
Right. Monday to Friday, I wake at 7:00 a.m. I clean my house downstairs. I put the laundry on, eco mode. I feed my cats. I clean the tray. I eat breakfast, mostly apples. I shower. 9:00 a.m. I power up my laptop. At this stage of life, I'd been working as a pentester for about a year. A well-known and powerful person from the security community was visiting the office I worked at. We all knew we had to impress. The powerful visitor walked through each room, meeting and greeting a select few, the stars of the firm, the rock stars. They walked past me and kept walking. He turned round and asked who I was. I was introduced in this way. Meet Neil.
He doesn't have a degree. We were training him up. This powerful man, a legend of the industry, shook my hand. That day burnt into my brain. I left school with a C in GCSE art four for newbies. This is the route uh to me becoming a pentester. So this is when I needed a walkabout mic. Um I started here putting cling film around pallets [snorts] and I did that for about a year. Um working in a factory cling filming up pallets, cutting my hands every day, Monday to Friday, putting duct tape around them to keep them protected cuz they couldn't afford to give us gloves. And uh yeah, that was the start of my career. Um, I
realized that it was dirty, cold, hard work and basically I didn't want to do it. And uh, I saw people working in offices and I thought that's clean, easy, nice work. I fancy some of that. Uh, so I managed to get a job with a temping agency or got my CV to a temping agency which was a little bit of a fabricated CV cuz I only had one GCSE in art. And um, they managed to find me work um, as a mail delivery boy delivering mail around the office. And I quite liked this role. Something worth mentioning to people. If anyone is thinking about becoming a pentester who doesn't presently have a role, I think
it's good to do other different jobs, especially if students watch this back later on YouTube. I think it's important to do other things and work with people and get to know how to communicate with people. But yeah, I did this job for a bit delivering mail around an office and I really enjoyed it. Um, and then eventually I've always got a bit restless. Uh, I went back to the recruitment firm and I said, "Can you find me something else?" and they found me another job working in an office. This time doing actual what I would call office work and I was doing reporting on an Excel spreadsheet. The company basically had to fill in uh ETAs on
their engineers and I did that Monday to Friday filling in a KPI reporting and making up as along and uh yeah that that lasted quite well. I did that for a bit and while I was doing it uh I got to meet a few of their IT people and at the side at home I was sort of taking computers apart. I was building computers. I was doing pretty much everything back in the '90s that people who hadn't had a formal education with computers but were interested would do. I was reading articles on how to fix computers and I really really wanted to get into it. So I managed to talk a local college into giving me a job as uh
an internal IT person. And I spent my life fixing printers. Uh, and I spent time handing out laptops to students. I was fixing network cables. I was walking around. It was a proper junior job. Um, but at the time I really really liked it. But as always, I got restless. And I asked people there, how did you sort of, you know, progress within their careers. The other people in the IT team cuz they were on more money than me. They were doing better than me. And they all said about Microsofts and Ciscos. So I started looking at Cisco certs and uh I did my Cisco CCNA and I took the exam all confident I was going to pass it and
I failed and that was a kick in the teeth. I went away I re-revised or revised again and sat the exam and passed it. Back then it was all about YouTube. You can watch YouTube videos um pretty much on any kind of networking sort of topic and learn it inside and out enough to pass an exam. I don't know if it's still the case today. The amount of adverts these days on YouTube and stuff is just annoying to watch. But that was it. I then became uh at the college I was doing sort of you know junior network and stuff. I'd done my CCNA and I got a job as a network engineer and after that I was a network engineer
for I think about three or four years um doing you know senior network engineers. I worked my way right the way up and I did tons and tons of Ciscos and for the first time ever I had a I guess like a formal education and I'd come from school feeling that I was broken and never going to get anywhere and for the first time ever in my life it kind of made me feel smarter and happier about myself which was a phenomenal thing. Um, so I did that for quite a long time and I got to see while I was working as a network engineer, occasionally we would get pentesters come in and I thought
