Certified Red Team Operator (CRTO) Review

The Certified Red Team Operator (CRTO) course is an offering from Zero Point Security which aims to teach “the basic principles, tools and techniques, that are synonymous with red teaming”, with the accompanying exam giving you a shiny new badge saying that I am good at pretending to be a real bad guy. I recently completed this course and, thankfully, passed the exam. In this post I will be going over my thoughts on the course, exam, and Zero Point Security as a security training provider. Let’s get stuck in!

The CRTO course begins by giving a brief overview of red team engagements, their purpose, and the considerations one must take when planning and executing this type of a security test. This is a good overview for anyone new to the idea of red teaming and helps newcomers distinguish a red team engagement from a traditional penetration test. We then move onto the technical (fingers on keyboard) content as the course delves into the basics of Command & Control (C2) and uses the infamous Cobalt Strike to do so.

Once the student has their basic footing of Cobalt Strike, much of the remaining course content focuses on covering the attack life cycle from an offensive point-of-view (the attack life cycle is the basic path a typical cyber attack follows).

Attack Life Cycle

This takes you through how to initially compromise a host, perform reconnaissance, escalate your privileges, and jump to other machines on the internal network. One could equate many of these activities to an internal penetration test, though the course consistently discusses operation security (opsec) concerns and potential ways your activity may be caught by defenders. This focus on remaining undetected in the logs, as well as evading common Windows security mechanisms like Defender, AppLocker, and PowerShell CLM, is what sets the course content apart from similar offerings in the offensive security training domain. I found this main part of the course a good overview of the topics covered but it left plenty of room for exploration where a student could delve deeper into these topics.

The final section of the course focuses on how to extend Cobalt Strike so you can more easily evade defenders and mimic threat actor’s tactics/techniques/procedures (TTPs). This is the bread and butter of a red team engagement — effectively emulating a real-world threat. Again, the content is not exhaustive but it does point you in directions you can take to expand your knowledge of extending Cobalt Strike.

The accompanying lab environment lets you try out all the exploits/abuses demonstrated in the course content in a “walkthrough” fashion. The machines are setup exactly as they are shown in the course and you simply copy/paste the commands the course shows. I found this useful for learning the topics but when it came to the exam (discussed in a bit) there was a a bit of a learning curve. It would have been great if Zero Point Security threw in some practice scenarios for you to explore by yourself to help cement the concepts the course was trying to teach a little better. This brings me onto some recommendations I have for getting the most out of the course content.

Getting the Most From the Course Content

The course is not exhaustive (even though it may seem like it at first). It covers a lot of areas and offers some direction of where to further your knowledge in some of the domains it covers (like extending Cobalt Strike). As such, one shouldn’t hold the course content as a holy bible to performing a red team engagement. There are plenty of other Active Directory abuses, lateral movement strategies, and MS SQL exploits you should become familiar with (in the long run). The course simply opens your eyes to areas of an enterprise environment you can target to achieve an objective and, in this, it does an awesome job. Based on this, I have some general recommendations about how a student can get the most out of the course content.

  • a) Use the course content as a a platform to delve deeper into topics covered. Find other resources on exploiting Active Directory, MS SQL servers, Forest/Domain trusts, Group Policy, etc. to expand your repertoire.
  • b) Try to accomplish the same exploits with other tools. For example, trying substituting Rubeus for the Python tool Ticketer when creating Kerberos tickets or use Metasploit (Meterpreter) instead of Beacon when you compromise a machine. This really helps you cement your learning of the exploit/abuse as you have to pay close attention to the nuances between tools.
  • c) Use a different C2 framework entirely and see if you can accomplish the same objectives. The course originally allowed you to use Covenant as well as Cobalt Strike, however to streamline the learning (and due to instability issues) Covenant was dropped. Cobalt Strike is awesome but it’s not the only C2 framework out there. You should become familiar with other popular open source ones like Havoc, Covenant, and Sliver so you can weigh the pros and cons of each. Checkout the C2 matrix to get a good list of features each C2 provides and direction on which you might be interested in.

Some of these recommendations you can do in the accompanying lab environment, however for some you will need to build out your own lab environment at home or in the cloud as the environment provided is quite constrained. Playing around in your own lab environment is where the most learning will come from. It lets you learn how to build the infrastructure, learn where security micsonfigurations may get implemented, and then exploit those misconfigurations using whatever tools you want. That said, this is diving in at the proverbial deep end. I think a student should first complete the guided lab environment a few times and really get a good grip of the course content before tying to emulate it by themselves.

The Exam

Once you feel sufficiently levelled-up enough you can book a time to tackle the CRTO exam and have a go at collecting another shiny badge (got to catch them all). The exam consists of 48 hours of lab time spread across a 4 day event where the student has to find and submit 8 flags (6 flags to pass) This means you have a Snap Labs lab with a runtime of 48 hours to capture the required flags however, unlike some exams, you don’t need to hack for 48 hours straight and you are not constantly monitored by a proctor like some Orwellian version of the movie Hackers. You can take time to go to the bathroom, eat food, and sleep as you spread the 48 hours over 4 days (a win for mental health). Without giving too much away, the exam is an assumed breach scenario where you have access to a low privileged account on the internal network and you must use your newly acquired hacking skills to jump around that network (maybe onto other networks) and compromise other machines. From here you hunt down all those precious flags until you have enough to fill your infinity gauntlet and master the universe… I mean pass the exam. Once you have a flag you simply submit it in the Snap Labs dashboard, submit enough in the 4 day event and you pass the exam. There is no reports to write, debriefs to attend, or hoops to jump through.

I found the exam challenging but not overly stressful. The course content covers everything you will need to pass the exam and having a good grasp of how/why the exploit/abuses work, along with how the tools you are using work, will put you in a very good position to pass the exam. Like I previously mentioned, it would have been great to run through some practices scenarios in the lab environment before tackling the exam to cement that understanding, but then where is the fun in being completely prepared. If anything it’s always good to test a student’s initiative in an exam and the CRTO exam definitively managed to accomplish that when some of the tools did not work as expected.

Final Thoughts

Overall the course content was great and I don’t see a better introduction to red teaming on the security training market. The course is more focused on breadth than depth but gives the student a good idea about where they can go to extend their knowledge once they master the basics. The lab environment is perfect! The setup, the web interface, and the private instances are the golden standard that all security training providers should strive to emulate. The only area of improvement would have been adding some practice scenarios to cement the student’s understanding of the course material rather than just walkthroughs. In regards to the exam, excellent. The delivery through Snap Labs… perfect. The scoring system with flags… loved it. The 48 hours spread across 4 days… my sanity thanks you. I don’t think Zero Point Security could have done a better job with their exam and I applaud them. Even the support was tremendous. There were times when I had some basic support issues and the speed at which Daniel Duggan got back to me and resolved these issues was exceptional. That’s not even mentioning the substantially cheaper price when compared to other security training providers!

A truly terrific course which I would happily recommend to anyone who wants to dig deeper into the offensive side of security.

Going forward, I will be looking at other offerings Zero Point Security has as I look to carry on down the rabbit hole of offensive security. I am particularly interested in building my own security tools and focusing more on AV/EDR evasion techniques. Till next time, stay frosty my friends and enjoy the Christmas break!

--

--

Cyber security professional who merges offensive and defensive paradigms to solve new and exciting security challenges | Penetration Tester | Threat Hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adam Goss

Cyber security professional who merges offensive and defensive paradigms to solve new and exciting security challenges | Penetration Tester | Threat Hunter