As I work towards my goal of joining a world-class firm that specializes in Red Teaming, I often reach out to Red Teamers and ask for advice. Some key pointers I've been told include:
Set the right expectations about RT work - The majority of the engagements for companies are not sophisticated. Very few customers require real RT. Even fewer companies do real RT.
This results in huge competition in the RT space - Getting hired by an overseas company has its challenges - regional security clearance, customers preferring local resources owing to the sensitivity of data involved.
You need to stand out - Technical skills are mandatory, but more important are networking & being an active contributor to the community.
Remain flexible - Develop skills that can serve many use-cases. Chosen skills should allow you to advance your RT goals but also open new doors, not fewer, as time goes on. This will help you stay in the game longer. Become incredibly technically proficient, but don’t be the guy who can only do RT.
Don't spend time & money on a Master's Degree - Unless of course, your employer pays for the SANS Degree.
Drawbacks of Traditional RT Courses
With new cybersecurity courses flooding the market, identifying the right training content for you is difficult. Every other day, I see the infosec "Twittersphere" & LinkedIn feeds filled with folks completing online training & certifications month after month. The traditional approach to certifications involves:
Study course material from videos\PDFs for 1-2 months
Practice what you've learnt in a simulated lab environment
Pass an exam to get certified
While several certifications out there have great content & provide incredible value, oftentimes they have drawbacks:
Time limitation: Not enough time on the keyboard
Lab\Exercises only require 30% additional work by students
Gives a false sense that students can do this themselves
Good certifications\training in the Red Team space are limited. You may want to consider the following:
Unikod3r's RT Training - If you're not on his Discord channel, you're missing out big time.
I remember when I first enrolled, I couldn't find any information on MRT from students on the internet. In this post, I share my thoughts on this certification and why I think it's a great option to improve skillsets around RT. In the interest of time, MCSI's website covers all the FAQs about the course.
Disclaimer: I'm not sponsored by Mossé Cybersecurity, but am a genuinely satisfied student of their MCSI - MRT course.
MRT - Certified Red Teamer
Est. Duration: 6-12 months
Approach: Mentorship-styled, real-world exercise based
When I first enrolled in the course a year ago and went through the curriculum, I was surprised to see how different MCSI's approach to learning was. There were no step-by-step video walkthroughs for the exercises, no enterprise-style lab environments and no 800-page PDFs. Being used to the walk-through style of training, I was disappointed at first.
The curriculum contained multiple real-world, challenge-based exercises covering the RT lifecycle, which required me to develop a solution and submit a POC (video\code wherever applicable). By looking at the exercises & scenario-based tasks, it was evident that the curriculum was designed by experienced Red Team practitioners. The exercises were categorized based on the adversary tactics & marked based on difficulty. An example of an "Advanced Beginner" level exercise would be to:
Write a VBS Word macro that downloads a PE from the Internet and runs it.
Evading AV is expected. Completing many of the harder exercises would require you to develop your own custom C2.
While the exercises gradually increase in difficulty, at the time, they seemed almost impossible for me to complete. I joined the course with the assumption that I would get certified within a month. Being used to the hand-held style training content, I ended up procrastinating the exercises for later.
A month later, I decided to take up the challenge and enrolled myself in MCSI's "Programming and Windows Internals" bundle which covers foundational skills required for the MRT. From not knowing how to write any Python code, I ended up completing about 90% of the Programming exercises. I could read and understand Python scripts on GitHub, and apply what I've learned to write my own tooling. While it was challenging, I learned a lot in the process.
The Course: Pros
After a year of procrastination, I decided to get back to completing the MRT certification and have stayed consistent. While the exercises may seem intimidating at first, if you break through this with a "Try-Harder" approach, you will be able to complete them. The constructive feedback for each exercise submission is very helpful & motivating to keep moving forward. Once you're on this path, the exercises don't seem as intimidating anymore. Gradually, you start improving the quality of your submissions as though it was a deliverable to a prospective employer. While a lot of time is spent on completing a single exercise, when you finally get it reviewed, it's very rewarding and becomes almost addictive. You start to understand the value of their approach.
