

According to DoD, a Red Team is: "An independent, focused threat-based effort by an interdisciplinary, simulated adversary to expose and exploit vulnerabilities to improve IS security posture."

I want to point out the word interdisciplinary.

A Red Team assessment is an authorized, adversary-based assessment for defensive purposes, performed by an interdisciplinary team of professionals. It may include:

  • Collecting open source intelligence (OSINT)
  • Performing reconnaissance or stakeout operations in both the physical and digital realms
  • Footprinting systems, networks, and services
  • Footprinting and profiling people, their behavior and online presence
  • Footprinting the target's service providers and external vendors
  • Developing attack vectors
  • Developing exploit payloads to gain entry and escalate privileges
  • Mounting social engineering attacks
  • Developing backdoors, manipulating audit logs, sniffing networks and generally exploiting configuration errors

At the end, the Red Team will provide an extensive report to detail the problem areas to be addressed, provide solutions to address those issues, and work together with the defenders to train them and make them more resilient.

The key, though, remains in that word: interdisciplinary.

At the end of the day, a good Red Team is there to assume the role of an expert attacker to challenge assumptions, look for unexpected alternatives and find vulnerabilities in new ideas, policies, systems, people, and the intersection of all of that.

The more varied and interdisciplinary the team, the better it will achieve its objective.

Why Do We Red Team?

Security is hard. The security world is full of things that are hard to control. Attacks can occur at any time and place, most of the time in places not of our choosing, and at the worst possible time. These attacks usually involve adversaries of unknown size and capabilities, making it harder to have a fixed and solid plan to deal with them. These adversaries, during an active attack, can and will pivot from their initial point of entry or discovery, usually having more than one point of persistence.

Security is hard.

Though there are things that fall under our control, such as the ability to have multiple teams monitoring and (hopefully) engaging these attackers, the reality is that unless you have been put through the wringer of an active incident, or a breach, you don't know what will work and what will fall flat on its ass.

Yes, the adversary usually has the upper hand.

How, then, do we solve this problem? We Red Team it. We inject stress, we do the unexpected, we bring the adversary to you.

Red Teaming is the simulation and emulation of your adversaries, both in their tactics and way of thinking.

By performing Red Teaming exercises, you can begin to stress test your program, your procedures, your standards. From policies to the security teams, a good Red Team can bring stress inoculation to your organization. But this is not all. Red Teaming engagements will certainly help, but you need to go deeper and change your mindset and culture. Change how you see and approach security, and how you respond to problems. You have to begin to think like the adversary you are trying to defend against. They don't play by any rules and they don't follow your procedures.

Only when you can apply the adversarial mindset to everything will you be able to go beyond the known and into the realm of the "what if". By applying the bad-guy mindset to policies, plans, the team's SOP (standard operating procedures), and the education of your people, you can build resiliency, be proactive (and not only reactive), and put in place plans that can adapt to different situations and attackers. You can be both proactive and reactive, giving yourself the best chance to win.

We can help. Start with your organization's top leaders, let us have a two-hour conversation with you, and let us set you on the path towards a more robust way of doing security.

Let's start with that conversation, to make you and your company safer.

note: originally posted on ACG.

Question from a Reader: Building a Red Team


How would you build a red team? What positions would you create?

Dan and I talked about this on Episode 3 of the Red Team Podcast, but maybe this question warrants going a little deeper.

The Red Team

Usually a good Red Team, as we think of it, is composed of two very distinct sub-teams: the Operational Team and the Support Team.

The Operational Team is usually forward deployed, whether performing physical reconnaissance or open source intelligence, actively trying to get into things, or on the phone working the social engineering angle. They are the people that learn the target, research the possible adversaries, help identify the vulnerabilities and define the plan of action.
The Support Team, on the other hand, usually stays back, whether at the office waiting for shells to come back, monitoring radio, providing access and intelligence to the Operational Team, or coordinating with the customer if needed.

One thing to note is that the Team Leader moves between the two sub-teams; however, most often - in our case at least - he or she is on the Operational Team.

The Operational Team

As we mentioned, the Operational Team is in charge of recon, identifying the weaknesses, and executing the plan. Members of this sub-team take different roles, based on their strengths. Though the team composition might vary with each engagement, it is a good idea to cross-train each person with another, thus having redundancy.

