So you want to be a hacker?
So, you've seen the movies: the guy in the black hoodie, huddled over a laptop in the back of a coffee shop typing away à la Mr. Robot, and decided that this is your one true calling. Well, grab your hoodie because you've come to the right place! Unfortunately, outside of Hollywood, there is a bit of a learning curve. So what is offensive security, what are the differences between the commonly conflated "Red Team" and "Pen Testers", and what do you need to get started on your journey? Welcome to the realm where firewalls tremble and passwords cower in fear. Let's dive in!
Offensive Security
Before you start camping out in the corners of coffee shops, let's cover the basics. Offensive security is a proactive approach to cybersecurity. It involves simulating cyber-attacks to test a target's defenses and assess any vulnerabilities in the target's systems, so they can be plugged before any "threat actors" can abuse them. It's the art of thinking like a hacker to protect systems from real threats.
These simulations are often referred to as "penetration tests" or "pen tests" for short. There are different kinds of pen tests, and the three main categories are named for how much initial access and prior knowledge you start with.
Pen Test Types:
Black Box (External) Pen Tests
Black Box engagements begin with the hacker on the outside of the network, with no previous knowledge of the target system/network. They're meant to simulate an external hacking attempt. The goal is to find vulnerabilities that will allow you to gain access to the target network, where you can begin lateral movement and privilege escalation.
Gray Box (Hybrid) Pen Tests
Gray Box engagements can start with the hacker inside or outside the network. The hacker will be given some previous knowledge of the target system/network. This can be a "compromised" user account, API keys, internal documentation, or architecture diagrams but not full system details. If the engagement starts outside the network (external), it simulates an external threat with partial access and tests perimeter defenses. If it starts inside the network (internal), it simulates an internal threat like a disgruntled employee and tests internal security.
White Box (Internal) Pen Tests
White Box engagements start with the hacker inside the network with full knowledge of the target system/network. This type of engagement can simulate an internal threat with deep knowledge of the system, like a developer or system administrator. White Box engagements (also referred to as clear box, transparent box, or glass box) are the most in-depth of the three types. Because the hacker is given more privileged access, the goal isn't privilege escalation, but rather as thorough a vulnerability assessment as possible.
As you move from black box to white box, you begin with more access and previous knowledge!
Red Teaming:
Okay, so we've covered pen-testing, but what about red teaming? You'll often hear people use "Red Team" as a catch-all for offensive security, similar to "hacker", which is where some of the confusion comes from. It's not too far off, though; the skill sets are nearly identical.
Unlike pen-testing, "red teaming" is not about finding vulnerabilities. The goal of red teaming is to test a security team's reaction to a threat.
Red Team engagements are special because they are conducted without the security defense team's knowledge. While pen-tests are done in conjunction with (or at least on the radar of) the security defense team, red team engagements are often contracted by leadership to test their own intrusion detection systems and incident response posture. They can be white, gray, or black box engagements in terms of prior knowledge and initial access.
Pen-testers who work at a cybersecurity consulting firm will likely be assigned to "red team" another company from time to time, reinforcing the overlap between pen-testing engagements and red teaming. But some companies employ their own in-house red teams to carry out ongoing tests on their security posture and keep their security defense team on their toes.
Now what?
Now that you have a little bit more of an understanding of offensive security as a whole, it's time to begin your cybersecurity journey! In cybersecurity, you're a combination of knowledge worker and skilled worker. You're going to need to build and demonstrate the hands-on technical knowledge companies are looking for, as well as an in-depth understanding of different security frameworks, best practices, and regulations. Unlike the depiction we get in media, cybersecurity is also highly collaborative, so strong soft skills are a must! If this sounds like you, or if it's who you want to be, keep reading and check out my articles on certifications and resources!