Adversarial Thoughts

Adversaries want something from someone else, which means that you can’t build an adversarial profile without knowing some fundamental things about their target.

To truly understand the target, you need to understand the adversarial mindset and what adversaries are interested in. To help take on the adversary mindset, it pays to answer some key questions.

Core Business

  • What does the target do?
  • Do they sell products or provide a service?
  • Where are they based?

Knowing the target’s core business is crucial because you need to know what sort of industry they operate in and what type of specific threats exist in that particular industry.

Customers

  • Who are your target's customers?
  • Are they individuals, businesses, or governments?
  • What do they do?
  • What geographic regions do they primarily operate in?

Knowing who your target’s customers are is vital because adversaries often target one organization to get to another. Supply chain targeting takes place because adversaries know that high-value targets can be challenging to compromise directly.

There is often the perception that it is easier to compromise an organization through the target’s supply chain and use that access to compromise the high-value target. If a target has customers that are high value, the likelihood that adversaries will target that organization significantly increases.

Competitive Advantage

  • What is your target’s competitive advantage?
  • In what areas do they rank ahead of the competition?

An organization’s competitive advantage is what uniquely identifies its success and differentiates it from its competition. For adversaries motivated to obtain information or resources to benefit their state or corporation, there is a keen awareness of what the competition has that they do not.

Having a good understanding of your target’s competitive advantage in this way will not only guide your efforts in identifying potential adversaries, but it can also help the target’s defensive efforts to ensure those elements are exceptionally well protected.

Competitors

  • Who are your target’s competitors?
  • How do they rank compared to your client?
  • What geographic regions do they primarily reside or do business in?

It is essential to know who your target’s competitors are. Like it or not, your target’s competitors, or those acting on behalf of those competitors, must always be considered likely suspects when it comes to identifying possible adversaries.

In this context, however, the term competitors requires a broad definition, and even then, it doesn’t mean that a competitor is actively involved in targeting an organization. For example, a third party may have an interest in a competitor succeeding, and your client becomes a target so that they don’t get in the way of that success. Either way, understanding who your target’s competitors may be is a useful place to start when it comes to identifying likely adversaries.

Value of Information

  • What valuable information does the target possess?

As an adversary, you are often working from a best guess about what valuable information an organization may have. As a general rule, however, adversaries will be on the lookout for some specifics:

  • Product/service information
  • Strategic business information
  • Operational business information
  • Financial information
  • Personal information
  • Intellectual property

To develop a target risk profile, you need to understand the target and understand likely adversaries, and then match them up. Knowing what sort of valuable information/assets the target has allows you to hypothesize which adversaries are most likely to attack a particular target.

Knowing what sort of motivations, resources, and capabilities particular adversaries have allows you to hypothesize what they may focus on and what type of strategies/tools they may use.

Once an adversary has an idea about what they want from an organization, their next step is to find out all the information they can about that organization to help plan their attacks.

In red teaming, the goal is to simulate the behaviors of the adversary, so red teamers need to undertake this information gathering/reconnaissance phase in the same way that an adversary would. Every piece of information about the target, network, employees, etc. has to be researched and identified, the same as adversaries do in the real world, and open source needs to be the primary method for obtaining the information. For example, if an organization has lots of employees on social media with open profiles, an adversary can compile a list of employees by name, job title, location and other information that immediately gives them an advantage.

This also means that during this first reconnaissance phase, nothing is out of scope. There may be scope limitations regarding the attack simulations that follow, but this should not impact the reconnaissance stage.

Just as with red teaming attack vectors, there are three aspects of reconnaissance adversaries need to consider: social, digital and physical. We will look at these in greater depth in the following posts.
