Taking a 180 degree turn on the original plan

One thing you have to be ready for when working as an adversary, is the need to adapt to what's in front of you. Often you research your target, you perform a good recon (either physical or digital) and you have a good initial penetration of the target, only to find out that all that you thought was there, isn't.

Big corporations have (often) fixed networks with well known and expected defenses. Because they are so big, they are also slow to change. However, some of these organizations have really good security teams. They may have different ways to fool an attacker by creating false network segments, changing routing tables, firewall access and other defensive devices in those false networks on the fly. If you were lured into that network you might find yourself battling a good blue team, they often have a lot of good monitoring in place. On smaller networks things tend to be more chaotic and subject to changes. of course you can plan for this too.

In order to be able to adapt this way two things need to happen, in my opinion. The first is a simple plan. One that addresses all the possibilities that you thought of during your research, recon and planning phases, but that is simple and agile enough that if you need to change it, or go to plan B, your whole operation will not fall on its ass. The second is a small, agile team. Small teams can adapt faster to changes and plan on the spot when things happen. Having the right members, then, is key. A good red teamer is not only subject matter expert on his field (coding, lock picking, strategy, tactics, psychology, social engineering, others) but he or she knows how to help other members on his/her own subjects. That way if a new attack tool is needed on the fly, several people can attack the problem by writing different tools and selecting the best for the task. Or maybe one member can see the solution but he is not knowledgeable enough to write the exploit himself, so it benefits from the other team member by explaining what needs to be exploited.
When it comes to planning or on-the-fly change of plans, the more experienced and varied the team is, the easier it will be to draft a new plan of action based on the information from the field.

A good team then needs to be small and be able to adapt to the different tasks required on a project.

One book I made my team read is one already reviewed in the blog: Pete Blaber's fantastic The Mission, The Men, and Me.

He points three things I think are key to adapt and be nimble:

  1. Always listen to the guy on the ground
  2. It’s not reality unless it’s shared
  3. When in doubt, develop the situation

With point 3 being of key importance here.

One exercise I made my team go at random times during the year is what I call a "mind-fuck readiness exercise". In these exercises I drop a false project, they are not aware that these are false. And we go through the whole research, recon, planning and execution only to find out that what was supposed to be there is no longer true. This forces the team to have to come out with a solution fast. I throw at them more stress by having a blue team (me) kill their shells, or shut down systems. It's a good readiness exercise that keeps the team from getting too complacent.

So, are your plan and your team ready for a 180 turn?

Think about this. Think about Rule 9 and Rule 19.

Quote of the day

Testing yourself