Marketing Guerrilla

This is a different approach to the Red Team Mindset. Written by "Jon" a Senior Brand Strategist and Planner in the Boston area, this post presents another side of the Guerrilla Red Team.

To be clear, I’m not a Red Teamer. I’ve never been contracted to security test a facility, office, or database. But, everyday I go to work, I red team. It’s absolutely integral to what I do and I make my teammates read the Red Teams book. I don’t hack systems or facilities, but I hack people everyday. I’m a marketing strategist by trade.

At first glance, marketing and red teaming might seem worlds away from each other, but the mindset often mirrors each other. As a marketing strategist, my job is to fully understand the brand, category, and consumer for any client that I work with. My team fully immerses ourselves into qualitative and quantitative research around these three verticals. With the goal being to drill down to the core strengths, weaknesses, and unique attributes of the client and the consumer and find the overlaps between the two.

To do this we gather industry research, interview stakeholders and customers, survey consumers, and review the competitive landscape. This is our version of reconnaissance. After we’ve gathered all of this data we start analyzing. Trying to see the whole picture that those verticals create, find the themes that run through them, and begin identifying voids in the market or in the way the marketing has been done. After full analyzing the research we’ve collected we poke holes wherever we can, getting input not only from our teammates, but other coworkers to see what holds water and what leaks like a sieve. Once we’ve found the insights that hold a truth for the brand and consumer it’s time to develop the strategy that will drive the rest of the project. It needs to not only synthesize what we learned, but communicate it in actionable way for all the departments to act in unison on the strategy. This is our marketing equivalent of the mission plan. Then it’s time to execute. For us this can mean coming up with a marketing campaign, launching a product, or rebranding a company.

Throughout the entire process, the strategy team is representing the consumer of whichever company we’re working with. We put ourselves in their mindset to see how they might interpret what we create, or how they see our client. Everything we do is put through this lens. It’s seeing the business world through an adversarial mindset. When we fail to do so, we usually fail at our project. It’s a harsh reality of failing to consider a problem from the unexpected angles. You try not to learn it more than you have to, but a reminder failure often sneaks in when we become complacent or overly confident.

Red Teaming to me is a mindset. It’s a willingness to think about things in a different way, in a way that might not align with your own opinion and ideas, but in the end only makes a plan stronger or proves you need a new plan. I’m a marketing red teamer.

Use a Plan and ACE it - how to evolve situational awareness

This story was submitted by a german Air Force officer with a large scale of Force Protection experience resulting from the German engagements in Asian and African missions and multinational (NATO) deployments in Afghanistan and the Balkan’s.

When I was deployed the last time to AFG (ISAF) as the Force Protection Commander of Mazar-e Sharif airfield I deployed with the question: “what will be the improvement in the villages around the airfield in the last two years, as I left MeS airfield?”. The two JOC battle captains tried hard to explain me the so-called progress, but I can´t notice a big step. What I really missed in this moment was a clear statement of the overall situation of the afghan villagers (in the sense of: religion, schools, who is the major, who is the political leader, where do they live from, what kind of military and police units are responsible …) and their main problems. Additionally I asked the question, why in some parts of our AOR (20 clicks x 25 clicks) the threat level is so enormously high with IED attacks and in other parts not mentionable and where we are invited to marriages.

So I established a responsibility for each of my patrol leaders to take care (in every means) of one AFG village. Usually they are NCO´s and they stay for four until six months in AFG and spent their time with patrolling the fields for 80 % of their deployment time - heading back after one year. We created a village folder and used different layers on a map for the different aspects.

What I tried to do is, establish a pattern baseline around the base, with clear responsibilities, a information line structure, a patrol report memory and a map of non- and governmental, religious and military authorities etc. in our area of interest.

On the other hand, me and a small team of experts taught them, how to read or detect minor changes in the environment to prevent attacks when engaging the danger zone and I ordered the battle captains to make use of a Red Team for the patrol and sweep plans. This Red Team consists of Norwegians, Swedish, German SOF and intel soldiers and an afghan born but german airforce infantry man. The first patrol and sweep plans were changed in average three times until we could say: its sounds like a plan. What I learned quickly, was, that this plan has to have an Alternate plan, a Contingency plan and an Evacuating plan. The assessment of the Red Team and the learning process was outstanding. As time goes by, we were able to establish a baseline security “feeling” and measure it by using a five scale area accessibility (situation controllable/yet/ prevalent/ not prevalent/ not controllable).

