Bringing this concept of doctrine back around to SHTF security planning, we have to ask, how well do we understand the threat? How well do we understand the types of activities or the tactics that they might employ?
Everyone: the team is currently deployed on an incident response project. This has delayed the forum coding and the sending of codes to the people who donated. The guys writing the code for the forum are currently overseas. This will be over soon and we'll get back to work.
Back in 2014, a question from a reader asked about the different phases of a Red Team assessment / engagement. Then we listed 8 phases.
These phases were, of course, based on our own experience, and a generic list. Each engagement is different; however, having a list to begin the process and a good visual map of what is needed is a good thing.
During the last couple of years, we narrowed the phases down to 5:
- OPORD
- Recon
- Target ID
- Live Run
- Report
Phase 1: OPORD
The Operations Order (OPORD). An OPORD describes the project, the situation the team faces, the target, and what supporting activities the team will have to achieve their objective.
In this phase, the team gets exposed to the upcoming project or operation. The initial information about the target and the scope of the assessment are dumped and the team members begin to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.
Phase 2: Recon
This phase is the most important one; done right, it will most likely lead to the success of the project. A good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project.
During this phase the team observes the target and learns about it. Physical and digital surveillance are performed, as well as open source intelligence gathering. The physical, digital and social footprints of the target are mapped and analyzed. At the end of this phase there is a clear view of the possible vectors of attack. Usually, during this phase, all activities are passive; however, in some cases, when the target is open to attack, a more active scan/surveillance is performed.
Phase 3: Target ID
During the Recon Phase, the team identified the possible options for an attack. In this phase each option is further analyzed and a plan of attack is crafted. On the digital side, a deeper scan is performed and exploits are identified. On the physical side, more information about security measures and controls is sought out. Social engineering calls are made and phishing mails are sent. Dry runs, if any, are performed during this phase too. In many cases, custom tools are written to exploit a specific vulnerability or to provide support for penetration and data exfiltration. This is a more active phase.
Phase 4: Live Run
Phase 4 is the Go! phase. Armed with all the knowledge and tools, the team executes the assessment for real. Whether a digital intrusion or a physical infil, the team tries to go inside. Once in, the team begins lateral movement and smaller versions of Phases 2 and 3 happen again. Important targets are identified within the primary target and these are exploited as well. Backdoors and further persistence are set, and data exfil channels are opened.
Once the team is inside, it tries to exfiltrate data and also exploit targets of opportunity. Once all this is done, the point of contact that set up the assessment is notified.
Phase 5: Report
The assessment is over. This phase is used to clean anything left behind and analyze all that was done. Findings are reported to the point of contact, and a debrief meeting is set.
The final report writing begins. This is the sucky part. Report writing happens after the endless cries from the point of contact.
And the winners of the giveaway prizes are:
RESCO Red Teams: Nathan M.
GORUCK GR1: Sylvia W.
Agilite Jacket: Justin P.
Arc'teryx Jacket: Eriko Y.
Red Team Patch: Travis W.
Emails have been sent. For the Jacket winners, please send the size you'd like to get. For the international winners, please be patient with the mail... Our post service is not always that fast.
Thank you everyone that donated! We'll be sending an access code next week for the Guerrilla Red Team close forum. Standby for that.
Note: Originally posted on my personal blog.
- Simple and light.
- Have a PACE for everything.
- Make it asymmetrical, stack advantages.
- Act, don't react.
- Target dictates the weapon and the weapon dictates the movement.
These are principles that have helped me across a variety of activities: war, alpine climbing, work, red teaming, hard times...
I tried to simplify the concepts as much as I could, focusing on things that can be applied together.
1. Simple and light
Keep everything simple. Simple things are easy to change when you need to. Simple plans will adapt better to the ever-changing conditions in the field. Simple things are easy to understand and explain, especially under stress.
I also believe in being nimble. Being light allows you to move faster, more fluently. Being light allows you to be more efficient.
2. Have a PACE for everything
PACE: Primary, Alternate, Contingency and Emergency. A military way of building a communication plan. However, it can be applied to all planning.
It's about having a Plan B, but also understanding that everything will eventually fail. Have contingencies and an escape plan. Be ready for the worst. When it happens, you'll know what to do.
3. Make it asymmetrical, stack advantages
It's not what you do, it's when and how you do it. It's making sure the odds are in your favor. If you want to be successful you have to make it happen. Fight with small team tactics, a guerrilla. Make things stack in your favor. Then execute.
4. Act, don't react
Don't wait for things to happen, be proactive. Go for it and be ready. It's too late if you have to react after something happened. Red team it. Plan 2-3 steps ahead, and make it asymmetrical!
5. Target dictates the weapon and the weapon dictates the movement
Don't get caught on a technique, or a method, or a tool, or on planning. Things are dynamic and they depend on your target. Once you know your target (what you want to achieve), you can then decide what weapon (technique, tools, etc.) you need to use to hit that target (or to work with, defuse, assess, build, etc.). Once you know the weapon, then you'll be able to understand how you will need to move to reach that target. In other words, don't be stuck on a technique or tool; adapt it to the target, focus on understanding what the best tool or technique is to achieve that target, and then you'll be able to plan (move) to make it happen.
(Note: this principle was taught to me by Richard "Mack" Machowicz, one of the most interesting people I've met. Unfortunately, he is no longer with us. Thank you for all, Mack!)
Today's adversaries don't play by any rules. They constantly adapt and learn from failures, and the complexity of their tactics and thinking is ever increasing. Whether nation sponsored, criminal or simply opportunistic, this new breed of attacker isn't bogged down trying to exploit the usual suspects (firewalls, web servers, email servers, etc.). They're not wasting time thinking about your security checklists, policies, and procedures that have been painstakingly developed to thwart them. They're happy to just go around, under, or over them and uncover weak links wherever possible.
One of the most often exploited weak links is the human one. That human risk can come from both outsider and insider threats, including your supply chain. The question then becomes not only whether you know your adversary, but whether your partners, suppliers and vendors know them as well. Do they know theirs? How frequently are they doing security assessments? It's a situation that needs frequent testing.
It’s been a couple of months since we first announced that Red Team Journal, redteams.net, and OODA Loop would be compiling the latest “Red Teamer’s Bookshelf” jointly. For those of you who’ve been waiting, the list is finally here. It’s larger than previous years, so we’ve organized the titles by category (and yes, some of these titles would fit in more than one category). The titles address a range of red teaming activities and skills, with a noticeable increase in special operations books this year. Thank you to everyone who submitted titles.
"Hacking takes time. Developing the tool chain takes time, recon takes time, sometimes systems get hardened and the optimal time to hack them was in the past, and so on and so on. The best time to collect intelligence about an adversary is before you need it."
-- the grugq: Idle Thoughts on Cyber
It's time to update The Red Teamer's Bookshelf. In the past, we've either built the list ourselves or consulted a small group of colleagues. This time we'd like to crowdsource the list in partnership with the Red Team Journal and OODA Loop. Use the contact page to send us the titles of the book or books that you believe red teamers should be reading. (You can reach back into history; these don't need to be 2016 titles.) When you do send us your title or titles, add a sentence on each telling us why you think it's important. After a week or so, we'll aggregate the submissions and post The Red Teamer's Bookshelf (2016 Edition) at all three sites.
Here are some of the Red Team Journal's previous bookshelves:
And the OODA Loop Top 10
And finally our bookshelf.