Phases Of A Red Team Assessment - Revisited

Back in 2014, a question from a reader asked about the different phases of a Red Team assessment / engagement. Then we listed 8 phases.
These phases were, of course, based on our own experience, and a generic list. Each engagement is different, however having a list to begin the process and have a good visual map of what is needed, is a good thing.
During the last couple of years, we narrowed the phases down to 5:

Phase 1: OPORD

The Operations Order (OPORD). An OPORD describes the project, the situation the team faces, the target, and what supporting activities the team will have to achieve their objective.
In this phase, the team gets exposed to the upcoming project or operation. The initial information about the target and the scope of the assessment are dumped and the team members begin to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

Phase 2: Recon

This phase is the most important one. If you do it right it will most likely end in the success of the project. If done right, a good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project.
During this phase the team observes the target and learns about it. Physical and digital surveillance are performed, as well an open source intelligence gathering. The physical, digital and social footprints of the target are mapped and analyzed. At the end of this phase there is a clear view of the possible vectors of attack. Usually, during this phase, all activities are passive, however in some cases - and the target is open to attack - a more active scan/surveillance is performed.

Phase 3: Target ID

During the Recon Phase, the team identified the possibles options for an attack. In this phase each option is further analyized and a plan of attack is crafted. On the digital side, a deeper scan is performed and exploits are identified. On the physical side, more information about security measures and controls are sought out. Social engineering calls are made and phishing mails are sent. Dry runs, if any, are performed during this phase too. In many cases, custom tools are written to exploit a specific vulnerability or to provide support for penetration and data exfiltration. This is a more active phase.

Phase 4: Live Run

Phase 4 is the Go! phase. Armed with all the knowledge and tools, the team executes the assessment for real. Whether a digital intrusion or a physical infil, the team tries to go inside. Once in, the team begins the lateral movement and smaller Phase 2 and 3 happen again. Important targets are indentified within the primary target and these are exploited as well. Backdoors, and further persistance are set and data exfil channels are open.
Once the team in inside, the team tries to exfiltrate data and also exploit targets of oportunity. Once all this is done, the point of contact that set the assessment is notified.

Phase 5: Report

The assessment is over. This phase is used to clean anything left behind and analyze all that was done. Findings are reported to the point of contact, and a debrief meeting is set.
The final report writing begins. This is the sucky part. Report writing happens after the endless cries from the point of contact.

On Red Teaming

Today’s adversaries don’t play by any rules. They constantly adapt and learn from failures and the complexity of their tactics and thinking is ever increasing. Whether nation sponsored, criminal or simply opportunistic, this new breed of attacker isn't bogged down trying to exploit the usual suspects (firewalls, web servers, email servers, etc.) They’re not wasting time thinking about your security checklists, policies, and procedures that have been painstakingly developed to thwart them. They’re happy to just go around, under, or over them and uncover weak links wherever possible.

One of the most often exploited weak links is the human one. That human risk can come from both an outsider and insider threats, including your supply chain. The question then becomes, not only whether you know your adversary or not, but do your partners, suppliers and vendors know them as well? Do they know theirs? How frequently are they doing security assessments? It’s a situation that needs frequent testing.

Read More

The Red Teamer's Bookshelf 2017 edition

It’s been a couple of months since we first announced that Red Team Journal,, and OODA Loop would be compiling the latest “Red Teamer’s Bookshelf” jointly. For those of you who’ve been waiting, the list is finally here. It’s larger than previous years, so we’ve organized the titles by category (and yes, some of these titles would fit in more than one category). The titles address a range of red teaming activities and skills, with a noticeable increase in special operations books this year. Thank you to everyone who submitted titles.

Here's the list.

Quote of the day

“Most people are starting to realize that there are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it. Therefore, prevention is not sufficient and you’re going to have to invest in detection because you’re going to want to know what system has been breached as fast as humanly possible so that you can contain and remediate.”

-- Ted S.

The Cyber Moscow Rules | OODALoop

Lessons learned from US agents who operate in enemy territory have been captured for years and transformed into a code of conduct popularly known as “Moscow Rules.” Those old rules existed for a reason. Real-world experience proved their effectiveness when agents had to operate in the presence of adversaries.

Since modern cyber defenders are also frequently required to operate in the presence of adversaries there are lessons from these old Moscow Rules relevant to cyber defense.

With that as an introduction, the following is a modified list of the old Moscow Rules designed to help the cyber defender under fire.

Consider these as “Moscow Rules for Cyber Operations”

I like this one:

Understand the human tendency to forget about the threat as soon as the current attack has been mitigated. Do not fall victim to this cyber threat amnesia. When not under visible attack, study, prepare, and test your own defenses.

Focusing on the goal

I've experienced plans going wrong many times during the several years I've been Red Teaming. Sometimes because of poor planning, some others because the real world always has the last word, especially when Mr. Murphy is along for the ride - and he always is.

Over the years both experience and mental resilience had taught me to assess the situation and adapt the original plan, go to a plan B or just work without a plan. While on the field, ideally you’d be looping through 4 steps constantly:

  1. Understand the problem (in this case what caused the plan to not work)
  2. See the solution (how do I solve this in a simple, fast and reliable way)
  3. Communicate the new plan (to your team or to you, mentally saying the plan helps red team the issues)
  4. Execute it

However, while doing this you have to keep in mind the goal of the mission, assessment or engagement. It is very easy to lose focus of the goal. An instructor at one of the schools I attended while on the military, always told us to focus on the end goal, no matter how bad it was. Mission came first and if the mission was to recon a target and gather intel then that should be the focus. All our planning was geared towards achieving that mission. Once we had that, then the rest (kit, transport, alternative exfil points, etc) would cascade from there. Remember: Rule 16: Target dictates the weapon and the weapon dictates the movement. The goal comes first. The what you are planning for.
It is very easy to lose focus of this when the conditions on the field are chaotic, or not as expected. We tend to focus on the things on front of you, and while these are often pressing and more important (sometimes life or death), once we solve the immediate problem, we need to go back to the original mission.

The best way I found to do this is adding the following to the steps described above:

0: What is the goal.

So, identify the goal, identify the problems preventing you from achieving the mission, find a solution (don’t forget: the solution is in the problem), communicate that solution and execute it. If it didn’t work, or a new problem arises, start again, but always keeping the question what is the goal as the first step. This will keep you focused on your mission.