Red Teaming is the art of thinking like the adversary, working out what that adversary would do, and doing it before they have the chance. In doing so, red teamers help build resiliency and create an overall more secure organization.
There are a few things you should consider when you begin to engage a new project, or while deep into an assessment. These things can be applied to all domains of Red Teaming, from digital to physical to human.
Intelligence leads to pwn
Gathering intelligence is essential for understanding your target and for guiding your actions and behaviors. Learn your target, its industry, its people, and its competitors, and have a means to understand their real-time digital and physical behavior. Then make a plan.
"Developing the situation" is the most important overlooked skill
Most plans and field actions fail because of a lack of visibility or understanding of what is happening in the field. The environment was not fully analyzed, the target's third-party providers were not taken into account, the new leadership approach was not understood... In short, the information and potential problems were not analyzed and developed.
During your planning, make sure you don't ignore what the environment is giving you: do your homework, perform a situation analysis, run that extra OSINT, and get your facts right.
Data is key, collect it
Without data to inform you about your progress, success, and direction, you will not be able to tell whether you are succeeding or not. Use ACTE:
- Assess the situation
- Create a simple plan
- Take action
- Evaluate your progress
Each time you complete the loop, address your problems based on the data, re-orient, and execute again.
Detailed planning is a must
Before every project or assessment, or even training, you need to spend hours, if not days, planning and preparing for every scenario that might come up. This is key if you are to be successful. However, as we all know, Mr. Murphy is always present, and things will not go as planned. That's ok: time spent planning helps you react better and faster when unplanned situations materialize. The more you plan, the more of a SOP (Standard Operating Procedure) you build up, and the more you can fall back on what worked in similar situations in the past. Things repeat themselves.
Have a backup plan
Rule 4. You know plan A will more than likely fail, or the reality in the field will force it to be re-arranged or dropped altogether. Having a plan B is the default in any red team assessment. Always plan for this: understand the threats and risks, address them, and make a plan B. Always have a PACE (Primary, Alternate, Contingency, Emergency) plan.
Find the main vulnerability and attack it
Every system can be defeated by understanding its weak point and attacking it with full force. The same applies to people and physical targets. If you think of everything as a system that has vulnerabilities, it will get your mind in the right place. Scan your target as if you were a sniper: from far to close, then close to far; then left to right, and right to left. Create a grid and walk it, making sure you analyze and collect all the information.
The weakest areas are usually the joints: where two networks connect, where one area of responsibility ends and another begins, etc.
The most vulnerable areas, those most likely to be exploited, are where two things connect. There is no such thing as a seamless connection. Seek those areas out and attack them.
Separate the signal from the noise
Things can get too big to understand: huge networks, huge numbers of systems, unknown variables, too many people to phish, and unpredictable situations. It's easy to get overwhelmed. You need to be able to separate the signal from the noise, focus on what's relevant, and discard the rest. Identify the critical areas of your target and focus on those first. Then work down to smaller and smaller pieces, until you find the vulnerabilities to exploit.
At the end of the day, it's all about execution
You might have the perfect plan. Your team is ready and you have found the right things to exploit. If you fail on the execution, then it is all worthless. Do a dry run. Walk through your plan and its contingencies. See what breaks and what can go wrong. Get ready to execute to the best of your capabilities.