Some months later two of my platoons were attacked 10 clicks far of our base in the danger zone by a small Taliban commando about 330 yards in front of a village. After responding fire the patrol leader decided to follow them and catch them quickly by sweeping the village. He wanted to surround the village as soon as possible with a diminished platoon and send the other one -supported by cover fire and sharpshooters- for the sweep (one of the main tasks for experienced infantry). The patrol leader has got his ok from me and they started with a quick survey of the baseline.

What they found out, was that the all-the-time-present shepherd’s and the birds weren’t there, they heard some barking dogs in the surrounding area and some of the villagers flee south. So the patrol leader decided to use a handheld UAV to have a look into the village (and the cover fire positions on higher hill tops). To cut a long story short: the cover fire positions were manned by enemy forces, the village was prepared for a deadly U form ambush by roundabout 35 bad guys with RPG´s and some of them were waiting as a reserve some 100 yards east with the typical with-yellow Toyota Jeeps or cabs. As I was sitting in my TOC and looking surprised at the transmission of this live stream, I realized that they have learned our tactics very well. The patrol leader decided to ask for urgent CAS on the positions of the hills and their reserve force. Finally he marks his position with green fog and changed his plan to the Evacuating plan. He used the time frame of the CAS attack to regroup, to cordon the area and to reinforce with the reserve infantry unit using his Contingency plan. They caught 7 wounded and 15 suspects which was a great day for the boys.

  • Use a plan and ACE it
  • Focus on your aim, but don´t let yourself be attracted by quick wins or red herrings
  • Use your ACE to win the game
  • Reflect the after action with the (team) leaders
  • Change your habits (tactics)
  • Look at the baseline and evolve your situational awareness

A couple of stories

This post was sent by Neal Bridges, he is a contributing editor at the Red Team Journal.

RTJ Red Team Law #51 (“The Obvious”): Sometimes your red team will execute what you think is an ingenious attack and borderline impossible. It must not be too impossible if they were able to pull it off.

I want to tell you a couple of stories. These stories come from real penetration tests that I have executed in the first half of 2015, but they will share a common theme. The names of the companies have been changed to protect the innocent.

In March of 2015, we began an engagement for a very large collections company. They were the second largest in the state and were in possession of over eight million unique pieces of credit card information, and twice as much personal information including social security numbers, names, addresses and phone numbers. They had hired us to come in and do an engagement in preparation for a compliance inspection. We performed open source intelligence (OSINT), we targeted their personnel, we reviewed as much of the physical areas that we could from the internet, and we attempted to attack from the outside. Not surprisingly, their external was relatively secure. This, of course, meant that we had to go to their physical location.

Upon arriving at the client’s location, we noticed a very prominent back door. We would later learn that this was the back door to the break room, near the rear of the building. After examining the habits of the individuals entering and exiting the building we decided that was our way into the facility. We had taken a thumb drive and programmed it in such a way that the computer would recognize it as a human interface device (i.e. keyboard or mouse) instead of a thumb drive. We labeled it as "Pay adjustments and layoffs" and placed it in their break area. As expected, we were successful in gaining access to their networks.

Upon talking to the leadership of the organization, we were discussing the merits of the attack vector. When we explained to the client that this attack vector was not what we would have done, it sparked a conversation that the client would not soon forget.

Client: Well, why didn't you do the attack you wanted to do?
Us: We didn't have the funds.
Client: was expensive?
Us: In a way. When we observed the individuals coming in and out of your break room, and combined it with what we knew about your organization, we wanted to do something a bit
Client: How so?
Us: Well, when we researched your organization, none of your employees had a LinkedIn profile claiming to work for your organization. We interpreted that to mean no one was proud to be working here enough to brag about it as a career path. When we arrived on site and started to observe your people we noticed that most of the folks were very casually dressed. On their breaks, they would check their phones or go to their cars. We profiled them as being run-of-the-mill overhead and presumed that most would be around the minimum wage market, if not much above that.
Client: Wow - so far you are about spot on. However, what does that have to do with your attack?
Us: Well, put yourself in my shoes. I am a Russian hacker. I make my living hacking and selling credit cards on the black market where I have a 1,425% return on investment. What if I profiled the single mom or dad who is trying to make a living for their family? The one who does not really hang out with the group. What if I offered that individual $1000 to plug this thumb drive into their computer? How many of your employees would turn down $1000?

