Twelve Steps to Becoming a Red Teamer

These posts include the core steps to help jumpstart your physical red teaming career. Regardless of the specific path to get into physical red teaming, these twelve foundational concepts are essential to being a well-rounded red teamer with the knowledge, skills, and context to make you an attractive candidate or consultant.

Phased Approach

Ready to become a physical red teamer? Diving into a new career path (or expanding a current one) is a massive undertaking. It is also difficult to know when you are ready to work in that field, and to know when you will have the competence and confidence to show for it. In other words, we all experience imposter syndrome, but we want to help get rid of yours. Our goal is to give you a roadmap that makes you a highly competent red teamer, and provides the clarity and structure needed to be confident in yourself, your skills, your knowledge, and your place in the security field as physical red teamer. As red teamers, we aim to provide you with a wide array of resources from different perspectives and professions. We have broken the training and ramp-up into three parts:

• Phase 1: Fundamentals (this post): What is red teaming, what types of red teams exist, where does red teaming fit into the wider security field, what is the difference between red teaming and penetration testing, and more. Understanding the profession, terminology, framing, and goals of a red team are essential to pursuing a career in the field. There are three steps:

  • Step 1: What is Red Teaming?

  • Step 2: Analytical Red Teaming

  • Step 3: Cyber Red Teaming

• Phase 2: Technical Skills: Every profession has specific skills that most practitioners are expected to maintain; physical red teaming is no different. From lock picking to OSINT, badge cloning to social engineering, we will cover the basic (and advanced) technical skills that physical red teamers are expected to have within the industry.

  • Step 4: Lockpicking

  • Step 5: Social Engineering

  • Step 6: OSINT

  • Step 7: Physical Access Control Systems (PACS): Badge Cloning and RFID Hacking

  • Step 8: Bypass Techniques

• Phase 3: Employment Skills: So, you understand the industry and have the skills to break into buildings. Now what? It’s time to work on being an attractive employee or consultant. This entails effective communication around red teaming, report writing, partnerships with other types of red teams, knowledge of regulations and rules around red teaming, knowledge of security frameworks, ability to stay safe while red teaming, and an understanding of where physical red teaming fits into broader security picture of cyber, information, and physical security teams.

  • Step 8: Red Teaming Ethics & Laws

    • 8a Red Teaming Gone Wrong

  • Step 9: Red Team Risk Management: Staying Safe

  • Step 10: Learning From the Real Baddies

  • Step 11: Security Frameworks, Standards, and Regulations

  • Step 12: Report Writing and Impactful Communication

Phase 1: Fundamentals

Timeline

Phase 1 should take two months. If you rush the process, you will sacrifice depth of knowledge and the opportunity to take advantage of your new excitement about and dedication to physical red teaming. If you find yourself rushing, keep rushing! But do so intentionally. Take notes of key terms and concepts that interest you, and if you find yourself done early with the items listed in a specific phase, begin doing deeper research on those topics. Harness your curiosity instead of rushing through all three phases.

Note that while most red teamers have broad knowledge of the topic areas in all three phases, they will often also have incredible depth of knowledge in one or two specific subject matter areas. For example, if you find yourself suddenly passionate about combating groupthink, picking high-security padlocks, or OSINT-gathering on radical hate groups, then take time to research, pursue, and begin contributing to those red teaming specialties. Many areas of the physical red teaming profession are relatively new, and ripe for your contributions. By taking the time to conduct additional research, gain more skills, or publish tutorials online, you will contribute to the profession of physical red teaming, you will make yourself a better red teamer, and all the while you will become a more attractive job candidate or consultant.

Step 1: What is Red Teaming?

