The Red Team Manifesto | Reciprocal Strategies

A great addition to the Red Teaming world by Mark Mateski at Reciprocal Strategies.

I’m a red teamer:

  • I ask questions even when the answer seems obvious.
  • I speak the truth as I understand it.
  • I protect my clients from their adversaries and from themselves.

Go read the entire post. It blends nicely with our own Rules of Red Teaming:

  • 1: The purpose of a Red Team is to become the adversary, to be the worst-case scenario.
  • 2: People lacking imagination, skepticism, and a perverse sense of humor should not work as Red Teamers.
  • 3: Red Teaming is mostly about paying attention.
  • 4: Understand the thing you are Red Teaming. If you don't, the results will be poor. Spend time learning.
  • 5: Don't play by the rules. Make your own and adapt.
  • 6: If you’re happy with your plan, you are not doing it right.
  • 7: The efficacy of security is determined more by what is done wrong than by what is done right.
  • 7a: Build on this. The bad guys typically attack deliberately and intelligently, not randomly. Mimic that.
  • 8: A Red Team is most vulnerable to detection and disruption just prior to an attack. Don't make mistakes.
  • 9: If you're not failing when you're training, you're not learning anything.
  • 10: There are an unlimited number of security vulnerabilities for a given system, program, or plan, most of which will never be discovered. Tap into that.
  • 11: When in doubt, Red Team it.
  • 12: We are never prepared for what we expect.
  • 12a: During a stressful moment, take a step back and look at the whole system. Analyze whether this is real stress or a deception by the defenders.
  • 12b: Act, don't react. Plan 2-3 steps ahead.
  • 13: The solution is in the problem. “When in doubt, develop the situation.”
  • 14: The more sophisticated the technology, the more vulnerable it is to primitive attacks. People often overlook the obvious.
  • 14a: Most organizations will ignore or seriously underestimate the threat from insiders. That's your in.
  • 15: Make it asymmetrical. Advantage-stacking is your friend.
  • 16: Remember PACE: Primary, Alternate, Contingency and Emergency. Always have a PACE for everything.
  • 17: Use ACTE: Assess the situation; Create a simple plan; Take action; and Evaluate your progress.
  • 18: If there's any question about whether it's necessary, remove it. KISS.
  • 18a: Stay small. Stay light.
  • 19: Don’t become predictable.
  • 20: Prioritize and execute.

Personal Principles

Note: Originally posted on my personal blog.

  1. Simple and light.
  2. Have a PACE for everything.
  3. Make it asymmetrical, stack advantages.
  4. Act, don't react.
  5. Target dictates the weapon and the weapon dictates the movement.

These are principles that have helped me across a variety of activities: war, alpine climbing, work, red teaming, hard times...
I tried to simplify the concepts as much as I could, focusing on things that can be applied together.

1. Simple and light

Keep everything simple. Simple things are easy to change when you need to. Simple plans adapt better to the ever-changing conditions in the field. Simple things are easy to understand and explain, especially under stress.
I also believe in being nimble. Being light allows you to move faster and more fluidly. Being light allows you to be more efficient.

2. Have a PACE for everything

PACE: Primary, Alternate, Contingency and Emergency. It is a military method for building a communications plan, but it can be applied to any kind of planning.
It's about having a Plan B, but also understanding that everything will eventually fail. Have contingencies and an escape plan. Be ready for the worst. When it happens, you'll know what to do.

3. Make it asymmetrical, stack advantages

It's not what you do, it's when and how you do it. It's making sure the odds are in your favor. If you want to be successful, you have to make it happen. Fight with small-team tactics, like a guerrilla. Make things stack in your favor. Then execute.

4. Act, don't react

Don't wait for things to happen; be proactive. Go for it and be ready. It's too late if you have to react after something has happened. Red team it. Plan 2-3 steps ahead, and make it asymmetrical!

5. Target dictates the weapon and the weapon dictates the movement

Don't get caught up on a technique, a method, a tool, or on planning. Things are dynamic and they depend on your target. Once you know your target (what you want to achieve), you can decide what weapon (technique, tool, etc.) you need to use to hit that target (or to work with, defuse, assess, build, etc.). Once you know the weapon, you'll be able to understand how you need to move to reach that target. In other words, don't be stuck on a technique or tool; adapt it to the target, focus on understanding what the best tool or technique is to achieve that target, and then you'll be able to plan (move) to make it happen.

