The Red Teamer Sniper

This was sent by SL. He is a retired Army sniper with 4 deployments to AFG.

The last time you guys were around, I remember sitting in the intel shop and hearing you go through some ideas with G, the intel guy.
Some of the "bad guy" mentality concepts really resonated with me, being a sniper.

Snipers typically have a closer, more reach-out-and-touch connection with their targets than, say, a fighter pilot. Snipers are trained to undertake different types of missions, of which stalking and ultimately killing a target is one of them. Sometimes you really need to study your enemy and apply that "bad guy" mentality idea you were talking about. Being so connected with the target creates a much closer human connection than in any other part of the armed forces. Being able to understand what the targets do, and why, is a very different experience, leading to better kill or don’t-kill choices. Yes, I think understanding the enemy in that unique way a red team is trying to, would be very beneficial to snipers. There are a great many variables that need to be taken into account before you decide to squeeze the trigger. That's for sure.

But I think the other types of missions are the ones that would benefit the most from this type of mentality. Snipers are also trained as reconnaissance assets for the units their are attached to. So we essentially could sneak in, observe the enemy and report back, unnoticed. Snipers also receive training in counter-sniper operations. Those are the scariest ones, in my opinion. You are going against another sniper, another person that is supposedly trained like you.
In the reconnaissance operations it is very clear why the "bad guy" meltality could be useful. It helps understand the enemy and ultimately we can report back to the chain also our assessment of the situation. A useful thing to have. However, it is during the counter-sniper operations that I think this kind of mentality is crucial.

You learn to develop the ability to locate enemy snipers and threats on your area of operations. We must be able to imagine what the other sniper would do, get into position and think like the enemy, like the bad guy. We work sometimes with some of the soldiers, in the units we are attached to, to pay attention to small details and track a target. Nothing goes unnoticed. Imagine now if you were trained to think like the enemy. Try to think one or two steps ahead and see what he would possibly do. It's a dangeroud game, but you can help save lives.

All this really got me fired-up. And after you guys presented the findings, I convinced the Captain to let the sniper team train and form its own red team when we rotated back. We have been doing this for the past few months. It's challenging and frustrating, but we have a lot of patience and it's already showing some good.

The red team mentality, or ideas, is a valuable tool to have.

Take care and come visit when you are around.

Act II: What Harm Can Come Of A Little Classroom Activity...

Act II by ZN

A couple of years ago, I was tasked with bringing redteaming to the classroom*. A fun activity (all legal) to help students understand how theory is put into practice, which in turn we develop new theories to put into practice. In the course we had done extensive reading on topics like, media concentration, privacy & phonetic urges, and a personal favorite, geodemography (Wikipedia is a good starting point and David Lyon if you want to get complicated).

I had first tasked the students to organize themselves by skill sets, derived from their understanding and favorite RT rules. They came up with cute names like TeamAmerica, TeamGotcha, Teammyopsarebetterthanyourops, and TeamChair (they happen to love Rule 62) and even took to occasionally carrying one they decorated around campus (not subtle, but cute). For the most part, students were in full team mode and weren’t sharing anything with anyone or me unless they had successfully completed tasks. Assuming this might happen, I had implanted into these groups several course members who had also served in the military, so teams thought these individuals were their ringers, when in fact they were moles regularly sending me updates via coordinated dead drops (campus by this point thought we were setting up GeoCaches, so particular types of objects hidden in bushes didn’t seem that odd), had provided backdoors to their teams FB groups, or acted as double-agents to prevent groups from completing tasks in a timely manner.

All groups were then tasked with completing four (4) objectives that had to be completed in order each task took 1 day, to complete all tasks took a full academic week or 4 days:

  1. Scope out the AO with official college logo (22 possibilities), get picture taken with at least 2 group members with the logo without being seen by other teams. Any photos with your team and the symbol turned in by other teams negate your submission.
  2. Go to local food establishment and get following info about 3 employees: Name, Favorite Menu Item, and Physical Description. Bonus points if you can social engineer your way to a meal.
  3. Learn about the institution’s security protocols. Who worked where, if there was an observable daily patrol, and specific jobs they have.
  4. Without B&E, using social engineering, get someone to let you into a designated space and remove an item proving violation of space.