that's a cushy number that's a nice job. I fancied a bit of that. So I looked into how do you become sort of you know a security engineer and I found a local uh company which was uh they're a cloud provider but they were locally based to me and they do sort of outsourced IT support for other companies around the UK mainly and uh I got a job with them and what I did was while I was working there uh just as a kind of junior sort of SOC engineer really um the manager sort of said one day we need someone to run internal vulnerability scans for us because we get third parties come in vulnerability testers
and they keep finding mediums and criticals and it's costing us a fortune. We're having to have retests. So we want someone internally to take responsibility of finding the low-hanging fruit so we can remediate it as we're building before you know the third parties come in and demand pentest of the infrastructure. So that was it. There you go. The job was simple. Uh vulnerability scan every new device before the third party got in remove the low-hanging fruit. Yeah, I jumped at it. The minute they said who wants to do that? I was like I want to do that now. I have no idea how. I just somehow sort of knew at that time having a blog was
going to help me. Um, so around about 2011, I just did that one day. I had quite a bit of time on my hands working at this company because they build infrastructure. I do the vulnerability scanning, but I'd also go on YouTube. I'd watch videos on sort of pentesting and hacking and I would see other people's blogs. And that that was what I did was it was quite simple. My blog was I'd look at other people's blogs out there. I'd look at people's YouTube videos and I would just copy it. I'd replicate it. Um, and I'd stick it in my blog. Now, the only difference was between mine and other blogs at the time was I would do the everything
walkthrough. So, I'd make it as noddy as I possibly could so everyone would understand it. And I've always had that mentality through life, trying to pass over as many skills as you learn. Basically, if you help people, they'll help you back. But it kind of got noticed by a few people, a few large people in the industry. And a few of these people are legendary. And they sort of started sending me messages and it was just wow, amazing. Uh also while working at the uh sort of cloud provider SOC uh I got to meet pentesters and these were the third party pentesters who worked for the large firms. Uh my job was simple. It was me sitting there looking upset
sitting on a cardboard box. Um I would unlock server cages and I'd watch what the pentesters did and my job was basically to make sure they didn't do anything stupid to the infrastructure. Nothing that would actually stop production or anything. So my job was to sit there for hours uh and I'd just get bored and I'd ask them things and I'd ask them all about their job and they would tell me about it. It sounded phenomenal to me um some of the things they'd tell me. And then one day I finally got to meet Mr. No Hoodie uh with dark hair, slicked back, tall, smartly intense and expensive looking suit. I also found out later drove a
brand new BMW. You know, you have the cliche of a pentester. Uh he wasn't that. He was a 100% consultant and I at that point in my life I'd never met a pentester like that. Um so I did the honest logical thing. Asked him almost immediately does he have any jobs where he's working? I think you're starting to work out there's absolutely zero loyalty in my work ethic and my boss is sitting there. I'll be in trouble. Uh he replied jokingly, do you have a blog or something? Yes. Four months later they interviewed me. Okay, the interview. So, their office was at the back of an industrial uh sort of area park and I arrived early. Their
allotted car park was awash with BMWs, Audis, and now my old banger. I wore my Next suit and tie, my funeral and wedding suit. I was determined not to mess it up. I had a swear word there, but I took it out cuz I notoriously don't swear. Anyone's ever seen my talks before? Uh once inside I was taken to a seat in a corridor opposite two office doors. I waited and waited. Pentesting firms do not move fast and that is a good tip if you're trying to apply for a job at a pentesting firm. They are not quick to respond ever. Finally I was asked to move uh and sit in the far meeting room. The interviewer
gave me a brief high-level overview. I didn't know at the time but he was a highly respected senior web application tester. He logged me into a machine with BackTrack back in the day. Today obviously we call it Kali running on it. He then asked me to open Burp. Now fast forward to where I am now. I've done tons of web application testing for years. Even as a red teamer, I use Burp on a daily sort of basis. It's a web application proxy, for those who don't know. It allows us to intercept the request between us and the web server and then we can intercept it and uh manipulate it. But back at that point, I did not have a clue what Burp
