The BYU CSRL Red Team is a team of Information Technology (IT) students who provide professional penetration testing services across campus and within the local community. They have been in operation since 2011 and operate under the supervision of Dr. Dale Rowe. Red Team membership is highly competitive and sought after. The team competes in regional and national competitions and works hand in hand with the CSRL Blue Team to better secure our cyber-systems. For on-campus engagements, the team works closely with BYU's Office of IT (OIT) security team; Internal Audit Services; and the Risk Management, Safety, and Compliance department. All engagements include:
- A series of planning meetings to establish scope and requirements.
- A Security Assessment Proposal which includes scope and rules of engagement.
- Non-Disclosure and Code of Ethics agreements
- Regular client debriefings throughout the engagement
- A formal debrief and report
Red Team Progression
Team members progress through a ranking system in the Red Team. Starting as an apprentice, a Red Team member must demonstrate basic knowledge and understanding in order to progress to junior member. Unlike apprentices who can only work under direct observation, a junior member may be assigned simple tasks and work with a greater degree of independence.
Graduating to full member requires successfully compromising over 50% of our Behemoth lab machines - a set of nearly 30 virtual-machines developed internally for student learning as well as specific challenges designed to show both breadth and depth of knowledge. The Behemoth systems include over 15 different operating systems with a variety of applications and challenges ranging from simple password cracking, to complex client-side attacks and routing manipulation. Students maintain full-member status by continuing to breach additional machines or develop new challenges for the Behemoth lab.
Full members are also required to regularly mentor those at the apprentice, junior and other full member rank.
For some of our most elite penetration testers however, the rank of master involves demonstrating exceptional competence in a Red Team specialization, writing a complete research paper on a newly discovered exploit, and completion of a custom-designed lab by Dr. Rowe and Trevor O'Donnal. During this lab, the candidate is continually asked questions and interrogated to demonstrate their mastery of the topic. Only upon successful completion of these requirements is a student listed as a Red Team Master, and added to our Alumni list on this page.
Working with the Red Team
The team have received frequent praise from clients both on and off-campus. Students on the team receive valuable real-world experience to compliment their classroom studies and are highly sought after by recruiters. All students on the team are active in cyber-security research and volunteer their time to conduct penetration tests.
If you are interested in using their services, please contact us at redteam at byu.edu.
- Sarah Cunha, Whitney Winders, Dale C. Rowe and Cara Cornel. 2016. The Untrustables: How Underclassmen Evolved Our approach to Student Red-Teaming. In Proceedings of the 17th annual conference on Information technology education (SIGITE '16). ACM, New York, NY, USA, 26-30. DOI=10.1145/2978192.2978213
- Kellie E. Kercher and Dale C. Rowe. 2012. Risks, rewards and raising awareness: training a cyber workforce using student red teams. In Proceedings of the 13th annual conference on Information technology education (SIGITE '12). ACM, New York, NY, USA, 75-80. DOI=10.1145/2380552.2380573