Question from a Reader: Building a Red Team

Question:

How would you build a red team? What positions would you create?

Dan and I talked about this on Episode 3 of the Red Team Podcast, but maybe this question warrants going a little deeper.

The Red Team

Usually a good Red Team, as we think of it, is composed of two very distinct sub teams: the Operational Team and the Support Team.

The Operational Team is usually forward deployed, whether performing physical reconnaissance or open source intelligence, actively trying to get into things, or on the phone working the social engineering angle. They are the people who learn the target, research the possible adversaries, help identify the vulnerabilities, and define the plan of action.

The Support Team, on the other hand, usually stays back, whether at the office listening for shells to call back, monitoring radio, providing access and intelligence to the Operational Team, or coordinating with the customer if needed.

One thing to note is that the Team Leader moves between the two sub teams; however, most often - in our case at least - he or she is on the Operational Team.

The Operational Team

As we mentioned, the Operational Team is in charge of recon, identifying the weaknesses, and executing the plan. Members of this sub team take different roles based on their strengths. Though the team composition might vary with each engagement, it is a good idea to cross train each person with another, thus building in redundancy.

Usually the Operational Team members include:

  • Physical security expert
  • Digital security expert
  • Surveillance and recon expert
  • OSINT expert
  • Security generalist (someone who can fit in either position)
  • Team Leader

The Support Team

This sub team takes care of all the needs of the team while things are happening. They provide an extra set of eyes when needed, they perform the initial recon once a foothold on the network is gained, they execute further exploits and gain persistence on other systems, they identify more targets and, generally speaking, they are in charge of connecting the dots and of the Find, Fix and Analyze steps of F3EAD.

Usually the members are:

  • Digital security expert
  • Exploitation and code writing expert
  • System and networks expert
  • Physical security countermeasure expert
  • Main planner

Again, in both cases individual team members have to cross train in multiple areas of responsibility, covering for each other, and often rotating between the two sub teams.