was. I'd never even heard the word. It was just a funny name to me. So I said to him, "Honestly, I don't know what that is." Anyway, he leaned over and started Burp for me. Uh, and he asked me to browse to an internal domain. Now, as is the case with all IT problems, DNS in their internal network was broken. And uh, it didn't work. So, he asked me to browse to an internal IP address. I could do that. Now, I had zero idea at that point, but I'd walked into my first ever capture the flag. Challenge one: what is wrong with the application? Now, I was honest and said, I'm sorry, I've never done any web
application testing, which at that point I hadn't. Now, I could tell already there was zero chance of getting this job. But he was kind. He was kind to me. He really was. He spent 40 minutes talking me through about five of the seven challenges. And he literally said, "This is how you do it. This is what you do. This is how you do it." Now, looking back, it was trivial stuff. Uh, and I should have known it. So my tip is for anyone who wants to be, you know, thinking about becoming a pentester, watch lots of capture the flag videos on YouTube and try them out. And there's free links. So you got Hack The Box, Try
HackMe, famous CTFs that are free. And underneath you got IppSec. He's probably the most famous um CTF on YouTube. Um you can watch his videos, he'll talk you through them, you can see the tools he uses, you can learn from him. So lots of firms have a CTF as part of their interview process. They're normally remote web application CTFs, so you might want to focus on getting good at doing those. Uh, it's also common that they'll ask you to submit a sample report of your findings from that CTF. Now, back to the story of the office in my first interview. So, technically, I failed, but there was a second stage to the interview. The second part consisted
of going upstairs and meeting the CEO. Now, you don't normally get to meet a CEO as part of the interview process. Um, but back then they were a small firm and uh, you know, he was a nice person and he liked to chat and he liked to know his team and he wanted to make sure who he was hiring or whether they were suitable for his company. Yeah, he 100% changed my life. Uh, people hire people because they have a gap to fill or as I like to think a problem. They have a problem and problems cause stress and if you can stop the stress you can quite often get hired. Now at that stage he asked if I wanted a
coffee and I replied yes please. No milk, no sugar, just as it comes. He kind of laughed at that. Years later, he told me that he'd employed me because of how I took my coffee. So [snorts] about two years later, I was ruled off coffee for medical reasons. Okay, this is a tip. Try and figure out on the fly or try and do a bit of research into a company and have a feel for what you think their problems might be and try and present yourself as the fix. Typical problems pentesting firms have are these: travel, on-site, willingness to sit exams. Internal infrastructure testing, which is absolutely vital to become a red teamer, is quite commonly in the UK on site. So,
you're going to have to travel and you have to do on-site work. Um, as testers get older and grumpier like I am, you tend to be shy of traveling as much when you've done years and years of being on the road. The other one is willingness to sit exams. As part of our industry, um, we have exams that run out every 3 years. You have to keep resitting them and resitting them and resitting them every 3 years. And they keep introducing new exams and new challenges. And testers just get stressed by them. They get fed up of doing them. They're just so challenging. When you're first starting, just agree to do it. Definitely do infrastructure testing if
you can. Go on site as much as you possibly can and agree to sit exams or agree to at least, you know, revise for them and have a shot at them. And my boss, who might be sitting there, might tell you that I'm a bit exam shy these days. I think I've passed 16 in my years. Most firms will pay a car allowance or offer a higher base salary. So a benefit to travel. You also see lots of testers driving fancy expensive cars and that's the reason why they do it. Um on site does not mean you have to drive. I know most testers will use a train if possible or a bus or a taxi. Claim it
back. Food. It's very common that you can claim for everything from breakfast, lunch to evening meal. You can see the world. I know loads of testers who travel all the way around the world. If you like flying, you can do it. They're always looking for people who are willing to do jobs in countries where they can't normally get their testers to go. Anyway, I digressed. A smart word which I learned as a pentester. Digressed. Back to the interview. Weeks passed. Weeks of nothing. No calls, no emails. As I said, firms are slow to respond. Someone earlier said to me, I was chatting with someone here, one of my friends. He's trying to get a
job at a pentesting firm and he's gone through the initial interview. He's had the CTF. He's completed that and he's waiting for them to now get back to him. I said, "What are you doing?" They ain't going to get back to you. You have to chase them up a bit. Don't be rude. Don't be pushy, but understand that you probably have an interview. There's a chance you may not ever hear back from them. You have to phone them up. Anyway, months later, I got the call. I was offered the role. So, the first day, day one, I was told I'd be working in the office Monday to Friday. I spent the first two weeks shadowing
