's a red team course. It teaches red teaming techniques. They teach you exploit development, code obfuscation and some other techniques that are important for red teaming. Hack The Box Pro Labs, RastaLabs, this is a really great, good one to learn, and it kind of inspired Rasta Mouse to start the Zero-Point Security Red Team Ops course. I'm actually going through that. And they actually have a certification with that; I'm currently going through that at the moment and it's a really good course. I mean, it's even set up to where you can send phishing emails in that environment. And so some different tools and resources for red teaming. So for your APT planning, as mentioned, the MITRE ATT&CK framework and VECTR. So there's the URLs for those resources. Those are really good to know. Just getting out there learning how, you know, a threat actor's mind works, getting that threat actor mindset through tools like the MITRE ATT&CK framework, learning how those TTPs work, you know, you get to see some of the common attacks. And this is a great resource for defenders; it's widely used by our defenders. Command and control: the C2 Matrix.
You can find that at thec2matrix.com. Cobalt Strike is one of the more popular ones, one of the first command and controls. Although Metasploit is also considered command and control, it's also pretty heavy on the exploit framework. But Cobalt Strike, Silent Trinity, PowerShell Empire, BC Security took over support of that and upgraded it to Python 3. And you can use Starkiller, which is a web front end to it that makes it more similar to some of the other C2s that have a web front end. Or you can use these tools as a team. You can collaborate together. So you can, you know, collaborate on the same project. So these really work good for collaboration. And a shout out to Critical Start Team Ares with their DEMIO C2 that recently came out. It's written in Golang. They're adding new features to it as it goes along. So it just recently came out. They're pretty excited about it. It looks like a really good tool. So you should check that out. And it's a free tool. It's open source, like a lot of the other C2s. In operating systems, Slingshot OS, or Slingshot Linux, you can find that on SANS. It's a good operating system for pentesting as well as red teaming. It has a lot of the C2s already installed. So actually VECTR, I believe VECTR's installed as well. Kali Linux and Parrot OS are good hacking options, and Commando VM for Windows. So in red teaming, you're dealing a lot with Active Directory. So it's good to have a Windows box to test with. And resources and courses. So Hack The Box Pro Labs, as mentioned, RastaLabs, one of Rasta Mouse's projects; Pentester Academy Red Team Labs; and institute.sektor7.net. This is a good course. They're relatively inexpensive. And I'm kind of listing some of these out based on the expense of the course. They have, like, a course on malware writing for red teaming. They have a privilege escalation course as well as another course I can't think of at the moment; these three different courses build red team skills.
And sometimes some courses may deal more on the red team side and less on the malware. With this course, they have good coverage of malware. So that's a good skill to develop, and they cover that in that course. And Zero-Point Security, the Red Team Labs course by Rasta Mouse, which they actually have a certification for. This is a pretty cool environment. You have VPN access to it. They have Windows boxes in there. You're separated, like, through a firewall. So you're connecting in. So you have to send, like, a phishing email to get on that system. So it's really cool. If you have the OSCP, you can just take the exam, but I didn't really want to miss out on the educational opportunity of going through the course fully. So that's currently what I'm working on. It's been a lot of fun so far. eLearnSecurity, as we mentioned, the Penetration Testing eXtreme course. That one's a red team course and they cover malware. So it's a really good, well-rounded course. Covers a lot of good materials. I haven't personally taken this course myself, but I've taken the eLearnSecurity web app pentesting course and their mobile pentesting course, and they're good quality courses. And they don't expect you to be an expert to be able to take these courses and learn from them. They start in enough detail that someone with technical experience can pick these up. And then the SpecterOps Adversary Tactics: Red Team Operations. I fortunately got to take a couple of courses before COVID really started ramping up and it caused us all to have to socially isolate, but I got to attend this course, and HarmJ0y was one of the presenters there, as well as some of the other gurus from SpecterOps. But this course, if you've got Cobalt Strike, this is a really good way to learn Cobalt Strike and use it as a red team operator. FortyNorth has a couple of good classes: their Initial Access Operations and Intrusion Operations.
