Advanced Threat Tactics – Course and Notes | Cobalt Strike Blog

Raphael Mudge, the author of Cobalt Strike, has a series of videos about Adversary Simulations and Red Team Operations. They are a good intro to digital red teaming. Here's the video for Part 1: Operations

Follow the link at the beginning of the post for the rest of the videos. They are worth watching.

A book review - the first bad review

Most of you know that we usually don't review bad stuff or gear, unless it's really bad. This is the case with "Next Generation Red Teaming" by Henry Dalziel.

If you want a serious review, jump all the way to the end.

This is a $40 book. 35 pages long.

Yes, the next generation red teaming is as thin as a challenge coin.

Still, when I got it, I was excited. I opened it and went straight to the table of contents, which wasn't much of anything.

Going into the introduction, the author walks us through all the things he wants to talk about. He wants to explain what a Red Team is, he wants to talk about how it's different from the traditional pentesting approach, how he wants to map the adversaries. He makes it a point to note that he wants to really talk about software-based analysis and software-based testing. He really makes it clear this is one of the key elements in this book. He also mentions that the last part of the book would talk about how to effectively build a Red Team.

I was now really excited.

This part of the intro really caught my attention:

Great! Now we are talking! Just the intro and I am already loving this book.

The book goes into describing what Red Teaming is, providing various examples of what red teaming is... Well, not really. After reading the page-and-a-half explanation of what Red Teaming is, all I can think of is pentesting.


Ok, then...

Chapter 2 (1.5 pages) talks about the typical engagements, which again are very similar to a pentest... However, in Chapter 3 (1.5 pages) he sets the record straight. He talks about the next gen red teaming. Yes! Finally! He talks about the electronic, social and physical aspects of the next gen red teaming... Wait a minute... This next gen sounds kind of familiar... I mean, wow! Really next gen stuff here!
I love this part, it's mind blowing!

This is truly cutting-edge, next gen red teaming! Wow. I am speechless. How come none of us thought about this before!

Oh wait... Didn't we use this already 20 years ago? I must be confused...

Anyway, the book continues with cases and examples of "composite attacks", describing how to modify a Pelican case to hide a team member inside it and then, pretending to be a FedEx guy, walk it into a building. Now, this is truly interesting. Really. I am smiling as I read this.

At this point I'm still looking for the 2 things I really wanted to read about: software-based analysis and software-based testing, and how to effectively build a Red Team.

Well, by chapter 5 he is trying to teach us how to model an adversary... But his tables are so small and the text so illegible that, as much as my 20/20 vision allowed, I had to pass on this. No way to know how to model an adversary. However, I got to chapter 6, where he writes: bringing software in...

Yes! Here it is! Half a page long....

Well, the secret here is that "software runs the world so we need to be mindful of this and that we need software to properly test software". Eureka!

Ok, moving on...

I'm still looking for how to effectively build a red team and a red team program.

At this point you should realize, putting all the jokes aside, that this book doesn't deliver. It's very disappointing. I'm very inclined to contact Syngress and ask them if this is a sample chapter, or just an intro... I mean, where is the content?

Anyway, judge for yourself. Here's a link to the book.

Here's a presentation by the contributing editor that is actually the book plus information you can use.

Here's a more legible presentation by the same person


Now a somewhat serious review.
The reason for this bad review is not that we wanted to make fun of this book. No. The book provides some value for complete newbies, in that it talks about red teaming.
We decided to write this review after reading how the book was presented: supposedly for professionals in the industry, or for CISOs that need to know everything there is about Red Teaming.

Here, from Amazon:

Red Teaming can be described as a type of wargaming. In private business, penetration testers audit and test organization security, often in a secretive setting. The entire point of the Red Team is to see how weak or otherwise the organization’s security posture is. This course is particularly suited to CISOs and CTOs that need to learn how to build a successful Red Team, as well as budding cyber security professionals who would like to learn more about the world of information security.

  • Teaches readers how to identify systemic security issues based on the analysis of vulnerability and configuration data
  • Demonstrates the key differences between Red Teaming and Penetration Testing
  • Shows how to build a Red Team and how to identify different operational threat environments.

And then from net security:

The book is aimed at cyber security pros: it does not contain explanations about attack techniques - the author assumes you know about them already.

After reading it, the book really says nothing. It teaches very few things, and things that are not so next gen. And in 35 pages, it doesn't even make a compelling argument about the differences between pentesting and Red Teaming.

With a $40 tag, it's a waste of time.

The author talks about all kinds of things in the introduction, but really goes into none of them. I'm surprised that Syngress allowed this book to be published.



I'm writing this as we finish the after action review (AAR). We began the environmental recon for a new project. Five of us spent the last 7 hours around the customer's area and buildings trying to learn as much as possible. This will be repeated several times in order to learn any patterns. The same was already done during office hours.

Fortunately, we have a visiting friend, a retired recce guy from the UK, and he brought some invaluable analysis of our plans and provided us with some great ideas. This is why it's always good to have an outsider help you red team the plans. Especially someone with experience in the field.
Originally we were going to move from one point to the next and observe. However, our friend suggested that we leave one team member in a fixed position, overlooking the entire target, and split the other four into two two-man teams that can move more fluidly around the area, reporting back to the person overlooking it all. This way, he can paint a good overall picture of the environment. It was a great idea and it worked great.

During the AAR, our friend really made us walk through all the recon, making sure the things we saw different were noted for further observation the next time we went out.

So, as always, it's great to learn new things. This was a simple suggestion, but one that made complete sense and made our recon more fluid and better.

Rule 68

“Rule 68: Add things until it starts sucking, take things away until it stops getting better.”

Taken from an interesting post by Frank Chimero.

If I had to describe my philosophy toward technology, I’d say I aim for the crux of whatever works the best with the least amount. You add things until it starts sucking, take things away until it stops getting better.

Which is close to my philosophy.

Answer from a reader

JD replied to the answer I sent him by email.

Here's his answer. I'm posting it because it makes sense.

You make some great points and they really helped to get my thinking back on track. I am really focused on your stage one or prevention and trying to identify the behaviors before they happen. I went back and re-read Left of Bang and got some great perspective after reading about human behaviors.

I am hoping to incorporate your thoughts here with the intent to “Disrupt” a shooter's actions and make them feel out of their element when they enter the environment in which they want to carry out their actions. Adding layers into the schools that a shooter did not account for during their recon could alter their plan and hopefully buy some time or ultimately save lives.

Again, thanks for your insight, it did help to bring back a better perspective on my end. I also can’t say enough about your site and content, it is truly great to read. I am a loyal Red Teams follower and even buy your shirts when you have them available. Please keep up the great work, there are people out here counting on you.


Question from a reader

JD, another security professional, asked me the following question in an email and I thought it would be good to post it here. I answered him personally already, but here it is. Maybe some of you can help him as well, and me. I'm always interested in learning.


I do a lot of work with the educational market (K-12 up to higher ed) and I am constantly asked how you prevent active shooters from happening. My response is that you really can’t unless you predict when it is going to happen, which again you really can’t do.

So I started wondering one day, is there a way to change the mindset of how we approach active shooters and can we really get ahead of the shooter. Meaning this:

Is there a way to “Red Team” a school to help them better deploy deterrent or preventive resources? Trying to make it more difficult for the shooter and in turn buy more time for people to get out of harm's way.

I’m not sure if I am explaining this in the best way as it is such a complex issue, but I am trying to figure out if there is a way to use the “Red Team” mindset to help schools be better prepared for these types of events. I focus so much on preventative measures and try to utilize some Predictive Analytics but I think I am missing something and was wondering how to incorporate some Red Team ideas in the school environment. You have such great content and I am sure your real world experience might lend some great insight.

I am sorry if it seems like I am all over the place here, my thoughts are getting in the way of my other thoughts.

I have always tried to think like an adversary but this one has me stumped! Any thoughts would be great to help get me thinking a different way.




J, I’m not an expert on active shooting scenarios or even in securing schools, but I can tell you how I would approach this. This is just a brain dump. Each school and campus is different so you have to adapt to this.

I would approach this in 2 stages, the preventive stage and the reactive stage.

The first stage, the preventive one, should focus on stopping or slowing down the shooter before he can get near innocent people. I would start with a physical reconnaissance of the location, paying attention to possible ingress and egress routes. Ask yourself: “if I were a bad guy, how would I enter the school?” What would give the bad guy the best advantage? Also ask yourself: “What’s the best route to escape?” I don’t know much about the psychology of these killers, but I’ve seen enough bad guys get that moment of doubt that would make them stop and try to escape. The idea with the route identification is that, once identified, you could potentially close them, make them harder to access or guard them. By making the good ingress and egress points inaccessible to the attacker, you are either funneling him to a single point that you can control, or causing him to rethink his plans and maybe cancel the whole thing. Move to the next target.
Begin to mark on a map, diagram or whatever, the weak points in the school. Points that can be leveraged by an attacker to enter or even engage innocent people. Doors, windows, gates on the fences, parking lots, adjacent buildings, etc. Then note if these points are already being monitored by either the school, their security or the police. If not, then maybe you can suggest active monitoring, locking them (doors that should be open ONLY in case of fire, for example) or making them otherwise inaccessible to the bad guy. Try to funnel traffic (both cars and people) into a single choke point, or at least into the minimum number, so you could potentially identify the shooter even before he reaches the premises. Ideally you would have an armed and trained security guard at the school, but this is something that I haven’t seen in the US.
The big problem here is adjacent buildings, where a shooter with a rifle can take down innocent people while concealed. That’s a whole other world. We could go into counter sniper operations, but that’s beyond this.
The idea here is to make it hard for the attacker to enter and easy for the good guys to identify a possible attacker.
Then I would move inside. Assuming the above failed, the next preventive layer is the inside of the building. Have some deception placed: bogus signs, things that would tempt the bad guy into going one direction, where you can, again, try to detect him and bring him down. Realistically, there isn’t much to be done once the attacker has gained access, except training for the school staff and having armed security guards.
Ideally, you would have at least one staff member (teacher, admin, etc.) trained in active shooter scenarios. From firearms training (stress shooting, CT shooting, etc.) and hand-to-hand combat, to emergency procedures (first aid, escape organization, communications, etc.). Last, identify secure locations for people inside the building, preferably with access to exits or windows where they could escape. Drill the staff and students on how to reach those places and what to do. Have students also take charge, teach them how to use comms, or who to call.
I think a good first step is identifying those weak points, and creating choke points for the attacker. Route him into a controlled area, away from the target.

The second stage is reactive. The shooter is already inside. This is a nightmare situation, as we’ve seen many times. Chaos reigns, akin to combat, only the people here are not trained.
Like in the previous stage, I think it would be good to have the staff trained in what to do. Have them trained with firearms, and possibly have a few firearms in the school, accessible only by those people (to prevent untrained people from hurting themselves or other innocents, or the bad guy from gaining access to them). Have them practice a procedure where, when an active shooter has been identified, they take command: they move the kids to a safe location (identified previously), they reach the firearms and try to take the shooter down, and they call law enforcement.
Drill them, practice reaching the safe locations and the weapons. Stress them.
Like I said, once the attacker is inside, there isn’t much to be done other than take him down and bring the kids and staff to safety.

I hope this gives you an idea… Again, I am not an expert. I’m just trying to apply the Red Team Mindset and think like an attacker. Then identify how I would protect myself against that threat.

The multinational and lessons learned

Some time ago, a large multinational corporation approached us. They were concerned with the security of their high level execs and their intellectual property (IP).
After several weeks of discussions, during which we set the tone of the engagement, we finally got the green light to go for it.

This project lasted 19 months and took us to 8 different countries across the globe. We learned a lot. We discovered new techniques, new tools (both digital and physical) and we also came up with a new, more efficient way of analyzing the environment and putting together a good, solid plan.
The engagement touched all aspects of security: digital, physical and social. The multinational's security management were very cooperative, open-minded and ready to help us all the way.

Since this was such a large project, with many lessons learned, we thought we'd spread the posts over the next few weeks. We'll try to create a post detailing one specific lesson learned and why it was important.

Stay tuned this week for the first post in the series.

Have a good one.


What we're reading...

Following ITS Tactical's "What We’re Reading at ITS: An Updated Glance at our Nightstands", here's what the team's currently reading. Or trying to read... Free time seems to be hard to come by...

Re-reading Team of Teams by General Stanley McChrystal

Next in line: Zero to One: Notes on Startups, or How to Build the Future by Peter Thiel

William Gibson, The Peripheral

Kevin Maurer, Gentlemen Bastards: On the Ground in Afghanistan with America's Elite Special Forces

Robert J. Bunker, Counterterrorism: Bridging Operations and Theory: A Terrorism Research Center Book

Patrick Van Horne, Left of Bang

Any good books out there?


The catering service

Last year, we were hired to do an overall security posture assessment and see if we could get a foot inside the customer's network. The idea was to test their perimeter and the training their employees had in security awareness.
The customer gave us 6 weeks to complete this and give him what we found.

After a couple of weeks and a bunch of failed attempts, we figured their perimeter security was good. We could probe and penetrate it, but we needed a bit more time than we had. So, we decided to change the approach.

Like most big companies, our customer had a cafeteria in the building that would serve breakfast and lunch to the employees. They outsourced the food and service to a 3rd party catering service, and since the supply chain is usually one of the traditional weak points, we looked there.
The catering service had set up an external website for the employees of the customer to place orders for lunch. After scanning, we found their "secure coding" was, well, non-existent, and we found multiple vulnerabilities that we could exploit, from PHP environment variables that we could set arbitrarily and use to upload our own code (reverse shells and exploits), to getting full control of their server. Which we did. After changing some of the application code, we had a good way to spread a backdoor into our customer's network. The next day, when people began placing orders for lunch, we began receiving shells from their workstations. By the end of the morning we had 39 active shells, including an administrator.

A week later we had copies of all their emails.

So... What's the moral of the story? You might be secure, but are your suppliers?
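The pattern in that story, many workstations calling out to the same new external host within minutes of loading pages from a supplier's site, is also something the customer's own proxy or firewall logs could have flagged. The following is an added example, not code from the original post or from the engagement: it runs that check over a few constructed log lines. The log format, the hostnames and addresses, the five-minute window and the three-host threshold are all assumptions made for the example.

```python
"""
Added example (not from the original post): a toy detector for the case where
many internal hosts start calling out to the same unknown destination shortly
after visiting a third-party supplier's site. Everything below (log format,
hostnames, IPs, window, threshold) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy/firewall log lines: "timestamp,src_ip,dst_host,dst_port"
SAMPLE_LOG = """\
2015-05-12T11:52:03,10.1.4.21,lunch.catering-supplier.example,443
2015-05-12T11:52:09,10.1.4.21,203.0.113.77,4444
2015-05-12T11:53:40,10.1.4.38,lunch.catering-supplier.example,443
2015-05-12T11:53:47,10.1.4.38,203.0.113.77,4444
2015-05-12T11:54:02,10.1.7.12,mail.corp.example,443
2015-05-12T11:55:15,10.1.4.90,lunch.catering-supplier.example,443
2015-05-12T11:55:21,10.1.4.90,203.0.113.77,4444
2015-05-12T11:58:00,10.1.4.15,lunch.catering-supplier.example,443
2015-05-12T12:31:00,10.1.4.15,203.0.113.77,4444
2015-05-12T12:02:11,10.1.9.5,cdn.legit-vendor.example,443
"""

SUPPLIER_SITE = "lunch.catering-supplier.example"   # assumed third-party host
# Destinations the organisation already expects to see (assumed allowlist)
KNOWN_DESTS = {"mail.corp.example", "cdn.legit-vendor.example", SUPPLIER_SITE}
WINDOW = timedelta(minutes=5)   # callback must follow the supplier visit within this
MIN_HOSTS = 3                   # distinct internal hosts before we raise an alert


def parse_log(text):
    """Parse the constructed CSV log into (timestamp, src, dst, port) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    events.sort(key=lambda e: e[0])
    return events


def find_mass_callbacks(events, supplier=SUPPLIER_SITE, known=KNOWN_DESTS,
                        window=WINDOW, min_hosts=MIN_HOSTS):
    """Return {dst: sorted(src_ips)} for every unknown destination contacted by at
    least `min_hosts` distinct sources, where each contact happened within `window`
    of that source's most recent visit to the supplier site."""
    last_supplier_visit = {}          # src_ip -> time of its latest supplier page load
    suspects = defaultdict(set)       # dst -> set of src_ips that called it right after
    for ts, src, dst, port in events:
        if dst == supplier:
            last_supplier_visit[src] = ts
            continue
        if dst in known:
            continue
        seen = last_supplier_visit.get(src)
        # Only count a callback that follows this host's supplier visit closely;
        # 10.1.4.15 calls out 33 minutes later and is deliberately not counted.
        if seen is not None and timedelta(0) <= ts - seen <= window:
            suspects[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in suspects.items()
            if len(srcs) >= min_hosts}


def main():
    alerts = find_mass_callbacks(parse_log(SAMPLE_LOG))
    for dst, hosts in alerts.items():
        print(f"ALERT: {len(hosts)} hosts called {dst} right after visiting "
              f"{SUPPLIER_SITE}: {hosts}")


if __name__ == "__main__":
    main()
```

On the constructed log this flags 203.0.113.77 with three hosts (10.1.4.21, 10.1.4.38, 10.1.4.90); the fourth host that visited the supplier site is left out because its callback falls outside the window. The threshold and window are the knobs a real deployment would tune against its own baseline, and the allowlist is what keeps ordinary traffic to known services from counting.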