The blood drained from my clients faces. They had never considered their employees were an attack surface in that way.

The next story involved a large healthcare organization in the Midwest. Our process was the same as the previous story. In this scenario, however, I noticed that there was a hotel less than a quarter of a mile from the client's data center. In addition to that, I could use "Street View" on Google Maps to see that it was pretty much an unobstructed line of sight to their building. With this being the case, I procured a two-foot Yagi directional antenna ahead of flying to the customer’s site.

Upon arriving at my hotel, I applied a little social engineering (I asked nicely) and was able to obtain a room on the side of the building directly facing my target. I proceeded to the client’s site, where I walked into their data center without confrontation and wandered my way around to the corner that faced my hotel. It happened to be in a massive training room, with numerous connected computers. I unplugged one of them and plugged in my wireless access point. Later that night, in my hotel room, I successfully connected to my Wi-Fi access point with my Yagi directional antenna and subsequently accessed their internal network.

The next day I spoke with the leadership of the organization. I showed them pictures of the setup and the view of their building from my hotel room. I showed them the path I took into their facility and explained that no one had challenged me. I showed them how I hid my access point. Ironically enough, they had a meeting in there sometime after I executed my attack and no one noticed my equipment. Their response and I quote was "W-O-W".

So with those two stories, I present to you Red Team Rule #51. Your adversary has the benefit of looking at your organizational defenses and asking itself "how can we defeat these". You don’t have the luxury of money, time, or personnel to look at their attacks and ask yourself, "how can we defend against these". The red teamer will always just come up with something else.

The Red Teamer Sniper

This was sent by SL. He is a retired Army sniper with 4 deployments to AFG.

The last time you guys were around, I remember sitting in the intel shop and hearing you go through some ideas with G, the intel guy.
Some of the "bad guy" mentality concepts really resonated with me, being a sniper.

Snipers typically have a closer, more reach-out-and-touch connection with their targets than, say, a fighter pilot. Snipers are trained to undertake different types of missions, of which stalking and ultimately killing a target is one of them. Sometimes you really need to study your enemy and apply that "bad guy" mentality idea you were talking about. Being so connected with the target creates a much closer human connection than in any other part of the armed forces. Being able to understand what the targets do, and why, is a very different experience, leading to better kill or don’t-kill choices. Yes, I think understanding the enemy in that unique way a red team is trying to, would be very beneficial to snipers. There are a great many variables that need to be taken into account before you decide to squeeze the trigger. That's for sure.

But I think the other types of missions are the ones that would benefit the most from this type of mentality. Snipers are also trained as reconnaissance assets for the units their are attached to. So we essentially could sneak in, observe the enemy and report back, unnoticed. Snipers also receive training in counter-sniper operations. Those are the scariest ones, in my opinion. You are going against another sniper, another person that is supposedly trained like you.
In the reconnaissance operations it is very clear why the "bad guy" meltality could be useful. It helps understand the enemy and ultimately we can report back to the chain also our assessment of the situation. A useful thing to have. However, it is during the counter-sniper operations that I think this kind of mentality is crucial.

You learn to develop the ability to locate enemy snipers and threats on your area of operations. We must be able to imagine what the other sniper would do, get into position and think like the enemy, like the bad guy. We work sometimes with some of the soldiers, in the units we are attached to, to pay attention to small details and track a target. Nothing goes unnoticed. Imagine now if you were trained to think like the enemy. Try to think one or two steps ahead and see what he would possibly do. It's a dangeroud game, but you can help save lives.

All this really got me fired-up. And after you guys presented the findings, I convinced the Captain to let the sniper team train and form its own red team when we rotated back. We have been doing this for the past few months. It's challenging and frustrating, but we have a lot of patience and it's already showing some good.

The red team mentality, or ideas, is a valuable tool to have.

Take care and come visit when you are around.

Act II: What Harm Can Come Of A Little Classroom Activity...

Act II by ZN

A couple of years ago, I was tasked with bringing redteaming to the classroom*. A fun activity (all legal) to help students understand how theory is put into practice, which in turn we develop new theories to put into practice. In the course we had done extensive reading on topics like, media concentration, privacy & phonetic urges, and a personal favorite, geodemography (Wikipedia is a good starting point and David Lyon if you want to get complicated).

