THE RULES OF RED TEAMING
Note: this is a work in progress.
These are lessons learned during almost 15 years of Red Teaming. Keep an eye on the page as we add the text under each Rule.
1: The purpose of a Red Team is to become the adversary, to be the worst case scenario.
Red Team engagements deliver end-to-end realistic attack scenarios based on the organization's possible adversaries. The role of a good Red Team is to attack using the same steps and TTPs as an adversary, often creating new attack methodologies in order to adapt to the ever changing realities on the ground.
By planning for the worst-case scenarios, leaders can understand and address the risks in every aspect of their business, and organizations can develop and realistically test their defense and detection capabilities, and significantly improve responses associated with security incidents that look and feel like the real thing.
2: People lacking imagination, skepticism, and a perverse sense of humor should not work as a Red Teamer.
It's all about the mindset. You can be an expert in different fields related to or in support of Red Teaming, however if you can’t think outside the box (actually understand that there is no box), if you can’t find ways to bend the rules, to think like a bad guy, to social engineer your target, to cheat and to really want to find a way to succeed, then you won’t be able to work as a Red Teamer..
3: Red Teaming is mostly about paying attention.
Red Teaming provide alternative and adversarial analysis of plans, operational orders and tactical decisions. Like an adversary, it identifies patterns that lead to vulnerabilities and often expose alternative ways to examine the breaking point of policies and plans. For this to happen, Red Teamers need to remain open, never discarding something at face value without checking every possible angle.
Stop, look and listen. Collect information, study your target and connect the dots. Only then, make a decision.
4: Understand the thing you are Red Teaming, If you don't, the results will be poor. Spend time learning.
You have to immerse yourself in what you are Red Teaming. You have to learn and remain flexible to adsorb knowledge in an agile and useful way. The more you can do this, the better will be the results on your engagement. You need to know what you are Red Teaming.
5: Don't play by the rules. Make your own and adapt.
6: If you’re happy with your plan, you are not doing it right.
7: The efficacy of security is determined more by what is done wrong than by what is done right.
7a: Build on this. The bad guys typically attack deliberately and intelligently, not randomly. Mimic that.
8: A Red Team is most vulnerable to detection and disruption just prior to an attack. Don't make mistakes.
9: If you're not failing when you're training, you're not learning anything.
10: There are an unlimited number of security vulnerabilities for a given system, program, or plans, most of which will never be discovered. Tap into that.
11: When in doubt, Red Team it.
12: We are never prepared for what we expect.
12a: During a stressful moment, take a step back and look at the whole system. Analyze whether this is real stress or a deception by the defenders.
12b: Act, don't react. Plan 2-3 steps ahead.
13: The solution is in the problem. “When in doubt, develop the situation.”
Assess the situation, solutions naturally evolve when you know what you are dealing with.
14: The more sophisticated the technology, the more vulnerable it is to primitive attacks. People often overlook the obvious.
14a: Most organizations will ignore or seriously underestimate the threat from insiders. That's your in.
15: Make it asymmetrical. Advantage-stacking is your friend..
16: Remember PACE: Primary, Alternate, Contingency and Emergency. Always have a PACE for everything.
17: Use ACTE: Assess the situation; Create a simple plan; Take action and Evaluate your progress.
18: If there’s a question about if it’s necessary, remove it. KISS.
18a: Stay small. Stay light.
19: Don’t become predictable.
20: Prioritize and execute.