Building a Red Team
In the past several weeks many readers had asked me about the composition of the Red Team and how to build one.
In my opinion and based on experience, a good Red Team is comprised of two distinctive parts: The Operating Team (OT) and the Support Team (ST). The OT is the actual hands-on team and it consist of both digital and physical security experts. The ST, on the other hand, includes the Team leader and the Team coordinator. They might be the same person, but sometimes they are not. They might stay in the office if there is a combined physical and digitial operation, or get deployed with the Team.
The Operating Team
The OT actually carries out the digital and physical penetration. The Team members can be divided into different roles with unique responsibilities and areas of expertise. The team makeup will vary with each operation or project, however having a good default or base Team is a good thing. The actual OT will be selected in the planning phase of the operation, but if the base Team is experienced enough, they can adapt on the fly to the new requirements. Sometimes one Team member will have multiple roles.
- Computer intrussion expert (a hacker)
- Physical security expert (lock picking, profiling and defeating physical security measures, perimeter security, etc)
- Surveillance and recon expert (capable of gathering intelligence by covert means on foot, in a vehicle or by working together with the computer intrussion expert)
- Social engineer expert (either by phone, face to face or by email. Expert in HUMINT)
- Programmer or code hacking expert (able to write attack code on the fly, analysize or reverse engineer other code and understand how security exploits work, this person often is the same as the computer intrussion expert)
Efficiency often demands that team members perform multiple roles. For example, intelligence gathering is not unique to the surveillance expert; this is something that every team member should be able to perform.
The Support Team
The ST may stay in the Team's headquarters (HQ) and help coordinate the OT with the customers, law enforcement or military unit the Team is attach to. The ST can be also deployed with the OT on the field and augment the OT in whatever they need. The roles are not fixed. Often different members of the Team will take the roles of the ST, either Leader or Coordinator. This approach will allow the Team members to take leadership, bring new ideas and provide different points of view.
- Team leader or CO (in charge of the project. Manages the Team members. He or she liaises with the customer if needed and with the different parts involved with the operation)
- Coordinator or XO (may be the same person as the Team leader. This member directs and assists the Team on the field from HQ when the team leader is deployed with the OT. This position is critical if Team members are deployed to multiple locations simultaneously against the same or different targets)
An example of these members working from HQ would be when a physical penetration is being performed in parallel with a digital intrusion. Maybe the information from the digital penetration needs to be passed immediately to the physical experts or vice-versa.
This team composition will vary from project to project. The team might be smaller when needed or augmented by other members. It is good to also have redundancy. For example having 2 computer experts, one senior and one junior, that can work together on a problem or be devided to support different efforts.
The key of a good Red Team is adaptability. Remember:
"Nimble, agile and small multi-tasking teams can quickly change their entire plan, attack and approach. they can adapt rapidly to the incoming intelligence and they can react better to changes in the plan. Small teams can change their priorities and focus.” (Small Team Tactics)