Question from a reader: When you start a red teaming engagement, how do you know where to focus and what to do?
Well, beyond any information that the customer might give us, we usually focus on the following three activities - at least with the normal engagements. These three are designed to cover the usual three domains: Digital, Physical and Social. The areas are:
- Passive Red Teaming
- Active Red Teaming
- Plans Red Teaming
Let's get to each one.
Passive Red Teaming involves: external recon, infiltration and passive OSINT. Active Red Teaming includes: external recon, infiltration and exploitation, internal recon (moving inside and asset mapping), exfiltration and defense bypass, and disruption (physical or DOS). Finally, Plans Red Teaming involves: policies, controls and Blue Team reaction.
These activites cover the intial map of the engagement, but you have to tailor it to the target. Each type of activity contains a lot of things to check. For example:
External recon: public footprint mapping, network scanning, social network scanning, profile building of key players, social engineering, phishing, others...
Infiltration and exploitation: manual run of exploits, attack code infiltration via various methods, hardware tampering, physical entry, supply chain compromise, covert entry, others...
Internal recon: mapping, pivoting, credentials and data sniffing, key asset identification and compromise, key data store control, physical mapping, wireless access, wireless device introduction (rogue access point installion), others...
Exfiltration and defense bypass: data exfil, C2 access to shells inside, malware updates, physical assets exfil, personnel kidnapping, personnel equipment exfil, access and control of key defense software and devices, installation of firewall rules and routing table options for exfil, bypass of endpoint protection, remote desktop access, others...
Disruption (physical or DOS): destruction of physical assets, data center and key systems DOS, network devices disruption, others...
Policies: mimic various attackers and force the policies to fail (introduce random changes to the way attackers react).
Controls: actively probe the controls and stress test them to failure points.
Blue Team reaction: actively probe the quick reaction teams.
There is a lot to check and plan when you begin an assessment, but once you have a better idea of what the target is like and you can form a basic plan, you can then decide what to do and how.