Usually the Operational Team members include:

  • Physical security expert
  • Digital security expert
  • Surveillance and recon expert
  • OSINT expert
  • Security generalist (someone that can fit in any of the above positions)
  • Team Leader

The Support Team

This sub-team takes care of all the needs of the team while things are happening. They provide an extra set of eyes when needed, they perform the initial recon once a foothold on the network is gained, they execute further exploits and gain persistence on other systems, they identify more targets and, generally speaking, they are in charge of connecting the dots and of the Find, Fix and Analyze steps of F3EAD.

Usually the members are:

  • Digital security expert
  • Exploitation and code writing expert
  • System and networks expert
  • Physical security countermeasure expert
  • Main planner

Again, in both cases individual team members have to cross-train in multiple areas of responsibility, covering for each other, and often rotating between those two sub-teams.

What's in an Engagement and Report?


Sure, you write the report, you list the findings and their solutions, you wrap it up with a good executive summary, pictures of the engagement and a closing statement. But, is that it? Is your job done?


There are a few things you still need to communicate. This is the key to a good Red Teaming engagement. No, it's not "I breached everything, bypassed all and got your data". It's not "your security sucks and we are so cool, look how we pwn you!".


The 5th phase of a Red Team engagement is the report. But there are a few more things you need to do. These are the key pieces that will not only bring your customer, or your team, to the next level, but also keep them engaged and thinking the way you want them to, effectively making them think like the adversary going forward.

There are, in my opinion, two things needed during and after the report:

  • A clear explanation of why they need to implement the security solutions you are recommending
  • A clear view of what their industry, and more importantly, their competitors and peers are doing to be more secure

Simple, right?

You would be surprised how often red teamers forget these.
Let's look at those two points.


The more your customer, or the people you are red teaming, understand why you are suggesting they do something, what you are solving, and how this directly correlates to real-world attackers, the more they will work with you and buy your strategy and solutions. It is important they understand how attackers work, how they change, and that they need to change with them. Explain how you, the red teamer, need to adapt as well in order to effectively mimic and emulate the attackers that would come after this organization. Explain very simply, and without technical buzzwords, the gaps found in the assessments. Explain why we, the red teamers, do what we do.

It's a simple step, yet it is so hard to do. The benefits of this are enormous.


What are the competitors and peers doing with their security? Why? What are the standards out there today that they are not meeting? What security controls, and possibly what strategy, did the competition see fit to put in place, to solve which problem and which attacker?
This is very important. Explain this very clearly. Explain what you did to understand the industry, gaining several points for really speaking their language. Explain the process an attacker would use to do the same: to understand the vulnerabilities and gaps in organizations within this industry, and how they would leap from there to the targeted reconnaissance of your customer. The more they understand the security needs of their industry, the more they will understand the need for Red Teaming. This is key to working the right way with an external Red Team.

Give them all the transparency you can. Work with them, make them understand the what.


The more you do this, the more you will begin to see a change in mindset in people that tend to be overly defensive when you break into their stuff. The moment they begin to understand what you do, how you do it and why, the more they will be inclined to work with you in the future.

I speak from experience.

When in doubt, red team it.

F3EAD: Ops/Intel Fusion “Feeds” The SOF Targeting Process | Small Wars Journal

Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD), pronounced “F-three-e-a-d” or “feed,” is a version of the targeting methodology utilized by the special operations forces (SOF) responsible for some of the most widely-publicized missions in support of overseas contingency operations. F3EAD is a system that allows SOF to anticipate and predict enemy operations, identify, locate, and target enemy forces, and to perform intelligence exploitation and analysis of captured enemy personnel and materiel. Central to the F3EAD process is the functional fusion of operations and intelligence functions throughout the SOF organization. In F3EAD, commanders establish targeting priorities, the intelligence system provides the direction to the target, and the operations system performs the decisive operations necessary to accomplish the SOF mission. This paper explains the F3EAD process, examines how it is used by SOF and general purpose forces, and provides recommendations for its further implementation and inclusion into formal doctrine.

Recommended reading.

