Lately we've been seeing more and more pentesters and red teamers (more on that later) fall into very specific patterns of work and standard operating procedures (SOP). Rule 10 states: don't become predictable. That rule is there for a reason. Once you start doing the same things again and again, you become predictable.
That's where pentesters are currently. Same with red teamers. What people call red teaming today is still pentesting, so I will make no differentiation here. As such, people expect you and your team to act like a pentester. They know you will be following a pattern; they've seen this before. They know you will scan them, that you will use tools to recon their websites and networks, and that you will use frameworks like Metasploit and others. They know you will remain within the boundaries considered good pentesting.
Red Teaming, the real thing, is about mimicking the adversary, testing all aspects of an organization's security. The point is to really stress test all domains, including policies and those things called assumptions. You have to change your SOP every time, adapting to the organization and capabilities in front of you. Red Teaming is about becoming the adversary and, like them, using any and all possible avenues of attack, usually going at it by means that were not expected.
Disruptive Red Teaming should be your aim. Disruption of what they think pentesting is. You are a red teamer, NOT a pentester. Pentesting is good, it's a great tool to have in the toolbox to test security, but you are a red teamer, your job begins once the pentest finishes.
Change your mindset, change their mindset. Make them more resilient by being a disruptive force.