Now, tasks 1 and 2 were pretty straightforward with very little issue or institutional risk, but tasks 3 and 4, the manner in which these mildly organized groups of students had accomplished, interpreted the rules, and frankly, had unintentionally (had they been actual bad-people, it could’ve been worse), showed the overarching complacency in a post-Virginia Tech (2007), NIU (2008), UofT, Austin (2010) world. Collectively, they threw the institution into a security panic and caused turnover of security protocols ALL in less then 48hrs. by students just acting like students. I was a very proud, but scared teacher that day!

You might be wondering what could cause such chaos? In task 3 (all groups just watched and were able to turn-in walking pattern maps of how institution security walked the campus, down to the minute. There were a couple of normal health issues that required police and fire department to be called and even noticed a pattern in how then security moved around the campus, they included that in their reports also. There was no sharing amongst the groups and their approaches to the task differed. That was cool, but here is where it gets interesting. One group brought me privately, the CONFIDENTIAL emergency protocol handbook for when things go south for real. I’m not allowed to say how she procured it, but I can share that those protocols have now been changed and require a different kind of access to even read them now.

Now the fun of task 4, one group decided to engage custodial services. The institution told them officially that they couldn’t let them into the designated space directly; they convinced the janitor of that area to let them climb into the rolling trashcan and get wheeled into the space while the janitor was emptying out the trash in that AO. Janitor made it clear that he could not know if someone was in the can or not, so the students spent the next 2 days weighing down the trash can so that the janitor wouldn’t know the difference if a person & item was in the can or not. Personally, I think it was nice of the janitor to play along and being former military he expressed joy in seeing the student’s being creative and trying to sneak around. The group had completed the task successfully by removing a 2ft tall statue and their sheer creativity won them the event (voted on by their classmates).

All in all, it was a good semester, the student’s learned valuable lessons, the dean’s asked me to lay down stricter ground rules (I don’t, it is the real world), and I now consult for the institution in an official/unofficial capacity.

So in conclusion, Rule 33, 79, and 89, until Act III…

*Name of institution and locations have been omitted per request

11 Year Old Red Teamer

This story was sent by Z, one of the Team's members. His son is older now, but this is what he did when he was 11.

When my son was 11 we lived in Europe. He used to take public transportation to go to school and soccer practice. We would give him money for the tickets and for snacks after practice.
One day he came to my wife and me and said he wated to buy a biology set. It was a very expensive set and we told him that he would have to wait until Christmas for it. He was mad. He wanted it right at that moment, not in December. Well, I told him that he needed to wait patiently.

3 weeks later he came with half the money for the set and he told me that he would pay for half. I was surprised, how did he get the moeney? Well, I asked...

So, apparently the machine that accepted the money for the public transport had a small flaw, my son found out about it after observing the people paying for the tickets in the automated machine, he mentioned that it was trivial to see where the fault was. He decided to exploit that vulnerability and save the money. For 3 weeks he essentially rode free and was able to save the money. He observed, he learned and he acted on what he learned.
While I was proud of him for thinking outside the box, I was not proud of what he did, he cheated the public system and that's not good. So, I told him that the next day he was going to have to talk to the driver, explain what he did and return ALL the money. I would pay for the set, in full.

Man, that boy is something.

Act I: You Think You Know Me, I Probably Wear A Mask

This was sent by ZN. He is a journalist and professor who focuses on identity, authenticity, and the power of routine relationships (ethnomethodology, if you want to get geeky as he puts it). His Guerilla Red Team Story is different, he and his students routinely play with the Red Team Mindset and interesting things happen. This is Part 1 of 3. An intro.

