Marketing Guerrilla

This is a different approach to the Red Team Mindset. Written by "Jon", a Senior Brand Strategist and Planner in the Boston area, this post presents another side of the Guerrilla Red Team.

To be clear, I’m not a Red Teamer. I’ve never been contracted to security test a facility, office, or database. But every day I go to work, I red team. It’s absolutely integral to what I do and I make my teammates read the Red Teams book. I don’t hack systems or facilities, but I hack people every day. I’m a marketing strategist by trade.

At first glance, marketing and red teaming might seem worlds away from each other, but the mindsets often mirror each other. As a marketing strategist, my job is to fully understand the brand, category, and consumer for any client that I work with. My team fully immerses itself in qualitative and quantitative research around these three verticals, with the goal of drilling down to the core strengths, weaknesses, and unique attributes of the client and the consumer and finding the overlaps between the two.

To do this we gather industry research, interview stakeholders and customers, survey consumers, and review the competitive landscape. This is our version of reconnaissance. After we’ve gathered all of this data we start analyzing, trying to see the whole picture that those verticals create, find the themes that run through them, and begin identifying voids in the market or in the way the marketing has been done. After fully analyzing the research we’ve collected, we poke holes wherever we can, getting input not only from our teammates but from other coworkers to see what holds water and what leaks like a sieve. Once we’ve found the insights that hold a truth for the brand and consumer, it’s time to develop the strategy that will drive the rest of the project. It needs to not only synthesize what we learned, but communicate it in an actionable way so that all the departments can act in unison on the strategy. This is our marketing equivalent of the mission plan. Then it’s time to execute. For us this can mean coming up with a marketing campaign, launching a product, or rebranding a company.

Throughout the entire process, the strategy team is representing the consumer of whichever company we’re working with. We put ourselves in their mindset to see how they might interpret what we create, or how they see our client. Everything we do is put through this lens. It’s seeing the business world through an adversarial mindset. When we fail to do so, we usually fail at our project. It’s a harsh reality of failing to consider a problem from the unexpected angles. You try not to learn it more than you have to, but a reminder, in the form of a failure, often sneaks in when we become complacent or overly confident.

Red Teaming to me is a mindset. It’s a willingness to think about things in a different way, in a way that might not align with your own opinion and ideas, but in the end only makes a plan stronger or proves you need a new plan. I’m a marketing red teamer.

Use a Plan and ACE it - how to evolve situational awareness

This story was submitted by a German Air Force officer with a wide range of Force Protection experience resulting from the German engagements in Asian and African missions and multinational (NATO) deployments in Afghanistan and the Balkans.

When I was deployed for the last time to AFG (ISAF) as the Force Protection Commander of Mazar-e Sharif airfield, I arrived with the question: “What has improved in the villages around the airfield in the two years since I left MeS airfield?” The two JOC battle captains tried hard to explain the so-called progress to me, but I couldn’t notice a big step. What I really missed at that moment was a clear statement of the overall situation of the Afghan villagers (in the sense of: religion, schools, who is the mayor, who is the political leader, what they live on, what kind of military and police units are responsible …) and their main problems. Additionally, I asked why in some parts of our AOR (20 clicks by 25 clicks) the threat level was so enormously high, with IED attacks, while in other parts it was not worth mentioning and we were invited to weddings.

So I made each of my patrol leaders responsible for taking care (in every sense) of one AFG village. Usually they are NCOs, they stay in AFG for four to six months, and they spend 80 % of their deployment time patrolling the fields, heading back after one year. We created a village folder and used different layers on a map for the different aspects.

What I tried to do was establish a pattern baseline around the base, with clear responsibilities, an information line structure, a patrol report memory, and a map of governmental, non-governmental, religious and military authorities etc. in our area of interest.

On the other hand, a small team of experts and I taught them how to read or detect minor changes in the environment to prevent attacks when entering the danger zone, and I ordered the battle captains to make use of a Red Team for the patrol and sweep plans. This Red Team consisted of Norwegian, Swedish and German SOF and intel soldiers and an Afghan-born German Air Force infantryman. The first patrol and sweep plans were changed on average three times until we could say: it sounds like a plan. What I learned quickly was that this plan has to have an Alternate plan, a Contingency plan and an Evacuation plan. The assessment by the Red Team and the learning process were outstanding. As time went by, we were able to establish a baseline security “feeling” and measure it using a five-step area accessibility scale (situation controllable / yet / prevalent / not prevalent / not controllable).

Some months later, two of my platoons were attacked 10 clicks from our base, in the danger zone, by a small Taliban commando about 330 yards in front of a village. After returning fire, the patrol leader decided to follow them and catch them quickly by sweeping the village. He wanted to surround the village as soon as possible with a reduced platoon and send the other one, supported by covering fire and sharpshooters, for the sweep (one of the main tasks for experienced infantry). The patrol leader got his OK from me and they started with a quick survey of the baseline.

What they found was that the ever-present shepherds and the birds weren’t there, they heard some dogs barking in the surrounding area, and some of the villagers were fleeing south. So the patrol leader decided to use a handheld UAV to have a look into the village (and at the covering fire positions on the higher hilltops). To cut a long story short: the covering fire positions were manned by enemy forces, the village was prepared for a deadly U-shaped ambush by roughly 35 bad guys with RPGs, and some of them were waiting as a reserve some 100 yards east with the typical white-and-yellow Toyota jeeps or cabs. As I was sitting in my TOC looking in surprise at the transmission of this live stream, I realized that they had learned our tactics very well. The patrol leader decided to ask for urgent CAS on the hill positions and their reserve force. Finally he marked his position with green smoke and changed his plan to the Evacuation plan. He used the time frame of the CAS attack to regroup, to cordon off the area and to reinforce with the reserve infantry unit using his Contingency plan. They caught 7 wounded and 15 suspects, which was a great day for the boys.

  • Use a plan and ACE it
  • Focus on your aim, but don’t let yourself be attracted by quick wins or red herrings
  • Use your ACE to win the game
  • Reflect on the action afterwards with the (team) leaders
  • Change your habits (tactics)
  • Look at the baseline and evolve your situational awareness

A couple of stories

This post was sent by Neal Bridges, a contributing editor at the Red Team Journal.

RTJ Red Team Law #51 (“The Obvious”): Sometimes your red team will execute what you think is an ingenious and borderline impossible attack. It must not be too impossible if they were able to pull it off.

I want to tell you a couple of stories. These stories come from real penetration tests that I have executed in the first half of 2015, but they will share a common theme. The names of the companies have been changed to protect the innocent.

In March of 2015, we began an engagement for a very large collections company. They were the second largest in the state and were in possession of over eight million unique pieces of credit card information, and twice as much personal information including social security numbers, names, addresses and phone numbers. They had hired us to come in and do an engagement in preparation for a compliance inspection. We performed open source intelligence (OSINT), we targeted their personnel, we reviewed as much of the physical area as we could from the internet, and we attempted to attack from the outside. Not surprisingly, their external was relatively secure. This, of course, meant that we had to go to their physical location.

Upon arriving at the client’s location, we noticed a very prominent back door. We would later learn that this was the back door to the break room, near the rear of the building. After examining the habits of the individuals entering and exiting the building we decided that was our way into the facility. We had taken a thumb drive and programmed it in such a way that the computer would recognize it as a human interface device (i.e. keyboard or mouse) instead of a thumb drive. We labeled it as "Pay adjustments and layoffs" and placed it in their break area. As expected, we were successful in gaining access to their networks.
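From the defender's side, the bait device described above enumerates on the host as a keyboard rather than as storage, so a plug-and-play audit trail is one place it leaves a footprint. The example below is added here and is not part of Neal's post or his team's tooling: it parses a constructed, simplified rendering of Windows Security event 6416 (Audit PNP Activity) fields and flags any keyboard-class device whose vendor/product model is not on an assumed corporate allow-list.

```python
"""Added example, not from the original post: flag newly recognised devices that
enumerate as keyboards but are not a known corporate keyboard model. The log
lines are CONSTRUCTED, a simplified rendering of Windows Security event 6416
(Audit PNP Activity) fields, not real log output."""
import re

# Constructed sample: "<event id> <timestamp> key=value key=value ..."
SAMPLE_LOG = """\
6416 2015-03-10T08:02:11 ClassName=DiskDrive DeviceId=USBSTOR\\DISK&VEN_XXXX&PROD_USB\\0001 User=CORP\\jdoe
6416 2015-03-10T09:15:03 ClassName=Keyboard DeviceId=USB\\VID_AAAA&PID_0001\\6&2F1C User=CORP\\jdoe
6416 2015-03-10T12:31:47 ClassName=Keyboard DeviceId=USB\\VID_BBBB&PID_0002\\5&1A2B User=CORP\\msmith
6416 2015-03-10T12:31:49 ClassName=HIDClass DeviceId=USB\\VID_BBBB&PID_0002\\5&1A2B User=CORP\\msmith
4624 2015-03-10T12:40:00 LogonType=2 User=CORP\\msmith
"""

# Assumed allow-list of approved keyboard models (bus, vendor id and product id).
KNOWN_KEYBOARDS = {"USB\\VID_AAAA&PID_0001"}

LINE_RE = re.compile(r"^(?P<event>\d+)\s+(?P<time>\S+)\s+(?P<fields>.*)$")

def parse_event(line):
    """Parse one constructed line into a dict, or None if it is not a 6416 record."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("event") != "6416":
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    fields["Time"] = m.group("time")
    return fields

def model_of(device_id):
    """Strip the per-device instance suffix so only bus\\VID&PID remains."""
    return "\\".join(device_id.split("\\")[:2])

def flag_unknown_keyboards(log_text, known=KNOWN_KEYBOARDS):
    """Return (time, user, model) for every keyboard-class device not on the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        evt = parse_event(line)
        if evt is None or evt.get("ClassName") != "Keyboard":
            continue
        model = model_of(evt.get("DeviceId", ""))
        if model not in known:
            alerts.append((evt["Time"], evt.get("User", "?"), model))
    return alerts

if __name__ == "__main__":
    for when, user, model in flag_unknown_keyboards(SAMPLE_LOG):
        print(f"ALERT {when}: unknown keyboard {model} plugged in by {user}")
```

In the sample, only the second keyboard (the unknown model plugged in by msmith) is flagged; the approved model and the disk drive pass silently.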

When talking to the leadership of the organization, we discussed the merits of the attack vector. When we explained to the client that this attack vector was not what we would have done, it sparked a conversation that the client would not soon forget.

Client: Well, why didn't you do the attack you wanted to do?
Us: We didn't have the funds.
Client: Ah...it was expensive?
Us: In a way. When we observed the individuals coming in and out of your break room, and combined it with what we knew about your organization, we wanted to do something a bit more...direct.
Client: How so?
Us: Well, when we researched your organization, none of your employees had a LinkedIn profile claiming to work for your organization. We interpreted that to mean no one was proud enough of working here to brag about it as a career path. When we arrived on site and started to observe your people we noticed that most of the folks were very casually dressed. On their breaks, they would check their phones or go to their cars. We profiled them as being run-of-the-mill overhead and presumed that most would be around the minimum wage market, if not much above that.
Client: Wow - so far you are about spot on. However, what does that have to do with your attack?
Us: Well, put yourself in my shoes. I am a Russian hacker. I make my living hacking and selling credit cards on the black market where I have a 1,425% return on investment. What if I profiled the single mom or dad who is trying to make a living for their family? The one who does not really hang out with the group. What if I offered that individual $1000 to plug this thumb drive into their computer? How many of your employees would turn down $1000?

The blood drained from my clients’ faces. They had never considered their employees were an attack surface in that way.

The next story involved a large healthcare organization in the Midwest. Our process was the same as the previous story. In this scenario, however, I noticed that there was a hotel less than a quarter of a mile from the client's data center. In addition to that, I could use "Street View" on Google Maps to see that it was pretty much an unobstructed line of sight to their building. With this being the case, I procured a two-foot Yagi directional antenna ahead of flying to the customer’s site.

Upon arriving at my hotel, I applied a little social engineering (I asked nicely) and was able to obtain a room on the side of the building directly facing my target. I proceeded to the client’s site, where I walked into their data center without confrontation and wandered my way around to the corner that faced my hotel. It happened to be in a massive training room, with numerous connected computers. I unplugged one of them and plugged in my wireless access point. Later that night, in my hotel room, I successfully connected to my Wi-Fi access point with my Yagi directional antenna and subsequently accessed their internal network.

The next day I spoke with the leadership of the organization. I showed them pictures of the setup and the view of their building from my hotel room. I showed them the path I took into their facility and explained that no one had challenged me. I showed them how I hid my access point. Ironically enough, they had a meeting in there sometime after I executed my attack and no one noticed my equipment. Their response, and I quote, was "W-O-W".

So with those two stories, I present to you Red Team Rule #51. Your adversary has the benefit of looking at your organizational defenses and asking itself, "How can we defeat these?" You don’t have the luxury of money, time, or personnel to look at their attacks and ask yourself, "How can we defend against these?" The red teamer will always just come up with something else.