(Note: this principle was taught to me by Richard "Mack" Machowicz, one of the most interesting people I've met. Unfortunately, he is no longer with us. Thank you for everything, Mack!)

On Red Teaming

Today's adversaries don't play by any rules. They constantly adapt and learn from failures, and the complexity of their tactics and thinking is ever increasing. Whether nation-sponsored, criminal or simply opportunistic, this new breed of attacker isn't bogged down trying to exploit the usual suspects (firewalls, web servers, email servers, etc.). They're not wasting time thinking about your security checklists, policies, and procedures that have been painstakingly developed to thwart them. They're happy to just go around, under, or over them and uncover weak links wherever possible.

One of the most often exploited weak links is the human one. That human risk can come from both outsider and insider threats, including your supply chain. The question then becomes not only whether you know your adversary, but whether your partners, suppliers and vendors know them as well. Do they know their own? How frequently are they doing security assessments? It's a situation that needs frequent testing.

The Cyber Moscow Rules | OODALoop

Lessons learned from US agents who operate in enemy territory have been captured for years and transformed into a code of conduct popularly known as “Moscow Rules.” Those old rules existed for a reason. Real-world experience proved their effectiveness when agents had to operate in the presence of adversaries.

Since modern cyber defenders are also frequently required to operate in the presence of adversaries, there are lessons from these old Moscow Rules relevant to cyber defense.

With that as an introduction, the following is a modified list of the old Moscow Rules designed to help the cyber defender under fire.

Consider these as "Moscow Rules for Cyber Operations."

I like this one:

Understand the human tendency to forget about the threat as soon as the current attack has been mitigated. Do not fall victim to this cyber threat amnesia. When not under visible attack, study, prepare, and test your own defenses.

Robert Rogers Standing Orders

Rogers is famous for his 28 "Rules of Ranging", a series of rules originally created during the French and Indian War. They have evolved since then, and the US Army Rangers still carry them into combat.

His Standing Orders can be applied to many things, including Red Teaming. Here they are:

  1. Don't forget nothing.
  2. Have your musket clean as a whistle, hatchet scoured, sixty rounds powder and ball, and be ready to march at a minute's warning.
  3. When you're on the march, act the way you would if you was sneaking up on a deer. See the enemy first.
  4. Tell the truth about what you see and what you do. There is an army depending on us for correct information. You can lie all you please when you tell other folks about the Rangers, but don't never lie to a Ranger or officer.
  5. Don't never take a chance you don't have to.
  6. When we're on the march we march single file, far enough apart so one shot can't go through two men.
  7. If we strike swamps, or soft ground, we spread out abreast, so it's hard to track us.
  8. When we march, we keep moving till dark, so as to give the enemy the least possible chance at us.
  9. When we camp, half the party stays awake while the other half sleeps.
  10. If we take prisoners, we keep 'em separate till we have had time to examine them, so they can't cook up a story between 'em.
  11. Don't ever march home the same way. Take a different route so you won't be ambushed.
  12. No matter whether we travel in big parties or little ones, each party has to keep a scout 20 yards ahead, 20 yards on each flank, and 20 yards in the rear so the main body can't be surprised and wiped out.
  13. Every night you'll be told where to meet if surrounded by a superior force.
  14. Don't sit down to eat without posting sentries.
  15. Don't sleep beyond dawn. Dawn's when the French and Indians attack.
  16. Don't cross a river by a regular ford.
  17. If somebody's trailing you, make a circle, come back onto your own tracks, and ambush the folks that aim to ambush you.
  18. Don't stand up when the enemy's coming against you. Kneel down, lie down, hide behind a tree.
  19. Let the enemy come till he's almost close enough to touch, then let him have it and jump out and finish him up with your hatchet.
  20. Don't use your musket if you can kill 'em with your hatchet.

The Three C’s of OPSEC

Via Grugq.

I would add:

  • Be paranoid, never trust anyone, always verify
  • Never reveal your plans
  • Never work from your own office/safe place
  • Don't reveal personal or atmospheric details
  • Never leave anything behind that might be traced to you

Remember the rule of 3:

  • Always have a plan.
  • Always have a back-up plan, because the first one probably won’t work.
  • Always have an escape plan because all the rest of the plans will fail.

Yes, make it 4: PACE - Primary, Alternate, Contingency and Emergency.