I had first tasked the students to organize themselves by skill sets, derived from their understanding and favorite RT rules. They came up with cute names like TeamAmerica, TeamGotcha, Teammyopsarebetterthanyourops, and TeamChair (they happen to love Rule 62) and even took to occasionally carrying one they decorated around campus (not subtle, but cute). For the most part, students were in full team mode and weren’t sharing anything with anyone or me unless they had successfully completed tasks. Assuming this might happen, I had implanted into these groups several course members who had also served in the military, so teams thought these individuals were their ringers, when in fact they were moles regularly sending me updates via coordinated dead drops (campus by this point thought we were setting up GeoCaches, so particular types of objects hidden in bushes didn’t seem that odd), had provided backdoors to their teams FB groups, or acted as double-agents to prevent groups from completing tasks in a timely manner.

All groups were then tasked with completing four (4) objectives that had to be completed in order each task took 1 day, to complete all tasks took a full academic week or 4 days:

  1. Scope out the AO with official college logo (22 possibilities), get picture taken with at least 2 group members with the logo without being seen by other teams. Any photos with your team and the symbol turned in by other teams negate your submission.
  2. Go to local food establishment and get following info about 3 employees: Name, Favorite Menu Item, and Physical Description. Bonus points if you can social engineer your way to a meal.
  3. Learn about the institution’s security protocols. Who worked where, if there was an observable daily patrol, and specific jobs they have.
  4. Without B&E, using social engineering, get someone to let you into a designated space and remove an item proving violation of space.

Now, tasks 1 and 2 were pretty straightforward with very little issue or institutional risk, but tasks 3 and 4, the manner in which these mildly organized groups of students had accomplished, interpreted the rules, and frankly, had unintentionally (had they been actual bad-people, it could’ve been worse), showed the overarching complacency in a post-Virginia Tech (2007), NIU (2008), UofT, Austin (2010) world. Collectively, they threw the institution into a security panic and caused turnover of security protocols ALL in less then 48hrs. by students just acting like students. I was a very proud, but scared teacher that day!

You might be wondering what could cause such chaos? In task 3 (all groups just watched and were able to turn-in walking pattern maps of how institution security walked the campus, down to the minute. There were a couple of normal health issues that required police and fire department to be called and even noticed a pattern in how then security moved around the campus, they included that in their reports also. There was no sharing amongst the groups and their approaches to the task differed. That was cool, but here is where it gets interesting. One group brought me privately, the CONFIDENTIAL emergency protocol handbook for when things go south for real. I’m not allowed to say how she procured it, but I can share that those protocols have now been changed and require a different kind of access to even read them now.

Now the fun of task 4, one group decided to engage custodial services. The institution told them officially that they couldn’t let them into the designated space directly; they convinced the janitor of that area to let them climb into the rolling trashcan and get wheeled into the space while the janitor was emptying out the trash in that AO. Janitor made it clear that he could not know if someone was in the can or not, so the students spent the next 2 days weighing down the trash can so that the janitor wouldn’t know the difference if a person & item was in the can or not. Personally, I think it was nice of the janitor to play along and being former military he expressed joy in seeing the student’s being creative and trying to sneak around. The group had completed the task successfully by removing a 2ft tall statue and their sheer creativity won them the event (voted on by their classmates).

All in all, it was a good semester, the student’s learned valuable lessons, the dean’s asked me to lay down stricter ground rules (I don’t, it is the real world), and I now consult for the institution in an official/unofficial capacity.

So in conclusion, Rule 33, 79, and 89, until Act III…

*Name of institution and locations have been omitted per request

11 Year Old Red Teamer

This story was sent by Z, one of the Team's members. His son is older now, but this is what he did when he was 11.

When my son was 11 we lived in Europe. He used to take public transportation to go to school and soccer practice. We would give him money for the tickets and for snacks after practice.
One day he came to my wife and me and said he wated to buy a biology set. It was a very expensive set and we told him that he would have to wait until Christmas for it. He was mad. He wanted it right at that moment, not in December. Well, I told him that he needed to wait patiently.

3 weeks later he came with half the money for the set and he told me that he would pay for half. I was surprised, how did he get the moeney? Well, I asked...

