<disclaimer> I am not sponsored by ZPS but did receive access to the beta version of the updated RTO course for free in exchange for my feedback on the material and labs. So first and foremost, a huge thank you goes out to ZPS! I paid for my own 30-day voucher for v1 of the course. So while I received the updated course material for free, like everyone else who has already completed RTO, I was comped time in the lab to beta test. Rasta specifically asked me to provide my honest feedback in this review and I will honor that request. But for the sake of transparency, please consider that I was provided access to the beta for free while reading this review. </disclaimer>
The Mouse is back in the house.
Well, to be honest, he never left.
Zero-Point Security, directed by Daniel “Rasta Mouse” Duggan, has released the 2021 update for their flagship course, Red Team Ops. This practical, lab-based course culminates in the Certified Red Team Operator exam, which pits the student against a full-fledged Active Directory environment where the prospective red teamer must prove their competency as an RTO by deploying learned tradecraft.
I completed the RTO course, front to back, twice. Twice? Twice. One time as a student earlier this year where I earned CRTO, and another time as a beta tester for the 2021 course update. The following post is a roll-up of my thoughts about the course update, how it differs from the previous version, and my honest appraisal of the value of RTO from a holistic standpoint.
If you’ve already completed RTO and you’re interested in the updated content, read on. As a former student, you will receive all of the updated course material for free and have the option to purchase more time in the lab to cover the new technical material.
If you’ve never heard of RTO and you’re interested in learning what the course is all about, read on! This course was great before, but now it is straight fire.
Time is a resource. Let’s roll the TL;DR:
- Price point: £349 for the course, then £1.25 per hour of lab time, purchased upfront. Purchasing the course gets you a free hour of lab time and an exam voucher. At the time of writing this, in good ol’ Merica bucks, that’s about $485 for the material and $1.75 per hour. Compared to what I paid for earlier this year, which was $549 for 30 days of lab access and an exam voucher, the price point is much lower than the previous version. Interesting to note: you are not obligated to buy lab time when you buy the course. But on the other hand, you cannot buy lab time without also purchasing the course. This adds flexibility for different students at different competency levels.
- Feeling froggy? Then leap! You can now opt to take the exam without purchasing the course. An exam voucher by itself is still £99 (about $138), which is the same as the previous version of the course.
- A Comprehensive Upgrade: I loved the previous version of RTO, but it had some issues with VPN connectivity, tool stability, a shared lab environment, and some other minor things. The RTO update solves all of these problems in one fell swoop. Every. Single. One.
- Bespoke Design: Where other red teaming courses fail the hardest, RTO succeeds: instructional design. ZPS have gone out of their way to write clear, concise lab instructions that get you enough info to get going and the exact steps you need to succeed in the labs and the exam.
- Topics covered: operational red teaming tactics, techniques, and procedures (TTPs). There are also sections on antivirus evasion and avoiding detection. You will not be sailing through full defensive tech stacks after doing these sections alone, but you’ll have a foundation to build deep technical understanding of custom exploit development and tradecraft.
- In the Trenches: Most of the material in the course is purely practical, incorporates labs, and has immediate real-world application. The other material is contextual information about the non-technical parts of red teaming like client engagement, report writing, etc.
- Arm Up: The previous version of the course was BYOC2. In the update, every student has a full, licensed copy of Cobalt Strike at their disposal for the duration of the course. I know of precisely zero other courses that do this. To me, that is worth the price of admission alone.
- Plenty More: Other features in the course update include a private lab environment where you control the reverts, updated course material that includes examining red team TTPs from the offensive and defensive perspective, an updated exam (coming soon!), access to the new ZPS Discord server, and much more!
- Accessible, well-designed entry-level red team training.
- Private lab environment where you control the reverts. No more worrying about someone else throwing ZeroLogon and bricking the entire domain, unless that someone is YOU. You rascal, you.
- Premium red team software is available for every student in the course.
