Implementing an Offensive Security Training Program: CRTO Case Study

Security professionals are tasked with continuously training and staying up to date with the evolving threat landscape. For teams, it is vital to keep a strong pace internally and communicate new tactics, techniques, and procedures (TTPs) so that all testers can effectively assess any given environment. Our goal is to emulate attacker behavior regardless of the objective and provide clients with a realistic perspective of what a threat actor can accomplish. However, training can be challenging internally with varying timelines, prioritizing client work, and handling burnout.

At DenSecure™, we have been tackling this problem by scheduling dedicated training time monthly for all members to collaborate in a lab environment. Team members are free to pursue their own trainings as well through conferences or other offerings. Scheduling time with concrete goals and trackable metrics has been effective at ensuring consistent output of quality work.

This past year, we elected to leverage the business subscription for the Certified Red Team Operator (CRTO) course offered by Zero Point Security.

Certified Red Team Operator:

The CRTO course is an interactive lab environment that teaches operators the basics of a red team operation. The environment is modeled after realistic conditions and is updated frequently by the creator, Daniel Duggan.

The business environment enables teams to share a lab and attack the same targets. This collaboration simulates a real operation where each operator has to coordinate techniques performed, configurations changed, and new accomplishments achieved.

Connections to the lab are managed via Immersive Labs. Once logged in, you can start/stop machines and connect to an attacker machine through a web browser using Guacamole. Each month, we worked through the course materials using CobaltStrike to examine techniques from a “post-compromise” perspective. The business subscription allows managers and relevant stakeholders to track progress from each team member. We used this feature to understand our return on investment and track progression.

After completing the course, when a tester feels prepared, they can take an exam to obtain the Certified Red Team Operator certification. The exam is a 4-day event and includes a hands-on assessment to evaluate your understanding. You must capture 6 of the 8 flags within the environment by emulating attacker techniques. The exam is difficult but fair, there are no secrets, and all elements from the course can be included.

This continuous training style helped us keep all members up to date and developed their skills without leaving anyone feeling isolated. All too often the information security industry forces individuals to work hours outside of work to go through training or pass a certificate. While this approach will always exist and can work for an individual, we recommend separating time for open collaboration when possible. A team with poor communication can introduce the worst case outcome, where specific techniques or procedures are not tested as they may not be known from tester to tester. If you are a client, you should be aware of the importance performing due diligence to ensure you are receiving the quality service you are looking for. If you are interested to learn more how DenSecure stays up to date, the CRTO course, or how we implemented a training program feel free to reach out!