Sign in Subscribe

Certified Red Team Operator (CRTO) Review

Last updated on 
Certified Red Team Operator (CRTO) Review
Photo by Alexander Jawfox / Unsplash

Introduction

The CRTO or Certified Red Team Operator offered by Zero-Point Security is one of the best-known Red Team beginner-intermediate certifications with a focus on Active Directory and the use of a Command & Control framework.

This certification was updated earlier this year with changes on both the course and the exam.
I passed the exam on my second attempt and I want to give you my review of the updated certification, as I am really impressed by what it offers for the price you pay.

Content of the Course

When buying the course you will have lifetime access to the material and to course updates; Therefore, most of the material is text-based only, because, as it is explained in the course, it is easier to maintain text-based content compared to videos, especially when updating the material.

For almost every topic you see on the course, you will also have access to labs that let you put into practice what you just learned. These labs are browser-based, meaning that you don't need a VPN to connect to them or install all the tools in your computer. You just need to start the lab and a new tab on your browser will open up with everything you need.
One thing to note is that, as getting access to the labs is included in what you pay for the course, you can only have a lab running for a selected limit of time, and also a limit of lab instances that you can start within a span of 24 hours.

The course covers a lot of material ranging from Initial Access (Creating payloads for phishing attacks) to Forests & Domain Trusts and Domain Dominance.
In my opinion, after taking several offensive security certifications and courses, I found this certification unique because of the practical use of Cobalt Strike (A Command & Control framework) and how it teaches you to carry your operations with good OPSEC practices to avoid being detected.

Cobalt Strike & OPSEC
Cobalt Strike is one the most widely used Command & Control framework for Red Team Operations and Adversary Emulation. If this is the first time you are using a Command & Control framework and you have a background on pentesting, it will soon stand out for you how these frameworks make your life so much easier. Even though I found Cobalt Strike's user interface horrible (It was built with Java), after finishing the course I got in love with it:

  • Creating and configuring payloads is faster and can be done with GUI.
  • You can clone and host websites for phishing attacks.
  • Pivoting and proxying is much easier.
  • It already has many capabilities on it (Such as lateral movement), that makes it easier to execute them and to remember the command syntax.
  • Beacon Object Files (BOF) allows you to execute any binary on a target system without the need to transfer the binary to that system
  • And more.
    In the course, most of the attacks and techniques that you see are taught so that you can execute them from Cobalt Strike. What I think makes the certification even more valuable is the fact that you are getting hands-on experience with Cobalt Strike, whose one-year license starts around the $3,000 dollars.

Other thing that stands out is that throughout the course when learning about an attack or technique, there will be some 'OPSEC' sections. These sections will teach you some considerations about how that attack or technique may be detected or flagged as suspicious by the security team, and how you can execute them in a stealthier way to avoid being caught. For example, a lateral movement technique that is considered 'loudly' and how you can use other techniques to be 'stealthier'. In some labs, an Elastic instance will be running that will let you analyze the events generated by you operations.
It is important to mention that these OPSEC considerations are not the same as 'Defense Evasion'. OPSEC is about 'Good practices' that allows you to carry out your operations in a stealthier way, whereas Defense Evasion is about avoid being blocked by security solutions such as Defender or AppLocker. Defense Evasion is focused on the creation of payloads and the configurations of these payloads to execute post-exploitation tools.

You can check the course here.

Difficulty level
In my opinion, if you already have a little of pentest experience or have similar certifications, the course might be a little bit more challenging but still very digestible. I will consider the Defense Evasion modules the most challenging as I only knew the basics of AV-evasion. The Kerberos, Domain Dominance, and Forest & Domain Trust modules were easy for me as I have experience with Active Directory in general.
Also, in some sections it gets a little heavy on coding with C and C#, so if you don't have experience with these languages, I would suggest learning at least the basics of them.

Labs & Exam
As I mentioned, purchasing the course comes with access to the labs which let you put into practice what you learned. As the labs don't require you to pay more money and the certification is affordable compared to other ones in the industry, the labs comes with some restrictions: For each lab there is a limit of instances that you can launch in a span of 24 hours, each instance that you launch can only be running for a limited amount of time, if that time ends you'll have to launch the lab again. However, the connection to the labs is very stable and I didn't have any problems with them while taking the course.
I think it would be very convenient to be able to pay more to get unlimited access (Instances launches and running time) to these labs.

Before the certification was updated, the exam was a practical CTF-Style with a flag on each machine that was submitted as a proof of progress, at least 6 of the 8 flags were required to pass. Unfortunately, I cannot share information about this updated exam as that is information you get when purchasing the course and also after getting the Rules of Engagement; however, I want to say that the connection to the exam was also very stable and that having 7 days to complete the exam allowed manage my time and do the things I must do on my day-to-day (Work and exercise).
I passed the exam on my second attempt. On my first attempt I did some mistakes that rested me some points from the final score. Before taking my second attempt, I revisited the modules and labs from the specific mistakes that I made, and after understanding and practicing better those skills, I took my second attempt and passed the exam.

Pentest vs Red Team
What I'm really surprised after getting my first training in Red Team is the difference compared with pentesting. Through all the course and the exam I didn't use Kali Linux or pentesting distro, everything was done from a Windows machine with a Cobalt Strike client installed. The few times that Linux is used is to access the Cobalt Strike server and change its configuration. You don't use exploits, tools like nmap, netcat, nxc, or webshells, and you don't fire you tools like you'll never be detected. Everything has to be done in a stealthier way.

I really think that the CRTO is a top-level certification and that, the knowledge that you gain is extremely valuable for the price you pay. I'll definitely consider taking the CRTO II when the new version is released.