testers and reading this book. Uh, that's a good tip. You probably will want to read that at some point in your life if you're considering becoming a pentester, especially a web application tester. Even if you just want to be an infrastructure tester, it's worth reading. And while I'm at the point of advertising books, my mate would slap me if I didn't advertise his book. Um, the link at the bottom is for a free download of it at the moment and it just gives you the basics of pentesting. It's, I think, about five, six years old, maybe even older now, but it's a very popular book. Anyway, I was super lucky. A few took me under their wing those
first two weeks and they're still great friends today. Third week in, I was given my first web application job and I was determined to kill it. I was the newbie. I wanted to make an impression. Now, on that test, I found an insecure direct object reference, IDOR. Back then, I didn't know it was called an IDOR, but I'd found an IDOR. And that resulted in loads of other findings, and I just chipped away for 4 days at this web application. And it's unprofessional for me to say, but I destroyed it. I went for absolutely everything I could find and as many criticals as I could possibly find and I tend to call it looking for blood
and still today I do that on a test. I feel like I've earned my money when I've found criticals and really really you know hard to find things. Anyway, in the interview you can be up against a lot of people. I've seen a lot of pentesting firms over the years um advertise roles and then have 30 or 40 or 50, a hundred people go for it and they will whittle it down to like 10, 20 people. So be the best at that point. Sometimes I've even seen firms do sort of like open days where they'll all come in together and they all do challenges and stuff. So at that point you do have to fight
really hard. Now once you're in the job don't doggy dance because you're going to get slapped instantly. Um, you're working with some really, really mature testers who know what they're doing. Just learn from them. Strive to be the best. I've always found this in my career. Strive to be the best, but if you aim for second or third, you don't want to be the most technical person in the room. If you're the most technical person in the room, you've got nothing to learn from, no one to learn from. And lots of my friends over the years have said, "I can't do this anymore. I've had enough." And I say to them, it's cuz you're not learning from anyone. You
need to move to another job or move to another place where you're not the smartest person anymore. You're not the big fish. You need to learn again. Start again. I've throughout my career generally every three to four years I've jumped pentesting companies and I start again from the bottom pretty much and work my way back up. So, how do you find jobs? And this is probably one of the best tips I'm going to give people who are looking for a job. A lot of people think recruiters. Now, if you don't have any experience whatsoever in pentesting, there's not a recruiter out there who'll probably find you a job. I've even heard recruiters literally hang up on people instantly
when they say, "So how much real world experience do you have?" Phone down when they say none. Um now the CREST website which later on in your career or a lot of you will know is obviously very famous for its exams but if you go to the members page of their web application you'll see 500 firms listed that are registered or a member of CREST. Uh now if you go to the filters you can break that down to UK only firms or any geographical location where you're working. Now in the UK they've got 260 firms listed of which 240 list that they are a pentesting company. That is 240 firms that you should be sending your CV to if you're
looking for a job. They are often looking for people and they like people who they can train up. So this is a little bit cheeky of me. Look on LinkedIn. Connect with people who work at the firms you want to work for. Ask them if they've got a job. Firms look for passion, willingness to travel, willingness to learn, willingness to sit exams. So exams. Now, uni degrees are not required to be a pentester or red teamer. I know loads of testers at my level who haven't got a degree. Uh, degrees are phenomenal for some things. They're not required for this job. So if you did want to become a pentester and a red teamer, you can
bypass that period of life if you felt that that was right for you. Um this is the CREST website and these are the exams that you'll come up against in your life as a pentester. Now the CPSA is an online 120 multiple choice question uh exam. Now that is the prereq for the CRT exam next to it. Now I would recommend to anyone who wants to become a pentester to not sit these exams until you work for a firm. And my reasoning for this is they're very very expensive. The only one there that I think is reasonably priced is the CPSA. All the other exams there can spiral into thousands and you'll probably fail first