Act I: You Think You Know Me, I Probably Wear A Mask

Hi, before I get into my adventures, I thought I’d write a first piece as a bit of an introduction, a voice, or perspective of a Guerrilla RedTeamer, that is often overlooked (thankfully) in the often echo-chambered media world we live in. Publicly, I’m a professor. A dismissive identity by media standards, but what I really am is a filter creator, someone who focuses on human communication, relationships, identity, technology, popular culture, and most recently veteran affairs. Social engineering is one of the many tools I experiment with along with colleagues as we try to figure out how people construct their perceptions and expectations. I spend quite a bit of time exploring how people share their understandings and are part of a “community.” I’ve consulted with various city/state agencies and advocacy groups globally and will share some of the stories that I can.

As I write this, I’m sitting behind the relative safety of a desk, in an office, and many of my colleagues don’t know how to read the subtext of what I do beyond the classroom, nor do I try to explain (the words are often lost between simple constructs of right/wrong, moral/immoral, liberal/conservative, etc.), and even then it’s a story to manage communication with them and my identity. In my office sit four bags packed (based on things I’ve read on the RT site) to be faster/better and to roll at a moments notice if a client calls, the windows written on with dry-erase ideas to test in the field or a current project, and most importantly, artifacts to support the perception of a stable identity.

It is from a strange position that I write about both fascinating and awful phenomenon. I never thought of myself as a “redteamer,” as I don’t have formal military training, but do have formal education and access to fieldwork, research tools, and ability to conduct/construct human experiments (I'll share those soon). Like many of you readers, I’ve read many of the books listed on the bookshelf link by U., along with 15 years of experience experimenting with the ideas from my own discipline, and like the masks that are strategically placed around my office as mementos of my adventures (all with two stories), or the RT rules I sneak into my syllabi for my students enjoyment, which also serve as a constant reminder on how to stay vigilant, or the overt public persona that transverses digital media that is not in your face, but is there so that you will consume the mask I want you to “friend,” “like,” or “follow.” That’s what people think I do, “read, think, break, teach, write, and repeat;” however, to take a kind of ownership, what I am is a “redteamer.” The list is actually quite simpler, “break, fix, break, fix, repeat,” but with people and the breaking and fixing is nuanced. You, as a reader of this site, are drawn to our stories, ideas, gear, and whatnot, so that you too can learn and do. We live in a very complicated world that is often overly simplified through media use. Some redteamers, put their bodies on the line and that is their burden they have chosen to carry. Others, like myself, put our minds on the line, mental vaults holding secrets, attempting to understand the human condition, but not in some psychobabble sense, but how people communicate with one another. How to manipulate, shift, pivot, or change those processes toward a communicative end; human communication is an inherently selfish act and in my world, Rule 63 is our starting point...

Ongoing Process

This was sent by OSCAR. He is a retired Army MP now working as a Security Director for a large corporation. He runs their Blue and Red Teams, as well their CERT.

One of the first things I did when I was told we were hiring you to redteam us, was to create a red team of our own and embed it with you. The idea, as you know, was that we wanted to have a team of that could continuously red team the company, from simple and random social engineering attacks, to more complex, all-in penetration attempts. It took me a while to convince my boss, the CISO, but we did it. On that first engagement with you, the small red team we put together learned a lot. This is what we did a few months after you guys tested us.

Like I mentioned, we wanted to have our red team engage us constantly, testing not only the current security plans/measures but also see the reactions of the blue team and our group of capable CERT.
During the mid-year company assessment, where we review earnings, product stock, new customer needs and other things, I asked the red team to begin analyzing how we handle the customer support. This is a crucial part of the public face of our company and we wanted to be sure that no "bad guy" could hit us there. The team spent several days going over the different procedures: things like how to authenticate an actual customer, or what information can be disclosed over the phone and what's off limits. They reviewed every little procedure and they learned to be customer support representatives. And then it began.

Over the period of 4 months, and at random intervals, the team would pretend to be an old or new customer. Their target was to extract personal information about "themselves" from the customer support representative. They played all the weaknesses they found on the procedures and, without going into details, they successfully extrated personal information about our customers in over 75% of the tests. it was magnificent to see this!