So, apparently the machine that accepted the money for the public transport had a small flaw, my son found out about it after observing the people paying for the tickets in the automated machine, he mentioned that it was trivial to see where the fault was. He decided to exploit that vulnerability and save the money. For 3 weeks he essentially rode free and was able to save the money. He observed, he learned and he acted on what he learned.
While I was proud of him for thinking outside the box, I was not proud of what he did, he cheated the public system and that's not good. So, I told him that the next day he was going to have to talk to the driver, explain what he did and return ALL the money. I would pay for the set, in full.

Man, that boy is something.

Act I: You Think You Know Me, I Probably Wear A Mask

This was sent by ZN. He is a journalist and professor who focuses on identity, authenticity, and the power of routine relationships (ethnomethodology, if you want to get geeky as he puts it). His Guerilla Red Team Story is different, he and his students routinely play with the Red Team Mindset and interesting things happen. This is Part 1 of 3. An intro.

Act I: You Think You Know Me, I Probably Wear A Mask

Hi, before I get into my adventures, I thought I’d write a first piece as a bit of an introduction, a voice, or perspective of a Guerrilla RedTeamer, that is often overlooked (thankfully) in the often echo-chambered media world we live in. Publicly, I’m a professor. A dismissive identity by media standards, but what I really am is a filter creator, someone who focuses on human communication, relationships, identity, technology, popular culture, and most recently veteran affairs. Social engineering is one of the many tools I experiment with along with colleagues as we try to figure out how people construct their perceptions and expectations. I spend quite a bit of time exploring how people share their understandings and are part of a “community.” I’ve consulted with various city/state agencies and advocacy groups globally and will share some of the stories that I can.

As I write this, I’m sitting behind the relative safety of a desk, in an office, and many of my colleagues don’t know how to read the subtext of what I do beyond the classroom, nor do I try to explain (the words are often lost between simple constructs of right/wrong, moral/immoral, liberal/conservative, etc.), and even then it’s a story to manage communication with them and my identity. In my office sit four bags packed (based on things I’ve read on the RT site) to be faster/better and to roll at a moments notice if a client calls, the windows written on with dry-erase ideas to test in the field or a current project, and most importantly, artifacts to support the perception of a stable identity.

It is from a strange position that I write about both fascinating and awful phenomenon. I never thought of myself as a “redteamer,” as I don’t have formal military training, but do have formal education and access to fieldwork, research tools, and ability to conduct/construct human experiments (I'll share those soon). Like many of you readers, I’ve read many of the books listed on the bookshelf link by U., along with 15 years of experience experimenting with the ideas from my own discipline, and like the masks that are strategically placed around my office as mementos of my adventures (all with two stories), or the RT rules I sneak into my syllabi for my students enjoyment, which also serve as a constant reminder on how to stay vigilant, or the overt public persona that transverses digital media that is not in your face, but is there so that you will consume the mask I want you to “friend,” “like,” or “follow.” That’s what people think I do, “read, think, break, teach, write, and repeat;” however, to take a kind of ownership, what I am is a “redteamer.” The list is actually quite simpler, “break, fix, break, fix, repeat,” but with people and the breaking and fixing is nuanced. You, as a reader of this site, are drawn to our stories, ideas, gear, and whatnot, so that you too can learn and do. We live in a very complicated world that is often overly simplified through media use. Some redteamers, put their bodies on the line and that is their burden they have chosen to carry. Others, like myself, put our minds on the line, mental vaults holding secrets, attempting to understand the human condition, but not in some psychobabble sense, but how people communicate with one another. How to manipulate, shift, pivot, or change those processes toward a communicative end; human communication is an inherently selfish act and in my world, Rule 63 is our starting point...

Ongoing Process

This was sent by OSCAR. He is a retired Army MP now working as a Security Director for a large corporation. He runs their Blue and Red Teams, as well their CERT.

One of the first things I did when I was told we were hiring you to redteam us, was to create a red team of our own and embed it with you. The idea, as you know, was that we wanted to have a team of that could continuously red team the company, from simple and random social engineering attacks, to more complex, all-in penetration attempts. It took me a while to convince my boss, the CISO, but we did it. On that first engagement with you, the small red team we put together learned a lot. This is what we did a few months after you guys tested us.

Like I mentioned, we wanted to have our red team engage us constantly, testing not only the current security plans/measures but also see the reactions of the blue team and our group of capable CERT.
During the mid-year company assessment, where we review earnings, product stock, new customer needs and other things, I asked the red team to begin analyzing how we handle the customer support. This is a crucial part of the public face of our company and we wanted to be sure that no "bad guy" could hit us there. The team spent several days going over the different procedures: things like how to authenticate an actual customer, or what information can be disclosed over the phone and what's off limits. They reviewed every little procedure and they learned to be customer support representatives. And then it began.

Over the period of 4 months, and at random intervals, the team would pretend to be an old or new customer. Their target was to extract personal information about "themselves" from the customer support representative. They played all the weaknesses they found on the procedures and, without going into details, they successfully extrated personal information about our customers in over 75% of the tests. it was magnificent to see this!

Needless to say, these on-going tests, still being performed today, helped us pinpoint the weaknesses in our procedures and we had now fixed them.

Stability Operations and Getting in their Minds

This was sent by KL. He was a Army Special Forces member in charge on helping fight the Taliban in Afghanistan.

A couple of years ago my team and a group of locals were tasked with what was then known as stability operations. The Taliban was supposedly gone, but we all knew they were still hiding among the villagers.
While the officers and interpreters were working with the different villages' elders, we were trying to figure out a good way to make the bad guys stick out. Just to make them come out so we could take care of them.

At that time we were working closely with our Red Team, a group of former SF guys that had also some civilians attached. They were helping us polish the plan and provided a very good analysis of what they were seeing on each village after the visits.
One of these guys attached to the Red Team, one of your guys, had this ingenious idea to draw the bad guys out. He proposed that some of smaller people in the our team or some of the locals dress with full-on burkas and that they walk without a male escort in the streets of each village. This would, hopefully, make the Taliban guys mad and they would try to stop the women.
At first, it sounded like a stupid idea. What if the villagers came out and stopped the women? That didn't mean they were Taliban. But, after giving this some thought we all began seeing the logic behind this and agreed to try it.

We agreed to try this on villages were we suspected the bad guys were hiding. And then it happened. The first village was a no-go, the villagers were outraged about a single woman walking alone in the street, but they came to us to go ask her to go back to her husband, we said no and they just approached the woman and began screaming at her (him), but nothing else happened. The second and third villages, however... It worked.
When the villagers came to ask us to make that woman go back to her husband and we said no, well, a few guys just went ballistic and they even brought out some rifles, screaming about the dangers of women and blah blah... We grabbed them right there.

80% of the people we grabbed turned out to be bad guys. The villagers were really happy to have them out of their villages and we were happy to have them, period.

It was good thinking.

Introducing the new Red Teaming community

Last week we introduced the Red Teaming Community idea. The basic idea is to have an organization composed of Red Teamers - ranging from civilians to military and everything in between - that would work toward promoting the need for Red Teaming in today's world. However, this community would also have a secondary purpose, one we think is very important: The members of this community will provide other members with Red Teaming and related help when the need arises.

We asked many of the people that already sent stories and they are all in.

But we want to keep this within the family, so we are in the process of making a simple calling card, high quality, that will be given to each person that send a story to the Guerrilla Red Team. This card will be his membership and if he or she needs helps, he just need to show this and the rest will follow.

We have been working with many readers on a possible logo for this card, and after a few possible options, here's the logo that is being printed:


Created by DG, a long time reader. He has been extremely patience with all of us and he managed to grab all the comments (mine and the Team's) and get a simple logo that was based also on the Oni idea, similar to the Red Teams logo, but with some elements of a Tengu (as suggested by another reader, CCh).

Thank you DG (and CCh for the extra info)!

Personally, I think the card will look really good.

The hidden fault

This post was sent my Friedrich. He was an officer on one of our allies' special operation forces.