time. Um you'll probably fail second time. You'll probably have a go third time. You might even take it four times. That's a lot of times to sit these exams. When you go and work for a firm, they will want you to sit them. They will pay for you to sit them. They'll expect you to sit the exam. And then when you've sat the exam and you haven't got a clue what to do, you'll then speak to other people and they'll go, "Welcome to the club." Um, and then they'll sort of say, "Have you thought about this? Have you thought about that?" And you start to get a feel for how you can sit
and pass these exams. Clearly, I didn't just say that cuz that would be in breach of an NDA. Right? There are rivals and The Cyber Scheme is a rival, a respected rival. Now, the reason why I've put the prices versus this, they're a little bit cheaper. Uh and also you have to log into the Pearson VUE site now to see the prices of the CREST exams and I couldn't be bothered. So The Cyber Scheme exams, another rival. They are again expensive. I will say again I wouldn't recommend that you try and sit this unless you're working for a firm. Now there used to be historic exams that were quite cheap but
unfortunately there doesn't seem to be any. This one is not required for any job but I like it. Um, it's the red team ops exam. It's relatively cheap. It's about £365 quid or £45 with some lab time. Um, and it won't get you a job, but what I have spotted is when you got pentesters who have been working as a pentester for three or four years, they seem to love this and they go for this and they kind of use it as evidence that they are showing signs of being ready to then become a red teamer. I'm going to get to being a red teamer later. So, what is a pentester? Um well there's absolutely no title anymore called a
pentester. Today we're called cyber security professional, security consultants or my own title which I love, executive principal security consultant. Cyber security professional jobs typically consist of these flavors. Now for a period of my life I worked for an American company and I picked up the terms netsec and appsec which is dreadful but I quite like it. Um so netsec would be infrastructure testing in the UK, physical, social engineering, that kind of thing, physical devices, that kind of area. Application testing as we call it in England or appsec in America would be web application testing, mobile applications and generally code reviews. Now code reviews is a specialty thing but over the years I suppose people have
those sort of flavors tend to source the code review people come from that area generally. Now most firms separate the skills. I think that is a tragedy. I really do. A real shame. Uh to become a red teamer, you need to be great at all of those flavors really. So I was lucky. The first firm I worked for assigned me lots of app and infra jobs. If you do go and work for a firm, ask them if you can do anything. Everything. Anyway, I spent two years living from hotels, traveling a lot, eating steak at night, fried eggs for breakfast. Seeing different offices can be fun. Right, the next slide is probably a little bit controversial. Uh
pentesting should not just be about port scanning and vulnerability scanning, Nmap and Nessus, which are the two tools you would use. So this is what I used to do when I was an on-site infrastructure pentester. I used to turn up, say hello. I didn't always say hello. I used to sometimes just walk in and plug my laptop in and kick off anyway. I'd be taken to a seat. I would always ask to be put in a busy area because what happens is clients are often very very kind. They'll take you to the coffee machine. They'll then take you to a little office, little cubicle, meeting room, and they'll say, "This is where you are for a week." That's no good to
us. We need to be on the same network as the people because it's the broadcast traffic that you manipulate, that you exploit. So, I'd say to them, you know, thank you for this. I appreciate it. Can you put me out there? Put me in the middle of it. Right in the middle of the office. Anywhere they would. I'd plug my laptop in. I'd get an IP address. I'd start Wireshark and have a listen to what's going on. Um, that's the textbook, what you should do and what I learned and what I was told. I used to get bored quite quickly. As I get older, I've noticed Wireshark is phenomenal. Actually, everyone should get really
good at it. The next thing I'm about to say here is I used to then start up a tool called Responder which listens to broadcast traffic and responds, resulting in the person's domain uh their password hash and the machine name being sent to you, which you capture and then you can reverse. We had a go at reversing the password hash. You can do all that in Wireshark. Anyway, I used to snag hashes, reverse them, hunt out where I could use them. Back in the days, use a tool called smbexec, which became known as CrackMapExec, which became known today as NetExec. I'd get local admin access. I'd dump lsass. The fact I'm
