Filtering by Category: Red Team Mindset


According to the DoD, a Red Team is: "An independent, focused threat-based effort by an interdisciplinary, simulated adversary to expose and exploit vulnerabilities to improve IS security posture."

I want to point out one word in that definition: interdisciplinary.

A Red Team assessment is an authorized, adversary-based assessment for defensive purposes, performed by an interdisciplinary team of professionals. It may include:

  • Collecting open source intelligence (OSINT)
  • Performing reconnaissance or stakeout operations in both the physical and digital realms
  • Footprinting systems, networks, and services
  • Footprinting and profiling people, their behavior and online presence
  • Footprinting the target's service providers and external vendors
  • Developing attack vectors
  • Developing exploit payloads to gain entry and escalate privileges
  • Mounting social engineering attacks
  • Developing backdoors, manipulating audit logs, sniffing networks and generally exploiting configuration errors

At the end, the Red Team will provide an extensive report to detail the problem areas to be addressed, provide solutions to address those issues, and work together with the defenders to train them and make them more resilient.

The key, though, remains in that word: interdisciplinary.

At the end of the day, a good Red Team is there to assume the role of an expert attacker to challenge assumptions, look for unexpected alternatives and find vulnerabilities in new ideas, policies, systems, people, and the intersection of all of that.

The more varied and interdisciplinary the team, the better it will achieve its objective.

Quote of the day

"It often takes a crisis for red teaming to be considered and building an ark when it has been raining for 39 days won’t protect you against the flood. For example, the FAA created their red team in response to the bombing of Pan Am 103 over Lockerbie in 1988. For the next 10 years, this group conducted undercover simulated threats to enhance aviation security systems. Then complacency crept in. Red team warnings were ignored in the late ‘90s and early 2000s and were ultimately considered a contributing factor to 9/11. This in turn gave rise to red teaming programmes, including the CIA and NYPD, in the fight against terrorism. Failure sparks change, and sport is no different."

--Best Laid Plans of Mice and Men

Best-Laid Plans of Mice and Men | Leaders in Sport

How red teaming can transform your stumbling blocks into stepping stones.

In an exclusive feature for Performance, Potts reflects on his tenure and delves into Scottish Rugby’s use of red teaming – a common training practice in the military, intelligence, aviation and politics – to explain why it may prove a valuable tool for others in the world of elite sport.

A Change of Mindset | Advanced Capabilities Group

This approach and way of doing things was good; however, it presented a challenge. Most organizations are not ready for this kind of security assessment. Their security programs and people are not mature enough to really understand the need for Red Teaming, and they were not ready for the assessment, which often resulted in wasted effort and in the Team penetrating them using techniques they had never considered.

F3EAD: Ops/Intel Fusion “Feeds” The SOF Targeting Process | Small Wars Journal

Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD), pronounced “F-three-e-a-d” or “feed,” is a version of the targeting methodology utilized by the special operations forces (SOF) responsible for some of the most widely-publicized missions in support of overseas contingency operations. F3EAD is a system that allows SOF to anticipate and predict enemy operations, identify, locate, and target enemy forces, and to perform intelligence exploitation and analysis of captured enemy personnel and materiel. Central to the F3EAD process is the functional fusion of operations and intelligence functions throughout the SOF organization. In F3EAD, commanders establish targeting priorities, the intelligence system provides the direction to the target, and the operations system performs the decisive operations necessary to accomplish the SOF mission. This paper explains the F3EAD process, examines how it is used by SOF and general purpose forces, and provides recommendations for its further implementation and inclusion into formal doctrine.

Recommended reading.

Quote of the day

"In all affairs it’s a healthy thing now and then to hang a question mark on the things you have long taken for granted. Many people would sooner die than think. In fact, they do."

-- Bertrand Russell

Recon and site casing

Ten meters away from the main entrance, there was a big metal box with wires going into it. The door to the container had a simple lock and we figured, well, that was the way into it.
At this point we had done the day and night time recon, and we were familiar with the patterns of life and atmospherics of the place. The container, at this time of the night, was not monitored, and there were no lights near it. We could remain fairly undetected while we picked the lock.

It took JS about a minute to get the lock open. Once the door began to move, we entered the container with ease. Inside there was an arrangement of control boxes, monitors and computers that reported the status of the main UPS (uninterruptible power supply) and controlled its operation. We were now inside one of the two big UPSs for this complex, which our recon had identified as one of the most vulnerable points. We could now work quietly and hidden, and gain access to the customer's network via their remote access to the UPS.

This was possible due to the recon we performed for 10 days. Like we've mentioned many times, a good recon will likely mean the success of the project. Spend time learning your customer, understanding their environment, their industry, the key players in this industry and how they affect your customer. Understand the technology they use. And most importantly, understand their people. Their mindset and motivations.
Comb the internet for information, spend time observing and collect. Connect the dots.

After a couple of hours inside the UPS container, and given that we knew the software that was running on the servers there, we were able to gain SYSTEM access and prepare a few pieces of malware that would spread throughout the network and allow us to gain further access. We exited, closed the door and slowly walked out to the perimeter fence, passing under a security camera that was pointing in the wrong direction, and out to the parking lot. A fast walk of about 200 meters and we were at the next building, a factory that was pretty empty at this time of the night.
We sat in our car, and as the sun was beginning to come up, we watched the early risers arriving to work. We had Z and GY in the office waiting for any connection back during the day. So, our work was done. Now coffee.

The project was successful. The IT people ran the usual tests on their UPS, and when they connected to the server inside the container, a little dropper installed a piece of malware on the IT engineer's computer. From that point onward, we managed to secure multiple access points to their network.
As a final note, and after securing the "OK" from the security director at this company, we shut down one of the UPSs and displayed on all server console screens a message saying: The Red Team was here - all your data are belong to us.

So, spend time doing recon. Spend time knowing the place. In some cases, recon goes hand in hand with site casing. It can help you find observation points (OPs) and exit routes, and create two or more escape plans. Spend time observing. Collect. Learn.

Getting in

So, here's the thing. Sometimes plans are necessary. The complexity of the project really can only be tackled by sitting down and creating a good plan. It's the only way to deal with all the moving parts.

Some others... Well, red team it. You go in, like you belong. You find the one thing that gives you access. You exploit that and you gain the needed foothold.

All you need is the right tools.

Right mindset + right tools + practice = Getting in.