Kenny On is a seasoned red team leader who has many successful exercises under his belt. We sat down with Kenny to hear about how and why he became a red team cybersecurity professional, what it’s like to be the secret sauce of the security team, and what really goes on in those covert operations.
What Makes a Red Teamer
Can you describe your professional background?
My degree is in electrical engineering, so I come from more of a hardware background. I have always been interested in taking apart technical devices and assembling all the bits and pieces. I started my professional career doing DevOps. My move into security, and specifically red team cybersecurity, came from DevOps.
What made you get into red team services?
I have always been interested in the mechanics of how things work. A big part of a red teamer’s job is to understand how the minds of cybercriminals work, in an effort to think like them and anticipate their moves. I liked the idea of being a psychologist of sorts.
I was also drawn to the idea of doing something undetected. I liked that the success of an exercise is determined, among other things, by whether it is completed unnoticed by the customer.
What is the typical background of a red teamer?
Red teamers are a diverse lot. They come from different fields but mostly from technical backgrounds. Like me, they may have worked in operational parts of cybersecurity and entered red team services that way. Otherwise, they may have come from doing other things in the security space before getting into red teaming. What they all share is a technical background and the ability to think and execute creatively.
Would you say most red teamers are drawn to the job for the thrill of the hunt? Or are there other reasons?
I think the thrill of the hunt is a big draw. It makes the job exciting. But there are other reasons too. For example, the thrill of executing an attack without becoming compromised. And then there is the thrill of completing a red team exercise and presenting your findings to the customer. Seeing the customer’s reaction and understanding how much you have helped them is very satisfying.
The Elusive Team Nobody Quite Understands
Why are red team services needed?
Red teams check a company’s cyber defenses on multiple levels: the company’s software defenses, their security team’s response, their policies and procedures, and their overall readiness across all attack surfaces.
How are red teams different from white hat hackers, penetration testers, and vulnerability researchers?
"White hat hacker" is another term for "ethical hacker," meaning people who infiltrate systems for defensive purposes to help organizations. This is different from black hat hackers, who exist on the dark web and do these same activities for gain, usually monetary. So you could say that pen testers and red teamers both fall under the category of white hat hackers.
Penetration testers focus on a single application or system, while red teams try to exploit all attack surfaces. That is one way to differentiate between penetration testing and red teaming. But the main difference between the two is that penetration testers do what they do with the awareness of the organization and can make as much noise as they want. Red teamers, on the other hand, work under the radar, and the point of their work is to infiltrate without being noticed. Vulnerability researchers are something slightly different because they don’t perform organizational assessments or red team engagements. They research specific vulnerabilities.
All these jobs require strong technical capabilities and there are some personality traits that the people who perform them may have in common, like precision, patience, and perseverance. But red teamers need to know how to operate under the radar. This is a huge part of the job.
What tools do red teams use?
Red teams mostly use customized tools developed in-house. There are some off-the-shelf products that are available as well, but naturally, those will be more conspicuous and increase the risk of being found out.
But perhaps the biggest asset that red teams use is not really a tool—it’s the human mind. It’s the ability to think like a hacker and tap into the mindset of a cybercriminal.
How often and when should red team operations be performed?
The frequency of red team exercises depends on the company size and how many assets and users are in its systems. Some red team exercises can take up to several months to complete, from when we get started to when the company can implement the changes we suggest. But as a rule of thumb, I would cautiously say every six to nine months, so that there is always some level of security improvement going on: either the uncovering of gaps in cyber defenses or their remediation.
Something About Yourself
Have any hobbies helped shape your red teaming skills?
Yes, I would say that my love for gaming, specifically competitive gaming and strategy games like StarCraft, has had a profound effect on the skills I brought to security in general, and more specifically to red teaming.
Ever since the earliest documented militaries, war tactics were fleshed out of battle simulations and war games. This is not directly related to red teaming, obviously, but if we think about cyber threats as warfare and cyber space as a battlefield where malicious actors are the enemy, then we can see a lot of similarities. Mostly around getting into the head of the enemy to anticipate their next move. Other elements too, like the element of surprise, of going undetected, are also borrowed from the military playbook.
What’s your favorite part of the job?
I really enjoy the psychological aspect of it. Red teams need to get into the minds of malicious hackers and try to think like they do. I also enjoy digging into a client’s organization to uncover how their security team thinks and operates.
Can you share one red teaming experience that stands out in your memory?
I remember a particular exercise in which we uncovered the internet login credentials of one of our customers. We were flown over to the customer’s physical offices, and we logged into their Wi-Fi from just outside their offices using the credentials we uncovered. Once we were on their Wi-Fi, we had access to all their systems and were able to attack them shortly after. It was memorable to show the customer how easy it was to breach their organization simply with credentials that were floating around the web.
Want to learn more about how to develop a comprehensive red team strategy that enhances the security of your organization? Download our guide.