- Affordable price point especially when considering the quality of training.
- The OPSEC notes in the sections where Rasta describes tradecraft related to the current topic are *chef’s kiss*
- A vibrant Discord community.
- Snaplabs interface is easy to use and feels about as good as a bare-metal hypervisor, though it’s not perfect in terms of responsiveness.
- Inability to introduce your own tools and exploits to the environment (coming soon?).
- The ability to log into a Splunk box and view your own activity is so freakin cool, I wish it had been incorporated even more into the course material. Nothing is stopping you from using the blue stack to view every single thing you do, but the material references it early on and kinda forgets about it later in the course.
- Using a VM lab instead of a VPN with your own Kali machine may feel weird at first.
- The removal of flags in the new environment makes sense, but some students might miss the sense of progression and challenge that comes with capturing them.
- The price is fair but can still be a lot depending on your financial situation.
Your Mission (Should You Choose To Accept It)
No course can truly prepare you for your first gig as a red teamer, but I swear the only way ZPS could have made this course more realistic is if they had a SOC in the target network swatting your shells down and blocking your C2 IPs.
RTO takes you through a full simulated red team engagement, starting at Open Source Intelligence (OSINT) gathering, through the complete compromise of the main domain, compromise of adjacent domains, and finishes with a section on reporting and wrapping up operations. The key word here is simulated red team engagement. As you move through the modules, each part of the course feels like it could be something you would come across in the wild.
Think of the course through line as a “greatest hits” of red team tradecraft, where the entire series of events may be unrealistic to see in real life, but where each link in the chain becomes a handy tactic to hold onto. The course goal is clearly to equip you with a foundational understanding of how to be an operational red teamer, so maybe someday when you are on a real life operation and you feel like something looks familiar, you’ll say…
When you enroll in RTO, you’re given access to the Canvas learning module for the course and the private lab environment hosted on Snaplabs.io. Snaplabs provides hosted lab environments that you can access through your web browser. Your purchased hours of lab time are only spent while you have the lab up and running, which is controlled from the main dashboard. Lab startup and shutdown is pretty quick.
The implication here, of course, is that you are not connecting to a VPN with your own Kali VM to enter the lab network. There are pros and cons to this approach, of course. One of the biggest pros is you no longer have to worry about VPN instability, which was a constant problem for me in the previous version. On the other hand, you can’t bring your favorite suite of tools to bear for the course. This is not a problem as the Snap lab comes pre-configured with every tool you need to use to complete the course, but it does limit your ability to test new tools and techniques in the lab.
If, for example, I had a really cool new Cobalt Strike Aggressor Script that I wanted to try out, my options were to recreate it line by line or to copy it into the lab via the clipboard (more on Cobalt in a moment). This is fine in most cases, but once or twice I did find myself wanting to try out a new exploit in the labs and was unable to due to the size and complexity of the code required to run it. You also cannot git clone or use any internet resources inside the VM lab. I am told ZPS is working on a way to allow file transfer in, which would be perfect for this occasion.
The web consoles for the VMs are quite responsive and feel great to work in. It is not quite at the level of responsiveness that a VM on your own hypervisor feels like, but the tradeoff is well worth the upside of a consistent experience, both in terms of content and connectivity.
Let’s Talk Tactics
Your first actions on objective include simulated OSINT to find users and passwords. You then try breaching the perimeter by password spraying. Then, armed with credentials and a good phishing pretext, you aim for remote code execution via phishing.
An interesting caveat here: you play the part of the phished user! This is a departure from the previous version where a script on the backend would execute your payloads when it detected your phishing email.
This is a theme in the new version: the target network feels much “closer” to you as the attacker and you will perform several actions that emulate both the attack and the defense. There’s even a section early on introducing you to log analysis and detection where you can view your own activity on the network! This is a really nice addition to a course that is heavily focused on the offense.