Needless to say, these on-going tests, still being performed today, helped us pinpoint the weaknesses in our procedures and we had now fixed them.

Stability Operations and Getting in their Minds

This was sent by KL. He was a Army Special Forces member in charge on helping fight the Taliban in Afghanistan.

A couple of years ago my team and a group of locals were tasked with what was then known as stability operations. The Taliban was supposedly gone, but we all knew they were still hiding among the villagers.
While the officers and interpreters were working with the different villages' elders, we were trying to figure out a good way to make the bad guys stick out. Just to make them come out so we could take care of them.

At that time we were working closely with our Red Team, a group of former SF guys that had also some civilians attached. They were helping us polish the plan and provided a very good analysis of what they were seeing on each village after the visits.
One of these guys attached to the Red Team, one of your guys, had this ingenious idea to draw the bad guys out. He proposed that some of smaller people in the our team or some of the locals dress with full-on burkas and that they walk without a male escort in the streets of each village. This would, hopefully, make the Taliban guys mad and they would try to stop the women.
At first, it sounded like a stupid idea. What if the villagers came out and stopped the women? That didn't mean they were Taliban. But, after giving this some thought we all began seeing the logic behind this and agreed to try it.

We agreed to try this on villages were we suspected the bad guys were hiding. And then it happened. The first village was a no-go, the villagers were outraged about a single woman walking alone in the street, but they came to us to go ask her to go back to her husband, we said no and they just approached the woman and began screaming at her (him), but nothing else happened. The second and third villages, however... It worked.
When the villagers came to ask us to make that woman go back to her husband and we said no, well, a few guys just went ballistic and they even brought out some rifles, screaming about the dangers of women and blah blah... We grabbed them right there.

80% of the people we grabbed turned out to be bad guys. The villagers were really happy to have them out of their villages and we were happy to have them, period.

It was good thinking.

Introducing the new Red Teaming community

Last week we introduced the Red Teaming Community idea. The basic idea is to have an organization composed of Red Teamers - ranging from civilians to military and everything in between - that would work toward promoting the need for Red Teaming in today's world. However, this community would also have a secondary purpose, one we think is very important: The members of this community will provide other members with Red Teaming and related help when the need arises.

We asked many of the people that already sent stories and they are all in.

But we want to keep this within the family, so we are in the process of making a simple calling card, high quality, that will be given to each person that send a story to the Guerrilla Red Team. This card will be his membership and if he or she needs helps, he just need to show this and the rest will follow.

We have been working with many readers on a possible logo for this card, and after a few possible options, here's the logo that is being printed:


Created by DG, a long time reader. He has been extremely patience with all of us and he managed to grab all the comments (mine and the Team's) and get a simple logo that was based also on the Oni idea, similar to the Red Teams logo, but with some elements of a Tengu (as suggested by another reader, CCh).

Thank you DG (and CCh for the extra info)!

Personally, I think the card will look really good.

The hidden fault

This post was sent my Friedrich. He was an officer on one of our allies' special operation forces.


A few years back, we were deployed together with the Americans. Word came down the chain of command about insurgents in an area that has previously been cleared and a new plan of action was needed to help bring quiet to that area again. We were told to make a plan and show it to the Americans. We needed to work together in this and their commaning officer had control.
After a few days of working together with the senior enlisted men, the intel officers and some local assets, we had something we thought was a good plan. Not too complicated but called for the different parts to work simultaneously in the different AOs.
We prepared the Powerpoint and our senior enlisted guy and I went to present it to the Americans. The first thing they asked us was whether we ran this by the Red Team. So, I asked: what Red Team?
Well, it turned out that a civilian Red Team was contracted to help with some planning for the Americans and they (the Americans) like the way the plans and tactics were attacked by this Red Team, so they wanted our plan to be tested too.
I said OK and I went looking for this Red Team. They were located on a tent next to the intel shop. Their TOC was simple but very busy. I introduced myself and the guy running the Red Team introduced himself and the team to me. We sat and for the next 2 days we worked together on the plan. They would "attack it" and we would provide a better solution. They would talk about an alternative method to certain pieces of the plan that made a lot of sense, so in those cases we combined their ideas with ours.
After 48 hours, I have to admit the plan looked very good. They showed us possible problems that we didn't account for, hidden faults that needed to be extracted. But not in a negative way, no. You could see that they were trying really hard to see this from the side of the insurgents, and well, actually from all sides. Even our own side was going to have problems (mostly on the chain of command comms) if parts of the plan were not clarified better.
Overall we were very impressed, and after the rotation was over I discussed this with my commanding officer. I am happy to say that a Red Team is part of our planning too now.