By reviewing my progress, I was able to identify areas I needed to work on. Oftentimes I'd be required to take a step back and brush up on Windows Internals or C programming if I wanted to proceed. You see, this is the mindset MRT helps you build.
The exercises require you to go above and beyond your comfort zone. They force you to overcome challenges by doing your own research, just like in the real world. They train you to develop a problem-solving mindset - break down complex problems into smaller chunks, solve them and put them back together to develop your solution. I have taken something that I’ve learned in the course and applied it at my day job in nearly all of the sections I’ve gone through. I have learnt more than I have doing any other course\certification.
I'm happy to see the course being updated regularly. Not just the technical exercises, but there are detailed videos explaining everything from being a professional Red Teamer, designing a Red Team Op, writing reports, interviewing for RT roles and more. The standard of the content is top-notch.
Apart from these, the certification also contains two scenario-based challenges, where the student is required to perform all the tasks involved in executing a Red Team operation. This includes developing a CONOP, RFI documentation, deploying C2 infrastructure, developing mission briefs, reports and much more. It doesn't get any more real than this.
The MCSI support team is very responsive and professional. A submission typically takes less than a day to get reviewed. Each submission is reviewed by the instructors and graded either "Pass\Fail" based on the exercise requirements. The instructors provide constructive feedback on what was done well/could be improved. For example, I received the below feedback for one of the failed exercises:
Can you make the following small adjustments:
1). The recording of the source code at the start of the video is too small. Can you make it larger?
2). I couldn't see the execution of Zoom_invite.exe. Can you demonstrate that?
3). Can you hardcode a different path of where the stealer executable is stored? As an attacker, you could not guess c:\users\FIRESTONE65. Maybe you could implement some code that detects the path?
4). Your video is excellent. One thing that would make it exceptional would be transitions. i.e., a black screen that explains what is about to be demonstrated.
MCSI has a community platform where students can reach out to their peers or instructors to guide them.
Benjamin really knows his craft! He is extremely professional and is always happy to help the students progress. He has been a great mentor in guiding me.
The Course: Cons
As with any course, there are also improvement areas. I've mentioned a few drawbacks as well as references to supplement yourself in this area. At the time of writing this post:
MRT does not cover a lot of Active Directory post-exploitation TTPs. Considering how crucial this is for Red Teaming, you may supplement with "adsecurity.org" and Pentester Academy.
OSINT-related exercises are limited. TCMAcademy has a great OSINT course.
The 'Good Reads' section provided for many exercises was very generic, like a link to MITRE or Wikipedia. Instead, a reference to an informative technical blog post would be more helpful for students.
Exercises covering newer attacks such as ADCS, unhooking EDRs etc. would be great to have on the curriculum.
What's great is that the MCSI support team is quick to respond and is always open to improving the course content.
There is no single course that will teach you all you need to know.
The MRT is designed in such a way that if a student can complete its challenges, they can tackle anything else that the job throws at them. The MRT curriculum takes students up to a level after which they can:
Do their own research & develop their own tools → Create a GitHub project of interest → Create a community around it
Customize open-source tooling based on their use-case
Execute Red Team engagements with a high professional standard
Apply what they've learnt and present at conferences
Eventually, become an industry contributor
All this being said, the MCSI MRT may not be what you're looking for. For many folks out there, spending $450 on a course for exercises & personalized feedback may not be the best bang for your buck, depending on your outlook on learning. If you already have a lot of RT experience, the course may lose some value, but you will definitely be challenged to learn a lot of new skills.
In my opinion, the offering provides substantial value and I would highly recommend it. The mindset and skills the course teaches you are crucial if you plan to pursue an offensive cybersecurity career. At the time of writing this article, there isn't anyone I know who's completed the MRT certification. All the more reason to become an MRT Certified Red Teamer and demonstrate your passion and commitment to offensive cybersecurity.
To better understand what submissions look like, here's a solution for one of the exercises: