In the field
Red Team operations, digital surveillance, physical recon, staff assessments (red teaming members of your staff), digital warfare and intelligence gathering are sometimes performed in the field.
This can be challenging and, depending on the location, dangerous. There are several reasons for performing digital ops directly in the field. These include:
- You need to remain fairly anonymous by using public networks.
- You need to appear to come from a specific IP address, and the only way to do it is by physically being at that location.
- You need to be close to the target because you are also performing physical recon on it.
- You were out in the street, something came up, and you need to check it right away.
- You are part of a larger law enforcement (LE) or military (Mil) operation.
There are other reasons, but the ones above are the situations we have generally found ourselves in.
Regardless of the reason, basic fieldcraft makes the operation easier and safer, helps you remain fairly anonymous, and helps you protect the sensitive information you might discover during the operation.
The information in this post is common sense: these are things that worked in the past, 20 and 10 years ago, and, based on our own experience, continue to work today. They might not work for everyone, or even make sense for everyone. Still, I think the points below will give you enough to be prepared, or at least to create your own methodology.
Each project usually starts with mission planning, followed by a recon phase. Allot enough time to prepare the project. Recon, in this case, includes scanning the area for wireless networks (open or encrypted) and other RF signals, and noting physical security measures such as cameras and the access keys or badges needed. Then make a map of the best locations from which to perform network scans and physical surveillance, essentially casing the site. These locations can be cafes, bars, parks, offices with a waiting area or across the street from the target, and so on.
Recon of the area will also give you a good idea of the best way to move around, and of escape routes (should you need one). During this phase you also work on atmospherics: learn the location, what is normal and what is not, and how to dress and act. Some people I know like to hire a local, send them a portable wireless signal finder/scanner, a smartphone, or a laptop with a network stumbler, and have that person map the area ahead of your arrival; however, I prefer to do this myself or have someone from my team do it, because you learn the topography better. I usually arrive two or three days earlier and recon the area.
You can also carry a directional antenna to boost reception and map the Wi-Fi signals from a safe distance.
During the recon you can also perform some basic HUMINT and social engineering if needed. Ask the locals where the best cafes are and whether they know a good place to take business people for lunch. Then go to those places and ask whether your target comes there. Knowing where your target will be sometimes gives you a chance to actively scan them (a phone left Bluetooth-discoverable, a laptop on an open network sending login credentials in the clear, etc.). A short but useful recon helps you prepare the gear and software you will need.
Basic computer or tablet preparation
The computer and, more recently, a tablet or smartphone, are your main tools, and as such they have to be ready for the project. Ideally you would have a blank, brand new hard disk for each project. You then install your preferred OS, plus virtual machines with other OSes and tools. If you cannot, you need to prepare the disk prior to the project. Start by wiping the disk clean. Formatting is not enough: a format rewrites the filesystem metadata and leaves the data blocks where they were, so the old contents can still be carved out, and we do not want information from previous projects, or worse, sensitive information gathered on other operations, to be accessible. On an SSD, even overwriting is not reliable, because wear levelling and spare blocks keep copies the OS cannot reach; use the drive's built-in secure erase, or better, only ever write to the disk through full disk encryption, so that discarding the key is the wipe. Once you have your disk wiped, install the OS and tools. But be careful, don't install anything that is not needed. Also, disable the system services you don't need: basic system hardening. The tools you need vary from project to project and you have to adapt. I usually also have several live CD or live USB OSes ready to go.
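To make the "formatting is not enough" point concrete, here is a small simulation I added for this post (it is not the author's tooling). It uses a temporary image file as a stand-in for a disk: a quick format rewrites only an assumed 4 KiB metadata area at the start, so a raw byte search still finds the old data; overwriting the whole image with random bytes removes it. The leftover string is constructed. Never point this at a real block device.

```python
"""Simulation of why a quick format is not a wipe (added example, not the author's code)."""
from __future__ import annotations

import os
import tempfile

IMAGE_SIZE = 256 * 1024      # size of the stand-in "disk"
METADATA_AREA = 4 * 1024     # assumed region a quick format rewrites
SECRET_OFFSET = 64 * 1024    # where a previous project's data happens to sit


def make_image(path: str, secret: bytes) -> None:
    """Create the image and plant a leftover from a previous project in it."""
    with open(path, "wb") as f:
        f.write(b"\x00" * IMAGE_SIZE)
        f.seek(SECRET_OFFSET)
        f.write(secret)


def quick_format(path: str) -> None:
    """Mimic mkfs / quick format: only the metadata area is rewritten."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * METADATA_AREA)


def wipe(path: str, passes: int = 1) -> None:
    """Overwrite every byte with random data, flushing to disk after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                chunk = min(left, 1 << 20)
                f.write(os.urandom(chunk))
                left -= chunk
            f.flush()
            os.fsync(f.fileno())


def carve(path: str, marker: bytes) -> int:
    """What a recovery tool does: scan the raw bytes for a known pattern.
    Returns the offset where the marker is found, or -1."""
    with open(path, "rb") as f:
        return f.read().find(marker)


def demo() -> tuple[bool, bool]:
    """Return (marker still found after quick format, marker still found after wipe)."""
    marker = b"CLIENT-PASSWORD-LIST-FROM-LAST-JOB"   # constructed leftover
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path, marker)
        quick_format(path)
        after_format = carve(path, marker) != -1
        wipe(path)
        after_wipe = carve(path, marker) != -1
    finally:
        os.unlink(path)
    return after_format, after_wipe


if __name__ == "__main__":
    found_after_format, found_after_wipe = demo()
    print(f"recoverable after quick format: {found_after_format}")  # True
    print(f"recoverable after wipe:         {found_after_wipe}")    # False
```

The overwrite loop is the spinning-disk case; on flash the same loop cannot reach remapped or spare cells, which is why the secure-erase command or encrypt-from-day-one is the practical answer there.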
The next thing to do is to create an electronic dead drop. Create an email account on any free webmail service (Gmail, Yahoo! Mail, etc.). Give the username and password to the team members at HQ and agree on four times during the day when you will check the account and when the team will check it. You will use this account as a dead drop. It works as follows: you have information you want to send to your team for analysis. Zip the files, encrypt them and attach them to a new message; however, don't send the message. Save it in the Drafts folder and log out. Your team will log in to the account and see a new message waiting in the Drafts folder. They will download it, erase the draft, then work on it. If the team has information for you or a reply, they'll upload a new encrypted file and leave it inside the Drafts folder. This way no message is ever sent, so there is no email trail between two mailboxes. Bear in mind what the drop does not hide: the provider still stores every draft (and may retain deleted ones) and logs each login with its source IP and time, so the encryption, not the drop, is what protects the content, and the logins themselves are the trail to worry about.
It is important to mention that this email account will only be used for this project. After the project is finished, delete the account or abandon it. Do NOT reuse the account.
If an emergency arises and you need to either send information out faster or have your team act on whatever you sent pronto, you can do several things. The two that we found work are: a simple SMS (text message) from a burner cellphone that I carry to a burner cellphone the team at HQ has, with a keyword that basically says "go check the email" or "I need to get out of here" or whatever; or, if you don't want to use cellphones, agree on a public online forum and leave a message there, which the team at HQ monitors constantly.
Another way of sending information via the dead drop is steganography, essentially hiding information in plain view. You can hide the encrypted information in pictures, MP3 files, or even in the whitespace of text files. The advantage of steganography is that if the email dead drop gets compromised, all they'll see is a picture or an MP3 song. Two things to keep in mind: steganography only hides that a message exists, so the payload must still be encrypted, and the carrier must reach the other side byte for byte. Attach it as a file rather than pasting it inline, because an image that gets recompressed, or a text whose trailing spaces get trimmed, loses the hidden data.
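The whitespace variant, as an added example that is my code and not from the original post: each line of a cover text gets eight trailing characters, a space for a 0 bit and a tab for a 1 bit, so one payload byte per line, with a two-byte length prefix so the reader knows where to stop. The payload is assumed to be an already encrypted blob (the sample here is a constructed placeholder); the cover text and function names are mine. The `visible_text` helper shows what a reader, or a client that trims line endings, sees.

```python
"""Whitespace steganography for the e-mail dead drop (added example, not the author's code)."""

LEN_PREFIX = 2   # big-endian payload length, so at most 65535 payload bytes


def _byte_to_ws(b: int) -> str:
    """Eight trailing characters: tab for a 1 bit, space for a 0 bit, MSB first."""
    return "".join("\t" if (b >> (7 - i)) & 1 else " " for i in range(8))


def _ws_to_byte(ws: str) -> int:
    v = 0
    for ch in ws:
        v = (v << 1) | (1 if ch == "\t" else 0)
    return v


def hide(cover: str, payload: bytes) -> str:
    """Return the cover text with the payload hidden in its line endings."""
    if len(payload) >= 1 << (8 * LEN_PREFIX):
        raise ValueError("payload too large for the length prefix")
    framed = len(payload).to_bytes(LEN_PREFIX, "big") + payload
    lines = cover.split("\n")
    if len(framed) > len(lines):
        raise ValueError(f"cover has {len(lines)} lines, payload needs {len(framed)}")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")        # pre-existing trailing whitespace would corrupt decoding
        if i < len(framed):
            line += _byte_to_ws(framed[i])
        out.append(line)
    return "\n".join(out)


def reveal(stego: str) -> bytes:
    """Extract the hidden bytes; raises if the carrier was damaged in transit."""
    data = bytearray()
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        if len(tail) != 8:
            break                         # first line without a full byte ends the payload
        data.append(_ws_to_byte(tail))
    if len(data) < LEN_PREFIX:
        raise ValueError("no length prefix: carrier damaged or not a stego text")
    n = int.from_bytes(data[:LEN_PREFIX], "big")
    if len(data) - LEN_PREFIX < n:
        raise ValueError("carrier truncated: trailing whitespace was stripped")
    return bytes(data[LEN_PREFIX:LEN_PREFIX + n])


def visible_text(text: str) -> str:
    """What a reader, a grep, or a client that trims line endings sees."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))


if __name__ == "__main__":
    # Constructed cover text; the secret stands in for an encrypted archive.
    cover = "\n".join(f"Meeting notes, item {i}: nothing to report." for i in range(16))
    secret = b"Q2 drafts ready"
    stego = hide(cover, secret)
    print("recovered:", reveal(stego))
    print("visible text unchanged:", visible_text(stego) == cover)
```

The capacity is one byte per line, so a multi-kilobyte encrypted archive needs a long cover document; image or audio carriers hold far more, but the trimming failure mode is the same in spirit: anything that normalises the carrier destroys the payload, and `reveal` reports that rather than returning garbage.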
Finally, use a full disk encryption program to encrypt the entire disk, and get in the habit of powering the machine fully off when you leave it: a laptop that is merely suspended or screen-locked still holds the encryption key in memory, and full disk encryption only protects a machine that is off.
Although I like to rely on my mind more than my gear, having the right gear can mean the difference between success and failure.
As part of the recon, you should also prepare a list of things you might need based on the information you gathered. DOPE can also help here. DOPE is a sniper term that means Data On Previous Engagements or Data On Personal Equipment (depending on the branch). Learn from past projects: check what worked and what didn't, and adapt the kit.
For example, if you are going to try to penetrate a network and need more than one computer, bring along several Ethernet cables and a small switch; that way you can extend a wireless access point or a wall jack you found. Remember Rule 16: the target dictates the weapon, and the weapon dictates movement. Get the right tools for the job.
Try to get a backpack with all you need, but try to blend in (see below). Do not bring a large duffel bag or a brightly coloured backpack, for example; you'll stick out. If you have too much gear, grab the gear you will need for the day and leave everything else behind at the hotel or safehouse. If you are in a bar frequented by college students, get a small hiking pack or something similar. Blend in.
Bring backup gear. Two is one and one is none.
One of the most important things is to blend in with your environment. Adapt to whatever environment you are in. If you are in a cafe, buy a coffee, grab a newspaper, and alternate between the computer and the newspaper. If you are in a park using an open wireless network, move to different locations inside the park. Observe what people are doing where you are and mimic what they do. But don't forget to Red Team this: if you were performing recon on this place, where would be the best spot? Is there anyone there already? Is there anyone observing you?
Blending in lets you remain anonymous and not draw attention to yourself. Be the gray man.
The recon you performed prior to the project should also provide information about this. For example, if you go to a cafe where most people are executives from companies around the cafe, and all wear suits and ties, do not arrive wearing a Hawaiian shirt. You don't have to wear a suit, but wear business casual attire at least.
Blending in also means keeping your footprint as small as possible. If you are sitting in a cafe or the reception area of a company, do not bring out the laptop, tablet, network switch, three external hard drives, a collection of USB drives, etc. That will make you noticeable. Instead, use longer cables and leave everything hidden inside the backpack. Only the laptop and the occasional portable hard drive will be on the table or your lap. If you are wardriving on foot, do not have the antenna visible; hide it with the rest inside the pack. If you want to scan an area, disable sleep on your laptop (including suspend on lid close), open your network stumbler and set it to log everything to disk, close the lid and stash the running laptop and stumbler in your backpack. Then just walk. No one will pay attention and you'll have a neat log of all the networks around you. Be smart. Learn from your environment.
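A minimal version of that "log everything to disk" stumbler, added here as an example and not the author's tooling: it parses the text output of the Linux `iw dev <iface> scan` command, classifies each network from its capability and RSN/WPA blocks, and merges the result into a CSV log, so repeated scans during a walk accumulate into one list with best signal, first and last seen, and hit count per BSSID. The scan text below is constructed in the `iw` layout (a WPA2-PSK network, an open one, and a hidden WEP one); the log file name and field names are my choices. Producing a real scan needs root and a wireless interface, which is the piped form in the docstring; the sample runs offline.

```python
"""Survey logger for a walk-by scan (added example, not the author's code).
Real use:  iw dev wlan0 scan | python3 survey.py log.csv   (root, real interface)
"""
import csv
import os
import sys
import time

# Constructed sample in the layout of `iw dev wlan0 scan`: WPA2-PSK, open, hidden WEP.
SAMPLE_SCAN = (
    "BSS 00:11:22:33:44:55(on wlan0)\n"
    "\tfreq: 2412\n"
    "\tcapability: ESS Privacy ShortSlotTime (0x0411)\n"
    "\tsignal: -45.00 dBm\n"
    "\tSSID: Corp-Guest\n"
    "\tRSN:\t * Version: 1\n"
    "\t\t * Group cipher: CCMP\n"
    "\t\t * Pairwise ciphers: CCMP\n"
    "\t\t * Authentication suites: PSK\n"
    "BSS 66:77:88:99:aa:bb(on wlan0)\n"
    "\tfreq: 2437\n"
    "\tcapability: ESS ShortSlotTime (0x0401)\n"
    "\tsignal: -71.00 dBm\n"
    "\tSSID: Cafe_Free_WiFi\n"
    "BSS cc:dd:ee:ff:00:11(on wlan0)\n"
    "\tfreq: 5180\n"
    "\tcapability: ESS Privacy (0x0011)\n"
    "\tsignal: -60.00 dBm\n"
    "\tSSID: \n"
)

FIELDS = ["bssid", "ssid", "freq", "security", "best_signal", "first_seen", "last_seen", "hits"]


def parse_iw_scan(text: str) -> list:
    """Turn `iw` scan text into one dict per BSS."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("BSS "):
            cur = {"bssid": raw[4:21].lower(), "ssid": "<hidden>", "freq": 0,
                   "signal": None, "privacy": False, "rsn": False, "wpa": False, "sae": False}
            nets.append(cur)
        elif cur is None:
            continue
        elif line.startswith("SSID:"):
            cur["ssid"] = line[5:].strip() or "<hidden>"
        elif line.startswith("freq:"):
            cur["freq"] = int(float(line.split()[1]))
        elif line.startswith("signal:"):
            cur["signal"] = float(line.split()[1])
        elif line.startswith("capability:"):
            cur["privacy"] = "Privacy" in line.split()   # Privacy bit set: some encryption
        elif line.startswith("RSN:"):
            cur["rsn"] = True
        elif line.startswith("WPA:"):
            cur["wpa"] = True
        elif line.startswith("* Authentication suites:") and "SAE" in line:
            cur["sae"] = True
    return nets


def classify(net: dict) -> str:
    """RSN block = WPA2 (SAE suite = WPA3), WPA block = WPA, Privacy alone = WEP, else open."""
    if net["rsn"]:
        return "WPA3" if net["sae"] else "WPA2"
    if net["wpa"]:
        return "WPA"
    return "WEP" if net["privacy"] else "OPEN"


def update_log(path: str, nets: list, now: str = "") -> dict:
    """Merge a scan into the CSV log keyed by BSSID; returns the merged rows."""
    now = now or time.strftime("%Y-%m-%dT%H:%M:%S")
    rows = {}
    if os.path.exists(path):
        with open(path, newline="") as f:
            rows = {r["bssid"]: r for r in csv.DictReader(f)}
    for n in nets:
        sig = n["signal"] if n["signal"] is not None else -100.0
        r = rows.get(n["bssid"])
        if r is None:
            rows[n["bssid"]] = {"bssid": n["bssid"], "ssid": n["ssid"], "freq": str(n["freq"]),
                                "security": classify(n), "best_signal": f"{sig:.1f}",
                                "first_seen": now, "last_seen": now, "hits": "1"}
        else:
            r["best_signal"] = f"{max(float(r['best_signal']), sig):.1f}"
            r["last_seen"] = now
            r["hits"] = str(int(r["hits"]) + 1)
    with open(path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        w.writeheader()
        for r in sorted(rows.values(), key=lambda r: float(r["best_signal"]), reverse=True):
            w.writerow(r)
    return rows


if __name__ == "__main__":
    text = SAMPLE_SCAN if sys.stdin.isatty() else sys.stdin.read()
    log_path = sys.argv[1] if len(sys.argv) > 1 else "survey.csv"
    for r in update_log(log_path, parse_iw_scan(text)).values():
        print(f"{r['bssid']}  {r['security']:5} {r['best_signal']:>6} dBm  {r['ssid']}")
```

Run it from cron or a loop every few seconds while you walk and the log becomes the map for the next day: the "best_signal" column tells you from which stop each network was usable, and "hits" separates a fixed access point from a phone hotspot that happened to pass you.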
Another thing is the need to move. Don't stay too long in one spot; people might notice you. In a coffee place, don't stay longer than 40-60 minutes. During the recon of the area, prepare a map with all the different locations where there are wireless signals, for example, or where there is a good view of the target. Have that list memorized and move around the different points randomly, or as the target dictates. Remember to Red Team this, and run surveillance detection routes (SDRs) between points. At each point, blend in.
Try to randomize the locations you use and do not use the same location two days in a row. By doing this you avoid people noticing and remembering you. You want to fly under the radar. Moving helps. In order to move you have to be light, so prepare your gear accordingly.
Always test your gear and software as if it were the actual project. More often than not you'll find what works and what doesn't. Red Team your plan. Testing avoids nasty surprises, from software and driver incompatibilities to hardware that needs to be replaced. Test your gear and bring batteries! Replace ALL batteries prior to the actual run. Mr. Murphy is always at your side. Plan for this.
Rule 4: Always have a backup plan.
Sometimes what you think is going to happen, doesn’t. That wireless signal you found during the recon and spent 4 hours breaking in? Gone. The owner went on vacation and powered off the device. Have a backup plan. Move to the next location.
Everything you prepare for the project, from travel methods to the gear used, must have a contingency plan as well. We found ourselves many times in situations where the train didn't run or the hardware stopped working. We immediately adapted. Failing your project because you were not prepared is not an option.
Rule 1: Always have an escape plan.
This applies to projects where you are providing your services to track criminals, for example, or you are supporting the military. You don't know how these people will react if you are made, so plan accordingly.
Always know the best way to exit your location and escape. If you need to evade the security guards of your customer, know the exits, which one leads where, and which one is the best to reach the street. When you recon the area and the different locations, take note of staircases, doors, cameras, one-way streets and shopping malls. Shopping malls are a great place to disappear. Stash gear in different locations. If you find yourself in need of running, leave everything behind and grab the gear from the next stash point. The disk on the laptop should be encrypted, so an abandoned machine costs you hardware, not data. Keep in mind that this only holds once the machine is off; a laptop left running and unlocked is an open disk, so shut it down or pull the power the moment you decide to run.
Rule 1 is followed closely by Rule 5: Never get caught.
I hope this made sense to you and that it will help with the preparation and execution of your next digital operation.
Remember the 7 Ps:
Proper Planning and Preparation Prevents Piss Poor Performance.