Here at Prelude, our mission is simple: make advanced security testing accessible to more people. We hope our flagship product, Operator, is a shining example of how to take the complexity of offensive security and, without sacrificing realism, allow untrained users to launch effective security assessments at their companies.
As we build, we often ask ourselves, "What's best for the customer?" or "Is this as simple as we can make this?"
KISS, or Keep It Simple, Stupid, is more than just an acronym at Prelude. If we had a team motto, this would be it.
As we were pondering simplicity, another question popped into our heads:
"I wonder what non-red teamers think about the industry?"
Because Hollywood movies and shows like Mr. Robot often portray "hackers" in mysterious ways, with magical skill sets, we grew curious whether that is the common perception.
So we set out to find some talented, technical college students to see what they thought. We hope you enjoy reading the transcripts; we had a blast talking with them!
Meet our interviewees
Meet Olivia, a freshman at Rochester Institute of Technology. Olivia is dual-majoring in computing security and computer science and is in her university’s honors program.
Meet Jazmin, a cybersecurity student at Rochester Institute of Technology, also minoring in psychology.
Red Team Q&A
When you hear “red team”, what do you think?
Olivia: (Laughs) I think of good criminals. It sounds kind of mean to say that but they break into companies for the good, with permission, not because they’re doing anything bad.
Jazmin: A literal red team, dressed in red. IR sec competition was my first exposure. Group of people that attack/are on the offensive side/manipulate what you have, in order to have you fix it.
What is the difference between a hacker and a red teamer?
Olivia: I thought they were the same thing! Ok, I’d say a red team probably has multiple parts and they work more as a team. Some teams may include social engineering and more advanced capabilities. A hacker is an individual, just doing the hacking on their own.
Jazmin: A hacker has malicious intent, while a red teamer has an intention of teaching you something.
What skills do you think are required to be a red teamer?
Olivia: Well… programming or knowing how to do Wireshark. Operating VMs, stuff with rubber duckies.
Jazmin: Like an overseeing eye, being able to see the cracks behind the scenes, how the networks are connected. Having perception. Being able to see and recognize what no one else can see.
What type of education or degree do you think most red teamers have?
Olivia: Probably not much. Maybe some community college. Or they may have (industry) certificates.
Jazmin: Probably something that doesn’t have to do with cyber, so by accident. They might stumble upon errors that you see. Some people unintentionally find things that have cracks and become red teamers.
Thinking about cybersecurity, what kind of protections/solutions come to mind?
Olivia: I think about two-factor authentication. I also think about (SaaS) services like “Have I Been Pwned”, which tell you if you have any compromised accounts. Password protection is also big, as are cloud services. Database management (I’m not sure what that is, but I hear about it being a thing!). General IT also falls under this, I think.
Jazmin: Vulnerabilities that are accidentally put in place. I associate cyber security with people in dark clothing/dark rooms.
Which protection is the best, why?
Olivia: That’s a tough question! I think using good passwords is the most important. Everyone who uses the internet needs passwords and people still struggle with this.
Jazmin: Definitely penetration testing. Being able to figure out what is wrong, to prevent bigger scale attacks. There will always be cracks in a system and people always get in, so what do you do about it?
What defensive solutions do you think most companies have?
Olivia: Big companies probably use DUO or some 2FA service. They also probably have some type of structure or hierarchy with where to get help when a problem comes up. For instance, they may have an IT team to ask questions when you get spam, to see if it’s bad or not. They also probably use physical security mechanisms such as IT cards and video cameras.
Smaller companies may have a security camera outside, probably no ID cards though because they’re small. [For software] maybe they use 2FA or just ask people to use password apps on their phones. Essentially, anything a person could do they may recommend, as small companies are made up of individuals. Both big and small companies probably use some type of cloud security.
Jazmin: I don’t think companies really think about their defensive solutions. I feel like a lot of them are one step behind and that’s why there is always something to fix.
Do you think it’s possible for a large company to avoid getting hacked, why?
Olivia: No. I think they can take certain measures but I don’t think they can completely avoid being hacked. If there are people involved there will always be mistakes. Also, people make computers and there’s a misconception that they cannot fail. But because of the human component, computers can lead to vulnerabilities just as easily as people.
Jazmin: Absolutely not. Everyone thinks they are one step ahead but they put too much trust into what they have. There is always a way in, always a loophole. Have people working for hours on end, and people get tired, and you make a mistake/mistype something.
Name as many cybersecurity job titles as you can.
Olivia: Here are the ones that come to mind: cyber analyst, cyber consultation, cyber risk management, IT manager, networking people, information assurance.
Jazmin: I can’t. I don’t know what classifies as a “title”.
As an individual, how do you protect yourself from being hacked?
Olivia: I subscribe to “Have I been pwned” to see if my accounts have been part of a breach. It’s not perfect but it gives me some knowledge. Also, I use 2FA authentication whenever I can, and not the one with text message verification, as I’ve heard it’s not as secure as the other ways. I have everything backed up on my computer - but I store nothing on the cloud. I generally have nothing important on my computer anyway... I try not to send sensitive information over the internet. Having HTTPS add-ons is another thing I do.
Jazmin: Never make a password too easy. Change your password consistently. If you see something fishy, pay attention. Don’t click a phishing email, don’t click on suspicious messages.
Are you planning on or have you ever thought about becoming a red teamer?
Olivia: Yes. I applied to a bunch of internship opportunities but didn’t get any red teaming related ones. I was a volunteer at the Collegiate Penetration Testing Competition, where I got a good introduction to the work and skills needed. I like the idea of being able to do things that aren’t allowed but getting the stamp of approval to do it. I like working with computers in general. I love the command line - it’s beautiful. I spend time just messing around with it. But the biggest thing I like is that special stamp of approval to do the work, which is fun.
Jazmin: I think I would really like to become a red teamer. It seems really cool. The stuff behind it should consistently be done, you need the other side of figuring out what is wrong with things/fixing them.
Thanks so much Olivia and Jazmin for your willingness to go “on the record” and let us grill you about red teaming and the current state of affairs of cybersecurity. We appreciate your insight into how you think and feel about the industry.
Good luck at school!