dumping lsass, Mimikatz, the memory dump, clear text creds, pass the hash to domain admin. So, I would try and get access to accounts that have access to absolutely everything. The keys to the castle, the keys to the kingdom. You win. Perfect. Once I'd done that, I'd then go and get lunch. And then I'd come back after lunch, then I'd run Nessus. [snorts] Okay, this is just me being particular. Um, and I used to be the worst for this. Don't get DA. Hunt for DA. Go for the domain admin creds. You don't get DA. You get an account that belongs to the domain admins group. Right here is a list of those tools I've just mentioned.
Um, the only exception there is Nessus because that is a professional paid for tool, but they do have a free version for you to trial. All the other tools there you can download for free and try in your own lab and you definitely should be. So, what do you do next? You keep doing it. Eat, sleep, hack, repeat. Just keep doing it over and over again. Jumping from firms. I know that's cheesy. Uh, jumping from firms, meeting new people, learning new experiences. But you get better at it. You learn more. Chat to loads of people. Once you're in a pentesting firm, definitely chat to all of the pentesters. Ask them for their skills, their tips, you know,
how they do it. Ask to sort of shadow people if you can. So, consultancy. Now, consultancy and reporting are the two most vital parts of this job. Um, you need to be confident, helpful, but very friendly. It's really important that you're very approachable. Testing can be super stressful for clients. It is. I've been at the other end of the spectrum where we've had people in testing us. I know how stressful. I know how scary it can be. I know how hard it can be. They go, "Fix this, this, and this, and this." And you think, "That's going to break everything." So, you got to stay professional, but being very approachable. Okay. Report writing. Now, this is the
bit the clients actually pay for. They need the report. The report has to be of a really, really high standard. Uh, reporting is the most important aspect of testing. I was told that on day one. I've been told that in loads of other firms. It's true. It is. That's what they're paying for. Okay. Most firms have a semi-automated solution uh and we call that boilerplates. So findings that we'll find over and over again that have an automated solution that will regurgitate a decent write up for a boilerplate. Now 15 plus odd years of writing reports. Uh I'm yet to find any automated report solution that doesn't require lots of tweaks and I have tried
them all. There are some out there that are good. Generally I end up having to rewrite most of it myself. This you will come up against when you go and work for a firm and this was a shock for me, a highly dyslexic person who can't spell for um, to come up against a department or a person or people within a company who all they do is they check the quality of your writing not just from a technical perspective but from the actual English you know perspective. Yeah, that was a new one. This isn't true for everyone but most people will think probably you think they'll be okay at report writing. They'll probably be dreadful. I was
absolutely dreadful. I was beaten up for about two years for the quality of my reports. And I learned hard. Um, the best tip I can give you is ask or try and find out who you think is the best person at writing reports in the firm. Ask to see their reports. Learn what they do and understand what they do and why it's so good and replicate it. You know, reinvent the wheel. If someone is writing something and is passing QA every time instantly, why wouldn't you just use sections of it if possible? Um, reading reports also allows you to learn other things. Um, when I've done sort of reading of people's reports and I've
done QAing later on in my life, other people, I get to see what people have done. I've learned loads of tricks from QA. I wow, I had thought of doing that. So, this is what one of my friends says to me. Um he'll regularly, I know loads of people in different companies and I [snorts] speak to them and they'll say, one of them will say to me so and so wants to join our red team and he'll say to me why would you want to be in the red team? Why in hell? So this is the day-to-day I'm about to show you is the day-to-day life as a red teamer. It's like I sometimes say to people
jokingly I'm going to crawl up into a little ball now and cry. I wish it was a joke. Sometimes it is so so stressful. Pentesting isn't that stressful. It's enjoyable. Um you get to do some cool stuff, get to do some really fun things. The physical social engineering stuff is really stressful. Breaking into buildings is scary. Um but [snorts] red teaming nine times out of 10 when it's going well, it's incredible and you absolutely love it. When it's not going well, it is horrible and stressful. You spend a large proportion of your time building infrastructure, building things, not just testing things, building it. You're always looking at manipulating services and figuring out how you can compromise someone by using
