F3EAD: Ops/Intel Fusion “Feeds” The SOF Targeting Process | Small Wars Journal

Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD), pronounced “F-three-e-a-d” or “feed,” is a version of the targeting methodology utilized by the special operations forces (SOF) responsible for some of the most widely-publicized missions in support of overseas contingency operations. F3EAD is a system that allows SOF to anticipate and predict enemy operations, identify, locate, and target enemy forces, and to perform intelligence exploitation and analysis of captured enemy personnel and materiel. Central to the F3EAD process is the functional fusion of operations and intelligence functions throughout the SOF organization. In F3EAD, commanders establish targeting priorities, the intelligence system provides the direction to the target, and the operations system performs the decisive operations necessary to accomplish the SOF mission. This paper explains the F3EAD process, examines how it is used by SOF and general purpose forces, and provides recommendations for its further implementation and inclusion into formal doctrine.

Recommended reading.

On Red Teaming

Today’s adversaries don’t play by any rules. They constantly adapt and learn from failures, and the complexity of their tactics and thinking is ever increasing. Whether nation sponsored, criminal or simply opportunistic, this new breed of attacker isn't bogged down trying to exploit the usual suspects (firewalls, web servers, email servers, etc.). They’re not wasting time thinking about your security checklists, policies, and procedures that have been painstakingly developed to thwart them. They’re happy to just go around, under, or over them and uncover weak links wherever possible.

One of the most often exploited weak links is the human one. That human risk can come from both outsider and insider threats, including your supply chain. The question then becomes not only whether you know your adversary, but whether your partners, suppliers and vendors know them as well. Do they know theirs? How frequently are they doing security assessments? It’s a situation that needs frequent testing.

On Planning

Planning can be overwhelming. A lot can go wrong during this critical stage of an assessment or operation. I’ve written about this before, but I thought maybe a simple, deeper post was needed.

Like I mentioned in the article linked above, everyone in the team should be involved in the planning. Each team member should be heard and his/her opinions weighted towards having a good, simple plan that fits the project. We usually have a very straightforward way of doing this, steps of sorts, that we follow. At the end of these steps, the team leader runs the options by the team, we red team the plan/s and we come out with a possible one. That becomes the base for what we want to do.
The steps are nothing special, but over the years this system has helped a lot in organizing our thoughts and methods.

There are 4 initial steps to planning:

  1. Know the project or end goal
  2. Analyze the problems
  3. Red team the plans
  4. Perform a dry run

The first step is to identify what the project is all about, what is the end goal of the project or assessment. During this phase, we really try to analyze what we need, what is the information we have, what is the ultimate goal of this project. It is important to have a clear view of what’s expected. The first draft of the plan is usually created here.
The second step is used to identify the potential problems, trying to focus on the overall plan as well as each part of it. A solid self red teaming of the draft plan is performed here.
In the next step, we focus on finding the solutions to the problems found in step 2 and further polishing the plan. In this stage, and the next one as well, remember Rule 17: Use ACTE: assess the situation; create a simple plan; take action and evaluate your progress. It is important to look at the whole plan with each possible solution, because many things can change in the process of fixing a problem. Each issue identified has a solution; if it doesn’t, then you have to rethink that part of the plan altogether.
The final step is a dry run. This is important to test the solutions, tools needed, gear, etc. A good dry run can identify more problems (as mentioned, ACTE). Go back to step 3 as many times as you need, but be careful not to get your team in an endless loop. At some point decide it’s good enough and commit.

Keep one thing in mind:

Rule 54: Plans are useless, but planning is indispensable.

Plans are something you have to have; however, once you're in the field, chances are you will have to change the plan. That’s the reality of this business. Be ready for that, have a simple plan that can be modified.

Simple and light equals agility and mobility.


Yesterday I had a very interesting discussion with the security director of a large corporation. He began making changes to the way they handle corporate security after having two Red Team assessments done in the past year.
The conversation centered around the way I think about security and the way today's majority of organizations handle their IT and Security departments. He was really interested in knowing our (the Team) opinion about his new approach.

During the conversation, I mentioned several times that security is dynamic and not static. In today's world, where adversaries come from different parts of the world and have different motives/goals, you can't just fill up a security checklist and call it a day. Today's adversaries are not static, they adapt, find new techniques constantly, new exfiltration ways, new ways to bypass current security measures and, more importantly, new ways to trick people. You have to constantly challenge your security measures and play by the same rules as the attackers: no rules. If you only focus on past threats, as most checklists and security guidelines often do, then you remain wide open to attacks.
Being PCI compliant, for example, will only get you to a basic level of security, a starting point. But it is important that you improve and build from there. You can't rely on lists or certifications alone, the world of security is fluid. Fail to see this and it doesn't matter how much money you throw at the latest Firewall or monitoring software, you will get breached. In fact, you need to realize that you will get breached regardless. Plan for that, know what to do and how to make it harder for the adversary to get what they want.

I am not a good hacker or even a good physical security professional, I'm quite average, in my opinion. However, I think I have the right mindset and to me that is important. I try to show, to explain this mindset to the people that ultimately will benefit the most: the decision making people.
Red Teaming is a key for this. Red Teaming is dynamic, like the attackers. Red Teaming can challenge each part of the security plans separately, or as a whole - or both. A good Red Team can help bring awareness to the right people, the decision making people. And yes, sometimes it scares the living shit out of the top executives and senior management, but then they can really begin to address the problem.