Before jumping into the skills and knowledge of the red teaming profession, you should be able to confidently describe to friends and family exactly what red teaming is, and it’s not simply “picking locks and breaking into buildings.” Red Teaming is a mindset, an organizational position, and a profession wrapped into one. It’s applied in fields such as Analytical Red Teaming (sometimes called Applied Critical Thinking), Cybersecurity Red Teaming (most often just called Red Teaming), AI Red Teaming, and Physical Red Teaming. To speak to the wider field and approach of red teaming, you should read either:

• Red Team: How to Succeed By Thinking Like the Enemy – Micah Zenko

• Red Teaming: How Your Business Can Conquer the Competition by Challenging Everything – Bryce Hoffman

I recommend reading either of the two books, or both as they are excellent reads. Reading and internalizing stories, framing, and fundamentals of red teaming are essential if you are seriously contemplating a career in red teaming. Upon completion of your initial literary journey into red teaming, watch Deviant Ollam’s “You’re Probably Not Red Teaming… And Usually I’m Not Either” video:

Step 2: Analytical Red Teaming

You have read at least one book about red teaming, mostly focused on Analytical Red Teaming (ART) and Applied Critical Thinking (ACT). Now it’s time to dive deeper into that world to ensure you understand the concepts that you will apply to the physical space. Being knowledgeable about ART and skilled at ACT exercises are foundational requirements for being a good physical red teamer. They teach you how to detect and address the assumptions, missteps, or cognitive biases within the security space that you will be tasked with combatting. The most important thing a physical red teamer can offer is a mindset and perspective that differs from the mainstream security teams’. This is far more valuable than any specific skill. This is foundational to being an effective physical red teamer. To begin on this journey, you should:

• Read: UFMCS Red Team Handbook V9.0 (Latest & Last Version Published)

  • You don’t need to read the full thing! I recommend pages 1-82, and selecting 5-8 specific tools and techniques to familiarize yourself with. Be comfortable running a workshop where you use these techniques, and understand how they foster critical thinking, combat biases, and lead to better decisions.

  • My favorites: 1, 2, 4, Whole Group; 4 Ways of Seeing; Circle of Voices; Frame Audit; Mind Mapping; Key Assumption Check; Think, Write, Share; and of course, the all-time favorite: Pre-Mortem Analysis.

Step 3: Learn about Cyber Red Teaming

As a physical red teamer, you will frequently be collaborating with (and mistaken for) the cybersecurity red team. Learning the language and basic approach of cyber red teams is necessary to be a good partner, holistic security professional, and excellent physical red teamer. There are also a significant number of exploits that fall squarely between physical and cyber red teams. For example, which team clones badges, pulls cameras off the wall and plugs in a laptop to see if they can access the corporate network, plants and uses keyloggers to capture passwords, conducts social engineering, and scans WiFi networks for weak passwords? There is no consensus on where the line between physical and cyber exists, and at many companies the line doesn’t exist at all.

If you are starting from a non-technical background and want to learn about cybersecurity, hacking, and penetration testing, I recommend doing any two of the below items:

• Read through this site and this site and take notes on any terms, software, or acronyms you don’t know in a document. Take some time to define and learn a bit about each of those terms as you come across them.

• Learn about 28 different attack types from MITRE’s ATT&CK framework (two from each attack phase/column). Look up terms you don’t know and gain general understanding of the language used, attack methodologies, and phases of attack.

• Complete a Udemy Cyber Security Course (Options: 1, 2, 3, 4, 5)

  • LinkedIn Learning also has cybersecurity courses, and most people can access for free with a library card.

• [Advanced] Obtain your Certified Ethical Hacker (CEH) Certification

• [Advanced] Obtain your CISSP Certification

• Read Trustwaves Blogs: Trustwave, SpiderLabs

You don’t need to become a hacker or programmer for this one, just gain a general understanding of the language, approach, and community of cyber red teamers that makes up the overwhelming majority of red teaming professionals today. Cyber red teaming is a larger and more mature field and profession than physical red teaming. As you learn about it, take notes and adopt their practices, templates, and approaches that you think can apply to physical red teaming.

Now let’s get hands on! Phase 2 will focus on the skills that all physical red teamers should have.