A few years back, we were deployed together with the Americans. Word came down the chain of command about insurgents in an area that has previously been cleared and a new plan of action was needed to help bring quiet to that area again. We were told to make a plan and show it to the Americans. We needed to work together in this and their commaning officer had control.
After a few days of working together with the senior enlisted men, the intel officers and some local assets, we had something we thought was a good plan. Not too complicated but called for the different parts to work simultaneously in the different AOs.
We prepared the Powerpoint and our senior enlisted guy and I went to present it to the Americans. The first thing they asked us was whether we ran this by the Red Team. So, I asked: what Red Team?
Well, it turned out that a civilian Red Team was contracted to help with some planning for the Americans and they (the Americans) like the way the plans and tactics were attacked by this Red Team, so they wanted our plan to be tested too.
I said OK and I went looking for this Red Team. They were located on a tent next to the intel shop. Their TOC was simple but very busy. I introduced myself and the guy running the Red Team introduced himself and the team to me. We sat and for the next 2 days we worked together on the plan. They would "attack it" and we would provide a better solution. They would talk about an alternative method to certain pieces of the plan that made a lot of sense, so in those cases we combined their ideas with ours.
After 48 hours, I have to admit the plan looked very good. They showed us possible problems that we didn't account for, hidden faults that needed to be extracted. But not in a negative way, no. You could see that they were trying really hard to see this from the side of the insurgents, and well, actually from all sides. Even our own side was going to have problems (mostly on the chain of command comms) if parts of the plan were not clarified better.
Overall we were very impressed, and after the rotation was over I discussed this with my commanding officer. I am happy to say that a Red Team is part of our planning too now.


Alright, I think we have a few stories that have been sanitized enough to be posted. They'll start coming in the next couple of days.

In the meantime I wanted to write about a small idea that has been circulating in the Team War Room for a while: a Red Teaming Community. The idea is to have an organization composed of Red Teamers (from different parts of life) that would work toward promoting the need for Red Teaming across the board, and would help its members when they need Red Teaming services or related help. The idea is that if any of the community's members across needs consulting help about a subject, hands-on experience or any other form of help a member of the community will try to help when possible.

How would you become a member of this community? Every person that sends a story to the Guerilla Red Team section, will get a special card we are crafting. This card will make that person or organization a member of the community. The cards will anonymous and will need to be presented when help is needed.

The aim here is twofold:

  • Have a community of Red Teamers that would spread the need for Red Teaming, and
  • Have a community of members that help each other, making Red Teaming better.

We all learn and benefit from this.


A time to Red Team

Note: I wanted the first post on this section of the blog to be by Dr. Mark Mateski, founder and editor of The Red Team Journal. He is a person and a professional I respect and his Red Teaming mindset is always on target. His story shows the need for Red Teaming. The posts coming after this one, in a few days, will all show why Red Teaming is so important. Thank you Mark for the story you are sharing.

Dr. Mark Mateski:

I’m notorious among my colleagues for not sharing red teaming stories due to OPSEC concerns, but I am willing to describe one of the first times the need for systematic red teaming struck me. Out team had run dozens of analytical events for a client when they asked us to compile a list of lessons learned. I remember sitting in a conference room as we assembled for what I anticipated to be a very interesting session. It was a worthy effort, but I was disappointed as the lessons gradually emerged. Time has passed, but I can’t recall any lessons regarding our make-believe REDs. (I use “RED” to denote a notional adversary.) I do remember thinking that we could have handled the RED side of things in a much more interesting and systematic way. This was post-Desert Storm, by the way, so the culture was a bit smug.

I was a very junior analyst then, so I didn’t have much voice. That fact was reinforced a bit later when I was sitting in a different conference room with a group of senior decision makers, one of whom was well known and widely respected. Once again, the RED perspective was overlooked. I got up the nerve during lunch to ask whether a clever RED could hurt us by doing something cheap but unexpected. The response was a hearty round of jibes and chuckles. It was pre-9/11, but even then I was surprised by the lack of respect for RED. I’d like to say that I vowed then and there to promote superior red teaming henceforth and forever, but it was simply another seed planted for future recall.

Introducing Guerrilla Red Team

We are lucky to have met a lot of really cool people during the past few years. Special operations, law enforcement, blue teams, hackers, emergency response teams, and many more.
These guys have a lot of cool stories, some of them we were part of as well. And they want to tell those stories.

So, in a few days we'll be launching a new part of the blog that we began calling Guerrilla Red Team. The name, like most names, just came out during a discussion and well, it stuck.

This part of the blog will have stories from other red teamers, security teams, military units and law enforcement where either our Red Team was involved or the main story includes a Red Team or Red Teaming.

Now, we also want to hear from you. If you have a Red Teaming story, please send it. Please sanitize it, any OPSEC violation will trash the story. If you want to send along a picture with it, wait until we reply to you and attach it to the email.
What can you send? Any personal story recounting your Red Teaming experiences, or experiences with a Red Team.

So, while we compile some of the stories from our friends, send yours.