You have to continuously challenge your assumptions. In fact, don't assume, verify. If you keep on throwing money at the problem, without focusing on the roots and causes, without focusing on how the problem changes when you interact with it, it will only make the problem worse.

The way I see it, the current world of security is divided into two very distinctive groups: the "saving-my-ass people" and the "risk-taking people". The former, the majority, are contented with the checklists. Their asses are legally covered and when the next breach happens they can say "but we followed the standards...". The latter, well, these are the people making the difference in the security world, coming up with new ideas and taking the fight back to the adversary. Red Teaming lives in this world, the world that is ready to take the next step.

In what group do you belong?

Think about it.

Red Teaming the Plans

One of our first projects was done for an organization that asked us to take a look at their plans. Originally they asked us to focus on the short term plans, namely for each quarter, but after a couple of projects we did for them we were asked to provide a Red Team assessment of their long term plans.

Part of this organization deals with security of high value executives and in the past they have had problems with their planning. By tasking us with the assessment, they wanted to know that at least their current plans were as tight as they could be, and that they were prepared for problems with different contingencies.

In this particular project we did for them, we were tasked with actually testing their plans. Not just analysis of the plan and a report back with the analysis, but actually acting on whatever we found during the analysis. They wanted us to test their readiness.
For this, we split the team in two. One part stayed with the customer to work on their plans and talk to their team and management, and the other part went to Afghanistan to prepare the assessment and test their readiness if needed.

Stay tuned tomorrow for the rest of the post. I just wanted to put this out there. We are almost back on track with the blog.

When in Doubt, Develop the Situation

“Developing the situation is the common-sense approach to dealing with complexity. Both a method and a mind-set, it uses time and our minds to actively build context, so that we can recognize patterns, discover options, and master the future as it unfolds in front of us” – Pete Blaber, The Mission, The Men and Me, 2008

In any new situation when confronted with a problem or things don't go as planned, common sense and/or the Red Team Mindset should be used. It’s important to recognize patterns, discover possible alternatives and options, as well as prepare different solutions based on the analysis.

Developing the situation means innovation and new approaches. Skip the defaults; look for new options. A team can truly come together through different ideas based on the intel from the ground or past experience. The best information is real-time situational awareness based on what is actually happening on the ground right now. In order to accomplish this, you have to be open to new ideas. Once information is flowing from the field (by a team member or by direct collection) you can begin to get a context of what’s going on. This collection of intelligence allows you to put the pieces together and plan accordingly.

It’s important that each team member have a say in the planning phase. This is key on small teams. Each member has his/her own interpretation of the information and these different views can provide the next level in developing the situation. Hear what each member has to say about the developing issues and have them state a plan of action and poke holes in your own plan. Develop the situation.

Note: Originally posted on Small Team Tactics.

The 10th Man

The 10th man. The one to disagree regardless of the plan. The 10th man is the way to have a plan B ready to go. If 9 men agree to the plan, then it’s the 10th man’s task to say “no” and come up with an alternate plan.

Having this way of thinking will challenge the common opinion of the rest of the team, it will challenge the original plan. It would lead to invaluable discussion and the fleshing out of true opinions, possible problems, solutions, and provide a viable plan B as well.
Have a member of your team be the 10th man. Keep him/her always thinking about alternative ways of doing things. As you do this more and more, better plans will emerge and this method will become second nature to your team.

The Corner Spot

Note: This post was posted originally at Small Team Tactics.

It is a good PERSEC consideration to sit in the corner spot at a bar or other public location, or at least with your back to a wall. You make sure nobody can sneak up on you. It also provides a good vantage point where you can observe the people and activities around you, check the nearest exit and entrance, and other tricks.

When you are planning an assessment or writing the next project needs, think about the corner spot. What's the safest and easiest way to perform the assessment? What happens if you need an exit? Do you have a quick way to modify the plan or code? Is your 6 covered? Are you aware of any problems that might occur outside the scope of the project that might interfere with the outcome? Are you prepared for that? Have you taken the time to look at the problem you are trying to solve from the distance? See all the players around? Do you have a good field of view? 180 degrees? 270?

Sitting in the corner spot has many advantages.

The very essence of teamwork

Note: Originally posted on Small Team Tactics

In this post I will direct you to a post by one of my good friends about his experience in the GORUCK Challenge.

Patrick Rhone, of Minimal Mac fame, captured the essence of teamwork in his post The Challenge. Go read the post, but I'll quote some of it here.

After it was all said and done, and she gave me back my jacket, she said that if not for having it she surely would have quit. What she likely does not realize, and what I hope to make clear, is that keeping her from quitting is what got me through. If I had not given her the jacket I might have quit too.

I’ve heard more than a few Cadre in the course of my research about the Challenge tell the teams, "Look at the person to the left of you. Look to the person on the right. This is not about you. It’s about them!"

These words kept running through my head every time I wanted to give up. If I quit, I was not really letting myself down. I was letting down my teammates who I had pledged to be there for. Conversely, if I had quit, in a way I would be telling them they let me down. This idea rang no more true to me than when I gave Ayn my jacket. It was not about me, it was about her.

If you are considering taking the Challenge yourself, this is the biggest lesson I learned and can impart. Please realize that the point of the Challenge is to show you a side of yourself you never thought possible. A side that not only has the mental and physical strength to do it, but also the compassion and sacrifice to give yourself up for others so that they may do the same for you. Because the very essence of teamwork is to help everyone else get the job done knowing and trusting that they are doing the same for everyone else and you. Only then will you see that no one gets through this Challenge (or this life) alone. And this is why we do it.