Following initial compromise, you are tasked with executing the full kill chain and taking down the domain. Each section sticks to the tried and true formula for a successful operation: gather information, identify threads to pull on, line up your shots well, execute, and repeat. I particularly enjoyed the sections on COM hijacking, which was a new concept to me but ended up leading me down a rabbit hole of how COM works and how it is exploited.
Other notable highlights include red teaming MSSQL, lateral movement methods including PSRemoting and WMI, credential harvesting and user impersonation, a whole section on the intricate ways in which Kerberos can be abused, and some cool sections on relaying credentials through pivoted beacons.
And one of my favorite things about the course material itself is the inclusion of OPSEC notes and modules on improving your efficacy as a red teamer. Think about this: maybe other offensive courses have shown you how to get an agent implant on a target machine, but have any of them ever shown you ways of mitigating the possibility of getting caught while doing so? Have you ever seen anything like this in a course?
^^ That is an incredible piece of tradecraft to include in a course like this. And ZPS throws these into the course at every level.
For students that have already completed the RTO course and are looking into going back for the new labs, one noticeable omission is the system of flags to mark your progression. And it makes sense when you think about it: from the first time you boot up the lab in Snaplabs, you have access to every single machine’s console. You can just open the console and you’re authenticated. So it wouldn’t make much sense to have flags dispersed throughout the environment to mark your progress when it’s possible to just nab them right off the console instead of performing the lab steps to capture them. The decision to remove the flags is an adjustment to the new lab environment, so it’s important to take it in context with the other pros and cons of the Snaplabs setup.
It’s an understandable choice given the new lab setup. For me, I didn’t mind too much given I had already completed the RTO course with flags in the labs, but some students might miss the sense of progression. I still think the upsides of the Snaplabs setup are well worth the downsides. So let’s talk about one of the biggest upsides.
I Need A Weapon
The previous version of RTO was built to accommodate students that had access to Cobalt Strike as well as those who did not. In the BYOC2 model, a student would VPN into the lab with their personally procured software and were free to use it in the environment. This meant that students without Cobalt Strike were instructed to use Covenant as their primary C2.
In the RTO update, every student has a fully licensed copy of Cobalt Strike for the duration of the course.
Let that sink in for a moment.
What this means in terms of value for the student is incredible: for the price of admission, you get to use the single most popular C2 platform, which normally costs thousands of dollars a year per license, to your heart’s content. If you have not used Cobalt Strike before, it’s a game-changer.
In the final section of the course, the material even covers some of the most powerful features of Cobalt Strike: Malleable C2, Artifact Kit, and Resource Kit. Cobalt Strike’s true power as a C2 is its flexibility, and these three features, in particular, allow the operator to change essentially every detail about their payload, network signatures, and operational footprint. As red teaming becomes more and more complicated in response to evolving defenses, shapeshifting becomes a necessary skill. So I’m glad the course included this in the final section.
The Absolute Best Part of This Course
I have an opinion on what the best part of this course is. And it might surprise you.
And I could probably write a whole blog post on this topic as it relates to the broader cybersecurity training landscape, but I’ll save that for another day.
So what’s the best part of this course, in my opinion?
This course nails instructional design.
Instructional design concepts are woven into the fabric of this course, and that is its principal strength. A subtle principal strength, but one that makes it stand out from the other offensive security courses available today. Let me explain.
Definition: Instructional design is “the creation of learning experiences and materials in a manner that results in the acquisition and application of knowledge and skills.” In my opinion, instructional design (or the lack thereof) is one of the weakest features of the current offerings of offensive training.
Think about the other offensive security training available today for a moment and answer this question: how do these courses actually “teach?”
A lot of them subscribe to the ascetic methods of “try harder” where the material is loosely coupled with the labs, the labs offer no real guidance or instruction, and the exam is usually a total surprise and leaves you confounded and stressed. Here, instructional design is lacking. And while some people prefer this method of learning, it is not necessarily for everyone, all the time. I submit that a broader application of instructional design would benefit the field for many different reasons.