Alright, I think we have a few stories that have been sanitized enough to be posted. They'll start coming in the next couple of days.

In the meantime I wanted to write about a small idea that has been circulating in the Team War Room for a while: a Red Teaming Community. The idea is to have an organization composed of Red Teamers (from different parts of life) that would work toward promoting the need for Red Teaming across the board, and would help its members when they need Red Teaming services or related help. The idea is that if any of the community's members across needs consulting help about a subject, hands-on experience or any other form of help a member of the community will try to help when possible.

How would you become a member of this community? Every person that sends a story to the Guerilla Red Team section, will get a special card we are crafting. This card will make that person or organization a member of the community. The cards will anonymous and will need to be presented when help is needed.

The aim here is twofold:

  • Have a community of Red Teamers that would spread the need for Red Teaming, and
  • Have a community of members that help each other, making Red Teaming better.

We all learn and benefit from this.


A time to Red Team

Note: I wanted the first post on this section of the blog to be by Dr. Mark Mateski, founder and editor of The Red Team Journal. He is a person and a professional I respect and his Red Teaming mindset is always on target. His story shows the need for Red Teaming. The posts coming after this one, in a few days, will all show why Red Teaming is so important. Thank you Mark for the story you are sharing.

Dr. Mark Mateski:

I’m notorious among my colleagues for not sharing red teaming stories due to OPSEC concerns, but I am willing to describe one of the first times the need for systematic red teaming struck me. Out team had run dozens of analytical events for a client when they asked us to compile a list of lessons learned. I remember sitting in a conference room as we assembled for what I anticipated to be a very interesting session. It was a worthy effort, but I was disappointed as the lessons gradually emerged. Time has passed, but I can’t recall any lessons regarding our make-believe REDs. (I use “RED” to denote a notional adversary.) I do remember thinking that we could have handled the RED side of things in a much more interesting and systematic way. This was post-Desert Storm, by the way, so the culture was a bit smug.

I was a very junior analyst then, so I didn’t have much voice. That fact was reinforced a bit later when I was sitting in a different conference room with a group of senior decision makers, one of whom was well known and widely respected. Once again, the RED perspective was overlooked. I got up the nerve during lunch to ask whether a clever RED could hurt us by doing something cheap but unexpected. The response was a hearty round of jibes and chuckles. It was pre-9/11, but even then I was surprised by the lack of respect for RED. I’d like to say that I vowed then and there to promote superior red teaming henceforth and forever, but it was simply another seed planted for future recall.

Introducing Guerrilla Red Team

We are lucky to have met a lot of really cool people during the past few years. Special operations, law enforcement, blue teams, hackers, emergency response teams, and many more.
These guys have a lot of cool stories, some of them we were part of as well. And they want to tell those stories.

So, in a few days we'll be launching a new part of the blog that we began calling Guerrilla Red Team. The name, like most names, just came out during a discussion and well, it stuck.

This part of the blog will have stories from other red teamers, security teams, military units and law enforcement where either our Red Team was involved or the main story includes a Red Team or Red Teaming.

Now, we also want to hear from you. If you have a Red Teaming story, please send it. Please sanitize it, any OPSEC violation will trash the story. If you want to send along a picture with it, wait until we reply to you and attach it to the email.
What can you send? Any personal story recounting your Red Teaming experiences, or experiences with a Red Team.

So, while we compile some of the stories from our friends, send yours.