something new that's out there. You learn how to do it, the vendor fixes it and takes it off you. So you then have to start the process again and again and again. So almost everything you've learned as a pentester, you can't use as a red teamer. uh we can strain ourselves into the most complex situations afraid of triggering even a single alert. Um to give you an idea of how bad that can get, I've got a really good friend who won't open a txt file on a target uh share because he's scared because he once got stung by a web bug. You can't even execute code in a txt file, but yet he's still scared of it. So the paranoia
in red teaming is very very deep. So what is a red teamer? So this is what a red teamer in theory is: adversarial threat replication of the real world or as we like to say scenario-based testing. So it differs from a pentest where it's just find all my vulnerabilities or what can you exploit. Clients will come to us and say you know these are our threats, these are our concerns, can you prove whether they're true, and then we have to try and prove whether they're true or not and do it without triggering a single alert where possible. So a simulation of serious threat or as AI likes to say a sophisticated stealthy prolonged cyber attack by a well-funded
and highly skilled group often the nation states. That's the kind of level that we're trying to replicate. And here is the beautiful kind of triangle where we would say pentester and red teamer is top of the tier which is correct and I agree with that. But I actually like to flip it like that because while I said that we can't use any of the methods that you kind of learn as a pentester, that's not kind of true because you have to use everything. And not only that, everything from infrastructure, everything from other elements of life, talking to people in organizations, socially engineering, coercing people, all of that you have to be able to do. So what are the positives of red
teaming? Because I've sort of made it seem quite negative. Freedom, freedom, freedom to do pretty much anything on a job. Someone says this is the goal. You then go away and try and think how can I get to that goal, pretty much in any method you like as long as it's legal. Highly addictive. You get to do some incredible things that 99% of the world would never get to experience. A lot of stuff we do, everything we do, is obviously authorized and legal; if anyone else is to do it, highly illegal, and we get to do it all the time. So you get to test your skills and learn from highly experienced people and
then put them up against the most mature environments out there. I have been up against some of the most mature environments I've ever seen in my life doing this. Some of the things that, you know, I've done over the years. So I just want to give you a quick overview of just some of the things I've done personally. Now I have broken into lots of buildings as part of physical social engineering. I've done it loads of times. I've run across roofs in the centre of London looking down at people shopping. I've spoken to some of the smartest people in the industry. And when I mean that, I mean like literally people that you'll see in the media and
these, you know, the people who run these largest organizations. I've got to chat to them. I've tested almost everything and targeted pretty much every kind of organization you could think of. So I wanted to give you a quick demonstration, before I run out of time, of today, what it's like, versus what it was sort of five or six years ago. Today it's more about these kinds of approaches. You'd look on LinkedIn to start with, or any kind of social media site, and you try and find the target organization, or we try and find someone who works for it. Now, we tend to find what we would deem as someone who's quite new to a business, because
fewer people will know them. We'll then try and hunt out the target's internal service desk phone number, the help desk phone number, and the internet, I have become more and more convinced, is just a gigantic share that I love searching for stuff in. Pretty much everything is out there. Now, if you can't find the help desk phone number, literally phone up the reception. Find the reception number on their main page and ask them for the help desk phone number. That one surprises me. They will often just give you the help desk phone number, which is an internal phone number that only internal employees should know, but they often will. Then phone up the service desk and tell
them you're the person you've just looked up on social media, and tell them that your password's not working and can they check it? At which point, they'll often reply to you, "It's not locked out." After a few minutes of checking, "It's not locked out." Just ask them to change it. Tell them, you know, it's one of them days, or you've been away for a few days, or, "To be honest, I'm just having a bad day, I can't remember it, and now I'm going to lock it out." Nine times out of 10 they will change that password for you. Now as a red team we would then have those credentials and we'd see where we can use them.