(And for another point, it’s not an all or nothing game here; you can even have courses that are well designed, instructionally speaking, that include pockets of the “try harder” method and you can structure this in such a way to improve the overall ALRIGHT GOOD JOB EVERYONE, YOU GOT ME ON AN INFOSEC TRAINING TANGENT. Resuming the review now…)
You can tell when a course has done instructional design well when there is a through-line of “conveyance” between the learning material, the labs, and the exam. Each supports and builds upon the next item in the experience.
RTO understands and implements instructional design and does so phenomenally.
You don’t have to take my word for it, I’ll show you a practical example.
Outstanding instructional design is evident when the material follows a simple loop: Tell -> Show -> Do -> Apply. This model is incredibly effective. I will die on the hill of applying it to everything I’ve produced as an instructor.
As I wrote this section, I logged back into the RTO course and selected a random section in the course. I ended up going with Session Passing. Let’s analyze:
We’re immediately in Tell in blocks one and two. Block three gives us the commands we will run in the form that represents what we will be seeing when we do the activity, so we’re hitting Show by the end of the first section. And as you start following along in the labs and perform the commands in block three, you start to Do the activity, which reinforces the topic learned by allowing you to recreate it on your own. And as you do each exercise and take down notes, you’re building a series of playbooks for situations that you might encounter someday, which helps you Apply these labs to the real world.
And one of the most important parts of this loop, the pace, is fantastic in the course. The contextual information does not kill you with exposition. It gets you enough info to move into the practical portion where you can really reinforce the skills. It respects your time.
The remaining content in this section repeats this cycle with each activity that it teaches. Some sections also have a demonstration video where Rasta performs the activity in the lab and narrates the actions. But every single section that includes practical elements follows the same formula:
- You are told the broader context of the topic (“Session passing allows interoperability between different platforms…”)
- You are shown the practical steps and what it looks like when they are done correctly (“To pass sessions between Metasploit and Cobalt Strike, enter this command…”)
- You do the lab steps along with the instructions (*you perform the steps and it works!*)
- You are shown how this might apply to the exam and real life (“Hey if I ever need to use Metasploit’s capabilities during an engagement, I can do this!”)
It’s simple, it’s clean, and it works. No three-thousand slides, no unguided labs. No banging your head against the wall. And when you take the exam, there really aren’t any surprises. You have all the puzzle pieces, but now it’s up to you to put them together in ways that you might not have thought of before. It’s incredibly satisfying to complete a course when it presents as a well-designed puzzle. And, on the subject…
At the time of writing this post, I have yet to take the updated exam because it hasn’t been released yet. I could talk about the old exam (it was a lot of fun) but that doesn’t provide much value to you, the reader. Expect an update after the new exam is released!
In my experience with offensive security training offerings, when they fail in an aspect of their design, they fail hard. Some courses offer little instruction and leave the student exhausted, frustrated, and confounded. Some courses offer instruction but fail in the delivery of the material and leave the student wondering how to apply the concepts. Some courses are instructional and well designed!… but have no practical portion, and when the student finishes the 150 multiple choice test, they wonder why they wasted their time.
RTO is a rare and radiant offering in the offensive training space that is well designed instructionally, technically, and has excellent conveyance of the topics. The course follows the principles of instructional design and does so phenomenally. The course material can be used to build an arsenal of playbook items in your notes. And though no two red team target environments are ever the same, maybe someday you will be performing actions on objective and use some of the tradecraft taught in this course to effect. I know I have already.
With a seasoned practitioner at the helm, it is no wonder why this course turned out to be the way it is. ZPS does not just give you the technical how-to. They respect that you will be able to learn the science of red teaming. But by offering to teach the art of red teaming to the student, they have created something incredible.
This course was worth it when I completed it earlier this year. The update has made nothing but improvements on the course, save for a few quirks.