T-shirts

Alright, by popular demand, some T-shirts are back up. And there is a new one. Click on each T-shirt to go there. Available for a week.

And new shirts!

All proceeds from the new shirts will go to the MARSOC Foundation, like last year and the year before.

And mugs... So you can get your black coffee, the right way.

Quote of the day

“The goal of training for alpine climbing can be summed up in one phrase: to make yourself as indestructible as possible. The harder you are to kill, the longer you will last in the mountains.”

— Mark Twight

Apply this mindset to security. Become resilient! By training to be harder to kill you are making your organization more prepared and more resilient to real-world attacks.

(via The Angry Red Teamer)

Quote of the day

“There’s always a degree of randomness involved.”

— Alex Honnold

Phases of a red team assessment: OPORD

The 5 phases of a Red Team assessment:
1: OPORD | 2: Recon | 3: Target ID | 4: Live run | 5: Report

Phase 1: OPORD

The Operations Order (OPORD) is a "directive issued by the leader to his subordinate leaders in order to effect the coordinated execution of a specific operation." The military five-paragraph format is used to organize the briefing, to ensure completeness, and to help subordinate leaders understand and follow the order.

In our case, an OPORD describes the project, the situation the team faces, the target, and what supporting objectives the team will have to achieve in order to be successful. It sounds complicated, but it's not. Essentially, it is a set of initial meetings where the team gets exposed to the project and supporting documentation or information is distributed to each member. Each team member begins to prepare tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

The way it works best is to have at least 2 initial meetings:

  • A meeting for the presentation of the project and initial brainstorming
  • A meeting 2 days later, after each team member has had the chance to incubate ideas and form a rough plan.

Depending on the timelines set for the project, those 2 meetings (3 if possible) will bring a lot of good ideas and questions that need answers.
Generally, the format/agenda for each meeting is standard and has shown over time to lead the team and their thinking in the right direction. This, of course, is not set in stone. You have to adapt to each project, but the following format is a good start.

First meeting

Talk about:

  • Situation: what is the target, where it is located, who are the key players, who requested the project and why, and information about their security capabilities.
  • Mission: what is the project, what is the objective that needs to be achieved, who are we trying to mimic, when, where and how.
  • Execution: This is the initial "plan", what is expected by the team leader or the person that requested the engagement. It should include any rules of engagement (ROE).
  • Admin & Logistics: What tools are needed, what we currently have and what needs to be written (software/exploits/scanning) or bought (breaching gear, recon gear, etc).
  • Command and Control: who leads the project, comms, deployment of assets and standard operating procedures for everything.

Second meeting

Talk about:

  • Information already available on the target: perform a surface pass on OSINT just to have some data to begin with.
  • Ask questions that will allow for better planning and move RECON (the next phase) in the right direction. Ask: what is the history of the target, competitors (if relevant), top executives or commanders, main products or capabilities, simple atmospherics, social media and digital overall footprint (from the surface scan), initial apparent or known vulnerabilities.

This second meeting should conclude with a good idea of what needs to be done, the roles of each team member and a good estimate of the timelines. After this meeting, the team plans the recon. A third meeting, a sort of in-between-phases meeting, will then be called, where the recon will be planned and set to go.

The OPORD phase should be short and very intense. Things need to be set carefully, but relatively fast. RECON, the following phase, will take a long time, and going into it unprepared will not work. Use Phase 1, OPORD, to set the team's mindset and energy in the right direction. Allow them to ask questions; have the senior person on the team take over from the leader for a while. Also, if there is a member of the team that has more knowledge about the particular industry, mission, product or procedure, bring him/her up and listen. Leverage the team's strengths.

Small teams work best. Practice this during this phase.

In the next post, we will see what's needed to plan RECON, why it is so important, and how to perform it.

Tshirt contest

Hi, this is JS. I'll take over for a few days.

We want to make a new T-shirt and we decided to leave it up to you to design it.

The winner of the design will get a Red Teams Patch.

Designs need to be simple and work on light and dark T-shirts. Graphics and text are welcome.

You have until August 7 to submit your designs. Post on Twitter and send to redteamsblog at gmail dot com.

Execute!

Strategic Red Teaming: The Job Description

Our friends at the Red Team Journal posted a notional job description for a "Strategic Red Team Director". This provides a good list of what's needed on a Red Team, and what a Red Team should be in an organization. Yes, it's not pentesting.
Go read it.

This is an excellent opportunity for an experienced, forward-looking red teamer to build a world-class red teaming capability at a prominent global organization. The successful Strategic Red Team Director will lead the enterprise’s efforts in adopting and maintaining a system-wide view of threat-driven risks, with the goal of working with senior management to control these risks.

Situational Awareness

When you stop looking at your phone while you're walking. When you lift your head and just look around, paying attention to sounds, smells, movement. When you observe the world around you.
Things change. You notice things. You realize there are lots of little details everywhere.

You don't need training for this.

Situational awareness allows for a better plan in the end. Recon your target; research online about the weather, patterns of life, terrain, streets, landmark features, history, crime. Then, if possible, go there, spend a day getting a feel for the place, how it works. Maybe talk to people.

Observe.

Quote of the day

"Conflict can be seen as time-competitive observation-orientation-decision-action cycles. Each party to a conflict begins by observing. He observes himself, his physical surroundings and his enemy. On the basis of his observation, he orients, that is to say, he makes a mental image or “snapshot” of his situation. On the basis of this orientation, he makes a decision. He puts the decision into effect, i.e., he acts. Then, because he assumes his action has changed the situation, he observes again, and starts the process anew."

― William S Lind, Maneuver Warfare Handbook