The Red Team Mindset
A red team plans strategies for different attacks, collects intelligence on the target, analyzes the possibilities and then executes based on its findings. Security knowledge or experience alone is not sufficient to make someone a red teamer. Adversaries don’t play by any rules: they adapt and learn from their failures. A good red teamer therefore has to adapt too and play by the same rules as the adversary, in other words: no rules.
The Red Team Mindset is one that (1):
- Thinks what no one else is thinking
- Thinks and acts disruptively
- Thinks the unthinkable (Ridiculous Thinking)
- Provides unexpected solutions
- Does what no one else is doing
- Is the disruptive change
- Is the game changer
Red teams solve problems through an indirect and creative approach, using reasoning that is not immediately obvious and ideas that traditional step-by-step logic alone would not produce.
Using “Ridiculous Thinking”, the red teamer plays with ideas and extracts the pieces that have the potential to work when combined with each other. This, coupled with other alternative analysis techniques, provides a comprehensive set of potential adversarial attacks on a given concept. Possible attacks on the classic three fronts - digital, physical and human - exploit each front’s weaknesses separately or in combination to generate scenarios in which the adversary wins.
Red teams play with situational awareness, or the lack of it. Like an adversary, they identify the patterns that link individuals to systems, systems to networks, and networks to the full target. They often expose alternative ways to probe the breaking point of policies and plans by creating false trails: they launch a noisy attack and let the target chase it, while a second, stealthy attack is kept ready to do the real work. This disrupts the orderly way organizations plan and react to events.
Overall, understanding who the adversary is and how it might exploit weaknesses and security vulnerabilities makes any organization better prepared. Rather than merely reacting to a security event, organizations should adopt a new posture, one based on the red team mindset: be proactive, think about what an attacker can exploit, and stay two or three moves ahead of him. Prepare and establish detection and deception measures. Make the next attack harder.
Red teams help anticipate future threats. With enough visibility into what an adversary might do, its TTPs (tactics, techniques and procedures) and its motives, a much stronger overall defensive posture can be set and a better plan, with various degrees of contingency, can be prepared. When a new challenge presents itself, the whole organization is then better equipped to deal with it.
Through a red team exercise we learn where the entry points are, what the weak links are, where we can improve and where the system is lacking. We identify the problem areas, and when the next attack happens, and it will happen, we are better prepared for it. We start seeing the signs and markers earlier and have better deceptions placed in the system (whether virtual or real). We make it harder for the attackers. If an adversary spends time, money and resources only to find out that we led them down a false trail, the red team exercise was worth it.
Proactive defense and offense can help deter all but the most focused adversaries, and those that still insist on attacking will need to modify their plans because of our proactive approach. Deception informed by red teaming can misguide an attacker, causing her to unknowingly hand information to the organization and its security staff. An attacker might be forced to use tools or techniques she wasn’t planning to use and, in doing so, she might be careless, providing crucial information to the security staff. This gives a deeper understanding of the attacker’s TTPs.