So they cover some malware in their course, as well as Silent Break Security, which has, like, a malware development course and the adversary simulation one. So those are really great courses, and the SANS Red Team Exercises and Adversary Emulation. This is a two-day course and Jorge Orchilles teaches this, and it looks like a really good course. And they get into the red teaming from a building-a-team type perspective as well as doing the technology piece. And then Cobalt Strike offers some free videos on their site. If you go to the training and support tab on the Cobalt Strike website, there's links to their YouTube page as well. So they've got all sorts of tools in Cobalt Strike that they teach you how to use. I mean, a lot of the tools are pretty easy to pick up on, but if you haven't had experience with C2s, then, you know, I highly recommend these videos, because things are done a little bit differently with a C2, but they do a good job of covering the different tools that you can use within Cobalt Strike. And Cobalt Strike uses PowerShell and C# tools pretty heavily, as well as other scripts and scripting languages and executable files. So that's a good resource out there. You get a good idea of how red teaming works from the Cobalt Strike video series as well. And resources and blogs. So here's a list of some blogs and resources that I've come across, and I started dedicated red teaming back in November. So I've been doing a lot of research and studying to learn the red team side of things. And so here's some good ones: the Red Team Journal is kind of an older blog. I don't think it's been updated lately, but there's a lot of good information on there. The Red Team Guide is based on the red team guide book, but there's a lot of good documents on there on starting pentests and some of the different techniques, I mean, red teaming techniques. And then Threat Express is kind of a site related to the Red Team Guide.
Same people; it was kind of their blog before they came out with the Red Team Guide. Good information there. byt3bl33d3r's website, along with his awesome tools. There's a lot of great information on his blog. HarmJ0y's blog is great. BC Security, SpecterOps, Rasta Mouse, hausec, who is actually part of SpecterOps, Silent Break Security's blog, FortyNorth's blog, ired.team and Vincent Yiu's blog. These are some really good places to learn. And I've been using these resources as I'm going through Rasta Mouse's Zero-Point Security Red Team Ops course. There's some other books out there. So this is one of the books out here that recently came out, The Hacker Playbook. If you've seen version two and three: version one and two are more pentesting related, but version three gets into red teaming. I highly recommend, if you don't have version two, get version two. It's got a lot of good real-world pentesting attack scenarios. So also Red Team Development and Operations. This kind of shows you how to build a red team, and one of the authors is Joe Vest; he formerly worked with SpecterOps. I got to meet him back during my red team training through SpecterOps earlier this year. So it's a really good book, and they go through and show you some, they've got some different checklists and stuff on how to perform red team operations. So that's a really good book, even for management or people who manage red teams. I recommend this book because it kind of shows you how red team operations work. And then Hands-On Red Team Tactics: A Practical Guide to Mastering Red Team Operations. This book actually covers some Cobalt Strike information. And this was recently recommended yesterday, actually Friday, during one of the talks in Red Team Village. So that's a little more of an indicator that it's a good resource, but these are some good books out there, as well as just pentesting books in general, learning pentesting, and certifications.
There's not, like, a lot of certifications out there yet, and there may be more than this. I saw another red team cert that is more physical, more lock picking and more physical security related, but what you're going to need, in most cases, is what you would gain from Zero-Point Security's cert, Pentester Academy and eLearnSecurity: the skills that you would need to perform red teaming operations. While some of the physical stuff is important, you can take lock picking courses and learn physical security to kind of really get started, and especially if you have a pentesting background, these three cert courses or the other certs would be good to have. And some of these pentest-focused certs from Offensive Security, SANS and eLearnSecurity: Offensive Security and the SANS certs are really good for getting your foot in the door as a pentester and good for getting pentesting jobs. eLearnSecurity is starting to gain more notoriety, with really good courses, really well written and really well priced. If you don't have the money, or, you know, your company won't put you through SANS training, then Offensive Security and eLearnSecurity, those certification courses are really good ones, as well as the Pentester Academy courses. And here's my contact information. I kind of got into teaching and presenting at conferences as a way to share. I used to mentor and still do mentor a lot of people, a lot of times just answering questions and sharing resources. So this stuff's my hobby; I live and breathe this stuff. So I'm always up to talk about this stuff, give career advice and help out. If you have any questions, there's my contact information; feel free to contact me. And so that concludes my presentation. Awesome. Thank you so much, Phillip. As always, you have been amazing, and thank you so much for supporting the community and the Red Team Village as well. And for those of you that are online, please join the conversation in the Discord.
We have the link at the bottom of the screen, so in the description, whether you are on YouTube, on Periscope or on Twitch, please join us and