The “Team” in Red Team

This post appeared a while back in SOFREP

As the name implies a Red Team is a team. In the world I live in – information and physical security – it is comprised by a variety of experts in different areas. Each member can perform the other’s duty but each one has a specialty and he or she is responsible for it.

I can’t disclose the current team structure, but one team I was part of early on a few years ago was composed of six members: four members doing the actual work (we called them Alphas), one managing (called Six) and the overall commander (called Six Actual). We rotated through the management of the team so each of us would work as an Alpha on some projects or as a Six on others. This way we all learned to manage the team. Six usually would set the initial plan (recon, digital or physical pentests, schedules, etc) but the whole team would have the ultimate word about the plan once more information was gathered.

Our team had people that were experts in: exploits or tools coding, networking, crypto, social engineering and perimeter security. Again, we could all do everything but some of the Alphas were really good at a specific activity. For example, I am a very good programmer and have experience coding low-level system code and exploits, however I’m not very good with Python, Ruby or other fast and light languages and scripts. These are needed during an operation to write on the run attack tools, scan tools, exploits, etc.

We had this guy, whom I’ll call Z, who was an expert in this. We would have a need for a tool that had to scan a webserver or find an FTP that we could use to exfil files while on the field, he would grab his laptop and have the script ready in a matter of minutes. Z was really good at this. Then we had another guy, called Y, who could pick a lock in under 5 seconds or bypass alarm systems with pliers and a voltage sensor; he could map the blind spots of security cameras and provide the best movement plan. We also had X, a gorgeous female hacker who loved to bruteforce passwords and crack codes and protocols. She would be usually our go-to girl for figuring ways to bypass login screens, prompts or analyze the stuff that was flowing back and for on a port belonging to a service we didn’t know. Finally we had W, he was a network wiz. He could figure out the way a network was mapped, how the routers, firewalls and other network appliances were set and configured.

My speciality was in social engineering and finding and coding ways to extract the information once we were in, be it in the form of hidden channels on TCP packets or DNS requests, or by implementing backdoors or trojans that reported back to a server somewhere in the world, I was also in charge of the ever important C2 part of the backdoors, a piece of software that would allow us to control the penetrated systems remotely from a TOC. Since social engineering was my task and I have a background as a sniper I would be usually in charge or setting the infils for our team and having all the contingency plans for the exfil as well, I would spend countless hours on the field sneaking in different holes.

It was a good team. We worked well together and we had fun doing it.