Offensive Information Warfare and Red Teams

(This post was published originally in SOFREP)

It’s 0100. The moon sits high in the sky over the target’s facility. Four men dressed in BDUs and gear are sneaking in along the tree line, about 50 meters outside the building’s outer perimeter fence, pausing occasionally to scan the perimeter through night vision monoculars. They make it to the final penetration position.

One of the men keys a mic and relays their position to the TOC (Tactical Operations Center), where another team is ready for the next phase of the operation. This team is composed of highly skilled digital operators with backgrounds in computer hacking, intelligence, electronics and networking.

They’ve already spent the better part of 2 months preparing the mission’s digital package: digital intelligence gathered via OSINT and direct digital actions (DDA) – in other words, through good, solid network and computer hacking.

They’ve also performed an onsite analysis: using laptops and highly sensitive antennas, they scanned for radio frequencies emanating from the target, and they did a good, solid recon of the perimeter, observing guard patrol schedules and looking for holes that could serve as breach points.

They are now ready to execute the next DDA in support of the team on the ground. This digital op will enable the team to bypass the fence’s security and remain undetected.

Suddenly, a patrol vehicle appears near the corner of the building, its headlights sweeping directly toward the men. The operators freeze. Not a single movement. The vehicle passes, and the men remain undetected.

Minutes later, the men reach the fence’s back gate. They wait. The team at the TOC is busy with their computers. They have full access to the command and control (C2) computers deep inside the bowels of the target. The backdoor they installed not long ago provides a full range of options. One of the digital soldiers sends a pre-recorded command, and the C2 computer disables the camera and disengages the lock on the fence’s back door. The ground team moves in quietly. The gate is closed and the security features are enabled again.

At around 0200, the operators enter the target’s office, where he – a well-known terrorist – plans the next attacks on the free world. Not this time, the operators think. They place the specially crafted explosive device under the chair and leave, undetected.

The story above might seem like something out of a Hollywood movie; however, it is as close to a real operation as I am allowed to write. The digital operators are part of a special breed of people working for a very skilled red team.

What are Red Teams? They’re the special operations forces of the security industry. They are composed of highly skilled individuals hired by clients (government and private) to break into the clients’ own networks and physical security. These people find the security flaws so they can be patched before someone with malicious plans can sneak in.

The DoD defines them as an organizational element comprised of trained and educated members that provide an independent capability to fully explore alternatives in plans and operations in the context of the operational environment, and from the perspective of adversaries and others. You can read more about Red Teams in:

Red Teams can be used to support SOF units as intelligence gathering elements. They can also augment those units by providing digital and communications support and by running digital operations (DO) to make the operators on the ground more efficient.

In past operations where my team was involved, we supported those units in two different phases.

1- We provided the initial digital recon of the target, including inside information about the sentry schedule, the different access routes (those that were locked during the night hours and those open but monitored), the number of personnel inside the facility at different times of the day, hardware and software information, a complete site casing including detailed sketches based on the design blueprints extracted from a computer, and a week’s worth of daily activity logs, hour by hour.
2- We also acted as a direct action support team, providing real-time information about what the target was doing inside the premises, the location of sensitive computers, the disabling of alarms and other security features in real time, etc.

All that information was carefully analyzed and compared with the intel gathered by the unit’s own intel people and was found to be either at the same level or, in most cases, more accurate. The operators on the ground went in with a clear image of what to expect on the site and what to look for once they were inside the building.

Another type of operation Red Teams can run is the DDA. Direct digital action ops are what people today refer to as “cyber-battles.” The digital operators study the targets, prepare their weapons (a weaponized PDF, a website containing malicious code, a backdoor ready to be dropped into the target’s system by hiding it inside another program, etc.) and perform the attack. Attacks can disrupt the target’s ability to reach the Internet or communicate with their people; they can destroy their backends and frontends (software); they can spread false information and generate chaos; and they can bring the whole enemy operation to a halt.

Digital warfare, also known as cyber warfare (although I don’t like to use that term), is increasing in tempo. Governments are realizing that future battles are going to be fought in both the real and the virtual worlds.

Red teams can help, if only by pointing out the weak spots in our own defenses.