So I'm about to wrap up now, but before I do I want to talk about being banned. So you kind of know when you're getting close to the level that we operate at when every website you go to gives you a banned picture. And the reason why they do this is because we live our lives on VPNs. We're always bouncing IP addresses. We're changing geographical locations. We're using it to bypass conditional access policies. We're using it just to blend in. We're using it just to hide. And we're forever using it. And it gets to the point where I just use a VPN pretty much all the time. I'm so used to doing it. So, we can't use
applications. And before I finish, I sort of want to give you a bit of what I think is an amusing story of why I personally can't use Google. So, we've all come across CAPTCHAs, but has anyone here ever tried to complete a CAPTCHA while connected to a VPN? Yeah, it's painful, isn't it? So, a typical CAPTCHA would be a couple of these attempts, hopefully, and then you would complete it. This is a simulation of me testing, just to show you how painful it is using a VPN and using a legitimate service. So, we do a few more, and then we do a few more, and then we have to fill in a few more.
Now, at this point, most people would be pulling their hair out with it. We finally get to this at the end where we have a chance. Anyone who uses a VPN understands that final thing where you've got a chance of actually finally getting it. You get it wrong and you get another one. So, I worked out the average bill rate for a red team is about £1,500 a day. Now I worked out that that took me six minutes to complete that CAPTCHA using a VPN. If you divide by the number of hours in a working day, work out the cost per minute, and then times that by six, it cost £18.75. So to use
Google to do a simple single search as a seasoned, mature red teamer would have cost a client £18.75. That's why I don't use the Google search engine. So my name's Neil Lines. I work for NCC Group, part of FSAS. Ask me on LinkedIn, and that's my GitHub page. Thank you very much. Are there any questions? [applause]
Thank you very much. And we've got time for a couple of quick questions. Has anyone got any questions over the back here?
Hi, just a quick one. Would you be able to go back to the slide with the book link? >> I've literally just taken the battery out of my clicker. Which page? Sorry. >> It was the one where your mate had written a book and you put up a link to get a free copy of it. >> Yeah. [clears throat] >> Thank you.
Yeah. 209 slides if anyone's interested to know. >> Bloody hell, it's a long way back. >> That one. While I'm there, also read that.
Any more questions? Oh, one over there. Okay, whilst I'm walking there, just a reminder that the closing talk and prize giving is at half five in the trap.
Hey, Neil. Uh, sorry. Thank you for the talk. There's two things with red teaming, emulation and simulation. Which one's your favourite? >> Sorry. Where was that question from? >> Sorry. Sorry. I saw you leaving. Thanks for coming back. Uh, there's two things in red teaming, to my knowledge. Simulation and emulation. Which one is your favourite? >> That's a hard question for me to have at 5:00. Um, [snorts] that's a whole one, because we emulate adversaries, but we also simulate adversaries. These emulations give you the answer. Any other questions? Thanks all.