Key Things to Have in Mind while Red Teaming

Red Teaming is the art of thinking like the adversary, finding what that adversary will do, and doing it before they have a chance. In doing so, red teamers help build resiliency and create an overall more secure organization.

There are a few things you should consider when you begin to engage a new project, or while deep into an assessment. These things can be applied to all domains of Red Teaming, from digital to physical to human.

Intelligence leads to pwn

Gathering intelligence is essential for understanding your target and for guiding actions and behaviors. Learn your target, its industry, its people, and its competitors, and have a means to understand their real-time digital/physical behavior. Then make a plan.

"Developing the situation" is the most important overlooked skill

Most plans and field actions fail because of a lack of visibility or understanding of what's happening in the field. The environment was not fully analyzed, the target's 3rd party providers were not taken into account, the new leadership approach was not understood... In short, the information and potential problems were not analyzed and developed.
During your planning, make sure you don't ignore what the environment is giving you: do your homework, perform a situation analysis, run that extra OSINT and get your facts right.

Data is key, collect it

Without data to inform you about your progress, success, and direction, you will not be able to tell whether you are succeeding or not. Use ACTE:

  • Assess the situation
  • Create a simple plan
  • Take action
  • Evaluate your progress

Each time you loop, address your problems based on the data, re-orient, and execute.

Detailed planning is a must

Before every project or assessment, or even training, you need to spend hours, if not days, on planning and preparing for every scenario that might come up. This is key if you are to be successful. However, as we all know, Mr. Murphy is always present, and things will not go as planned. It's ok; spending time on planning helps you react better and faster when unplanned situations materialize. The more you plan, the more of an SOP (Standard Operating Procedure) you have, and the more you can fall back on what worked in similar situations in the past. Things repeat themselves.

Have a backup plan

Rule 4. You know plan A will more than likely fail, or the reality in the field will cause it to be re-arranged or dropped altogether. Having a plan B is a default in any red team assessment. Always plan for this: understand the threats and risks, address them, and make a plan B. Always have a PACE (Primary, Alternative, Contingency, Emergency).

Find the main vulnerability and attack it

Every system can be defeated by understanding its weak point and attacking it with full force. The same applies to people and physical targets. If you think of everything as a system that has vulnerabilities, it will get your mind in the right place. Scan your target as if you were a sniper: from far to close, then close to far; then left to right, and right to left. Create a grid and walk it; make sure you analyze and collect all information.
The weakest areas are usually the joints: where two networks connect, where one area of responsibility ends and another begins, etc. The most vulnerable areas, those most likely to be exploited, are where two things connect. There is no such thing as a seamless connection. Seek those areas and attack them.

Separate the signal from the noise

Things can get too big to understand. Huge networks, huge numbers of systems, unknown variables, too many people to phish, and unpredictable situations. It's easy to get overwhelmed. You need to be able to separate the signal from the noise, focus on what's relevant and discard the rest. Identify the critical areas of your target and focus first on those. Then begin to go down to smaller and smaller pieces, until you find the vulnerabilities to exploit.

At the end of the day, it's all about execution

You might have the perfect plan. Your team is ready and you have found the right things to exploit. If you fail on the execution, then it's all worthless. Do a dry run. Run your plan and contingencies. See what breaks and what can go wrong. Get ready to execute to the best of your capabilities.

Getting in

So, here's the thing. Sometimes plans are necessary. The complexity of the project really can only be tackled by sitting down and creating a good plan. It's the only way to deal with all the moving parts.

Some others... Well, red team it. You go in, like you belong. You find the one thing that gives you access. You exploit that and you gain the needed foothold.

All you need is the right tools.

Right mindset + right tools + practice = Getting in.


Why Red Teaming?

Why do we believe in Red Teaming?

Modern organizations are too complex to really consider themselves "secure". Breaches can and will occur; it's a matter of when, not if. It is more likely that an organization has already been compromised, but just hasn't discovered it yet. It is critical to assume this is true, and preparing for it will greatly enhance your chances of continuing business when a breach happens. One of the best things an organization can do to better prepare for the impact of current and future threats is to simulate real-world attacks, bringing to bear the tactics, techniques and procedures (TTPs) that a determined and persistent adversary uses during breaches. The information gained from Red Teaming and live site assessment exercises helps to significantly strengthen defenses, pointing out what works and what doesn't and the holes in plans, improving response strategies, training defenders, and driving greater effectiveness of the entire security program.

Start with the assumption that you have been breached!

In the current world, a prevention-only program is not enough to address determined and persistent adversaries. You have to be proactive and address the what, where and how.

Red Teaming also plays a big role when planning your business continuity strategy. Traditional security methodologies have largely been focused on prevention. Prevention is a defensive strategy that, while a vital part of any good security program, doesn't address post-breach or emergency planning. Red Teaming can steer decision makers in the right direction, helping the teams create preventive plans, as well as TTPs to be used during an incident and immediately post-incident.

The ever-changing perimeter

With the evolution of networking and the adoption of the cloud paradigm, the boundaries or perimeter of the organization can no longer be defined by a network perimeter managed physically or virtually through firewalls and network devices. Corporate data, including sensitive data and source code, can be found spread everywhere: on-prem, in datacenters (co-located or fully owned), in the cloud, with partners, with vendors and service providers, and on a variety of user devices. All of these require different security strategies that most companies haven't even begun to address. This is why factoring Red Teaming into a security program will help look at all the different corners of the organization, allowing the decision makers to address issues that were unknown until then. The role of a Red Team is to attack and penetrate environments using the same steps and TTPs as an adversary, often creating new attack methodologies made specifically for the organization. Red Teaming verifies that protection, detection and response mechanisms are implemented properly.

The “social” aspects

Last but not least, there is one very important aspect that security plans often overlook: people and social media / the internet. A capable adversary will often begin reconnaissance of a target by looking at the employees and service providers of an organization. There is a lot to learn from what people comment on social media sites and the pictures they post (often pictures taken inside the office and other locations of interest). A good security plan should account for this, but often this last bit is neglected. Red Teaming looks at this as well. A good Red Team spends time learning the target, combing the internet for any publicly available piece of data. Most of the time, the people supply all this information for free, open for the taking. Don't forget the people. Act, don't react. Actively looking at the threat footprint of an organization is one of the first steps towards making the organization more secure and resilient to attacks. Look at the people.

An overall look

At the end of a Red Team assessment, a very thorough report and review is presented to all interested parties. This report describes every failure and success, the response by the defenders, and things that need to be addressed immediately, from controls to planning to better TTPs. Lessons learned is the name of the game. A Red Team engagement will provide solutions and enhance decision making. Organizations open to this, allowing Red Teaming as part of their security strategy, will remain the top players, even if a breach occurs.

When in doubt, Red Team it.

Playing the Part

Over the years I've found several techniques that, no matter how trained the security personnel of a corporation are, tend to work one way or another.
In this case: "the angry executive speaking in another language on a cellphone".

I've used this many times and with good results. After researching the target a bit, learning what the baselines are in terms of dress code for the top executives and diversity of the employees, coupled with the atmospherics of the location and its patterns of life, you can put together a very credible "employee from another office" act.
The idea is to show both that you belong there and that you are coming here especially from another location. It causes whoever happens to be in front of you to be a little more sympathetic.

In one particular case, I was outside, on the street, by the booth guarding the entrance to the underground parking. The guard was looking at me. I was wearing the proper suit and tie, with a fake, though very realistic, badge clipped to my jacket's pocket. On cue, another guy from the team called my cellphone. I answered in English and switched to another language. I became more and more agitated as the minutes passed. The guard kept an eye on me. I made it a point to walk back and forth past the booth, and give him consternated looks. He began giving me small smiles... And after about 20 min, he lost interest in me, having seen my badge and sensing that I belonged there.
Once I saw that, and still arguing on the phone, I slowly began walking towards the parking. Going down the ramp step by step, still on the phone, still gesticulating and never looking back at the guard. I belong there, right? I wouldn't worry about the guard.

Boom. I was in. I was freely walking in the underground parking.

Next was to get inside the building. My badge was a good copy, but it wouldn't open the door from the underground parking to the elevators. So I stood there, still angry on the phone, until 5 min later someone came back to his car. As he walked by me, I gave him a smile as I walked in. He never questioned me. So... Now I was really in.

After that it was just the usual stuff, but once you understand the environment and know how to play the part... It's just a matter of time.