red teaming

Key Things To Have In Mind While Red Teaming by Modern Adversary

Red Teaming is the art of thinking like the adversary, finding what that adversary will do, and doing it before they have a chance. In doing so, red teamers help build resiliency and create an overall more secure organization.

There are a few things you should consider when you begin to engage a new project, or while deep into an assessment. These things can be applied to all domains of Red Teaming, from digital to physical to human.

INTELLIGENCE LEADS TO PWN

Gathering intelligence is essential for understanding your target and for guiding your actions and behavior. Learn your target, its industry, its people, and its competitors, and have a means to understand their real-time digital and physical behavior. Then make a plan.

"DEVELOPING THE SITUATION" IS THE MOST IMPORTANT OVERLOOKED SKILL

Most plans and field actions fail because of a lack of visibility into, or understanding of, what is happening in the field. The environment was not fully analyzed, the target's 3rd party providers were not taken into account, the new leadership approach was not understood... In short, the information and the potential problems were not analyzed and developed.
During your planning, make sure you don't ignore what the environment is giving you: do your homework, perform a situation analysis, run that extra OSINT and get your facts right.

DATA IS KEY, COLLECT IT

Without data to inform you on your progress, success, and direction, you will not be able to tell whether you are succeeding or not. Use ACTE:

  • Assess the situation

  • Create a simple plan

  • Take action

  • Evaluate your progress

Each time through the loop, address your problems based on the data, re-orient, and execute.

DETAILED PLANNING IS A MUST

Before every project or assessment, or even training, you need to spend hours, if not days, planning and preparing for every scenario that might come up. This is key if you are to be successful. However, as we all know, Mr. Murphy is always present, and things will not go as planned. That's ok: time spent planning helps you react better and faster when unplanned situations materialize. The more you plan, the more of an SOP (Standard Operating Procedure) you have, and the more you can fall back on what worked in similar situations in the past. Things repeat themselves.

HAVE A BACKUP PLAN

Rule 4. You know plan A will more than likely fail, or the reality in the field will force it to be re-arranged or dropped altogether. Having a plan B is the default in any red team assessment. Always plan this: understand the threats and risks, address them and make a plan B. Always have a PACE plan (Primary, Alternate, Contingency, Emergency).

FIND THE MAIN VULNERABILITY AND ATTACK IT

Every system can be defeated by understanding its weak point and attacking it with full force. The same applies to people and physical targets. If you think of everything as a system that has vulnerabilities, it will get your mind in the right place. Scan your target as if you were a sniper: from far to close, then close to far; then left to right, and right to left. Create a grid and walk it, and make sure you analyze and collect all the information.
The weakest areas are usually the joints: where two networks connect, where one area of responsibility ends and another begins, etc. The most vulnerable areas, those most likely to be exploited, are where two things connect. There is no such thing as a seamless connection. Seek those areas and attack them.

SEPARATE THE SIGNAL FROM THE NOISE

Things can get too big to understand. Huge networks, huge numbers of systems, unknown variables, too many people to phish, and unpredictable situations. It's easy to get overwhelmed. You need to be able to separate the signal from the noise, focus on what's relevant and discard the rest. Identify the critical areas of your target and focus first on those. Then work down to smaller and smaller pieces, until you find the vulnerabilities to exploit.

AT THE END OF THE DAY, IT'S ALL ABOUT EXECUTION

You might have the perfect plan. Your team is ready and you have found the right things to exploit. If you fail on the execution, then it's all worthless. Do a dry run. Run your plan and your contingencies. See what breaks and what can go wrong. Get ready to execute to the best of your capabilities.

(Note: originally posted on the Red Teams Blog)

Red Teaming the Plans by Modern Adversary

Note: posted originally on Red Teams.

One of the most important things you can do when you have a plan is to make sure it will survive Mr. Murphy, to the best of your ability.
We’ve talked about this many times in the blog, but here’s a small brain dump of what red teaming the plan looks like. Your mileage may vary, though, depending on the plan.

Once you have a plan in place, bring your team and identify the risks, threats and vulnerabilities.

  • Risk: the likelihood of being targeted by a given attack (in the usual formulation, likelihood combined with impact).

  • Threat: what could happen.

  • Vulnerability: the weakness that an adversary will exploit to make the attack succeed.

Translated to the plan: what could break it, how, and by what.

There are three steps to follow now.

  1. Identify the key aspects of the plan.

  2. Identify threats most likely to impact those parts of the plan.

  3. Determine the vulnerabilities that might make those threats real.

Start by listing the most important parts of the plan, those parts that would cause it to fail if they don’t happen. Rank them by criticality:

  • Critical: the plan will fail.

  • Essential: the plan might fail but you can still run a contingency.

  • Non-Essential: good to have, but if it doesn’t happen the plan will still succeed.

Write them on a whiteboard: make a table listing each one by criticality.

Next, ID the threats. Ask questions like: What can happen? When? What is most likely to happen? How? Write the questions and the answers next to each part identified. Give a probability rank to those threats:

  • High: this will most likely happen.

  • Medium: there is a chance of this happening, but we have mitigating controls.

  • Low: it will rarely happen.

You should now have in front of you a table with the most important parts of the plan, how critical each one is, and the threats to those parts ranked by probability. You can already begin to see which parts are most likely to fail and how important they are.

The next step is thinking about the vulnerabilities. Which of the threats identified above have the greatest likelihood of disrupting the plan? How? What is the thing that can break that would cause that threat to become real? Things like equipment failure due to dead batteries, weather causing traffic and delaying execution, etc.

Add them to the table you are drawing.
You should have, at this point, a clear picture of the things that could go wrong with the plan.

Now focus on the critical parts and high probability threats. Discard for now anything else. List the possible solutions for those and add them to the plan.

When you are done, bring in the 10th man: an external party who has not been part of the planning. Show them the entire plan and check what they can see that you can’t. Now you are ready.
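The whiteboard table from the steps above, as an added worked example (this is illustration code, not something from the original post). It encodes the two rankings (criticality of a plan part, probability of a threat), attaches the vulnerabilities and the solutions added to the plan, sorts the rows worst-first, and pulls out the rows the post says to focus on first: critical parts with high-probability threats, and among those the ones that still have no solution. The plan contents are a constructed physical-entry scenario, chosen only to exercise the table.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Criticality(IntEnum):
    NON_ESSENTIAL = 1   # good to have; plan still succeeds without it
    ESSENTIAL = 2       # plan might fail, but a contingency can still run
    CRITICAL = 3        # plan fails


class Probability(IntEnum):
    LOW = 1             # rarely happens
    MEDIUM = 2          # could happen, mitigating controls exist
    HIGH = 3            # will most likely happen


@dataclass
class Threat:
    what: str
    probability: Probability
    vulnerabilities: list[str] = field(default_factory=list)  # what breaks to make the threat real
    solutions: list[str] = field(default_factory=list)        # what has been added to the plan


@dataclass
class PlanPart:
    name: str
    criticality: Criticality
    threats: list[Threat] = field(default_factory=list)


# Constructed sample plan (hypothetical physical-entry assessment, not from the post).
SAMPLE_PLAN = [
    PlanPart("Team on site before 06:00 shift change", Criticality.CRITICAL, [
        Threat("Traffic delays arrival past shift change", Probability.HIGH,
               ["single planned route", "no time buffer"],
               ["depart 60 min early", "pre-drive a second route"]),
        Threat("Vehicle breakdown", Probability.LOW, ["one vehicle"]),
    ]),
    PlanPart("Badge cloner powered and tested", Criticality.CRITICAL, [
        Threat("Cloner battery dies during the approach", Probability.HIGH,
               ["no spare battery", "not charged the night before"]),
    ]),
    PlanPart("Implant calls back to C2", Criticality.ESSENTIAL, [
        Threat("Egress filtering blocks the callback", Probability.MEDIUM,
               ["only one C2 channel"], ["add a DNS fallback channel"]),
    ]),
    PlanPart("Photograph the server room rack labels", Criticality.NON_ESSENTIAL, [
        Threat("Camera confiscated at reception", Probability.LOW, ["visible camera"]),
    ]),
]


def rank(plan: list[PlanPart]) -> list[tuple[PlanPart, Threat]]:
    """Every (part, threat) row, worst first: by criticality, then by probability."""
    rows = [(part, threat) for part in plan for threat in part.threats]
    return sorted(rows, key=lambda r: (r[0].criticality, r[1].probability), reverse=True)


def focus(plan: list[PlanPart]) -> list[tuple[PlanPart, Threat]]:
    """Rows to work on first: critical parts with high-probability threats; everything else waits."""
    return [(p, t) for p, t in rank(plan)
            if p.criticality == Criticality.CRITICAL and t.probability == Probability.HIGH]


def unsolved(plan: list[PlanPart]) -> list[tuple[PlanPart, Threat]]:
    """Focus rows for which no solution has been added to the plan yet."""
    return [(p, t) for p, t in focus(plan) if not t.solutions]


def render(plan: list[PlanPart]) -> str:
    """The whiteboard table as text, worst rows first."""
    lines = [f"{'PART':<42} {'CRIT':<13} {'THREAT':<42} {'PROB':<6} VULNERABILITIES / SOLUTIONS"]
    for p, t in rank(plan):
        lines.append(f"{p.name:<42} {p.criticality.name:<13} {t.what:<42} {t.probability.name:<6} "
                     f"{'; '.join(t.vulnerabilities)} / {'; '.join(t.solutions) or '(none yet)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_PLAN))
    print("\nStill unsolved:")
    for p, t in unsolved(SAMPLE_PLAN):
        print(f"  {p.name}: {t.what}")
```

Run as a script it prints the full table and then the one critical/high row with no solution (the cloner battery), which is exactly what the 10th man should be shown first. Lower-ranked rows are kept in the table rather than deleted, so they are there for the next pass once the critical ones are handled.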

Remember Rule 29: If you’re happy with your security, so are the bad guys.

by Modern Adversary


Adapt. That’s the name of the game.

What worked once will not necessarily work twice. Use proactive failure analysis: methodically discard the plans and candidate solutions that would likely fail, based on your analysis of the problem at hand.

After collecting as much intelligence as you can, after you have performed recon and observed your target, whether physical or digital, you can red team your own solutions. Use proactive failure analysis to discard the solutions that might fail given the intelligence you just collected. Then red team the plan. Adapt the remaining solutions to that same intelligence and prepare the main, contingency and emergency plans.

Attackers use this same technique. They adapt based on their failed attacks, analyze what happened and factor it into their future attack plans.

When in doubt, red team it.

Aikido Principles Applied To Red Teaming by Modern Adversary

Maybe it’s the day, or maybe it’s my age… I think it’s time to get a little philosophical.

I’ve practiced Aikido (and other martial arts) for many years. Like Red Teaming, you are always practicing and learning. Morihei Ueshiba, the creator of Aikido, once said:

“If we stop growing, technically and spiritually, we are as good as dead.”

In Aikido you are always training, always discovering new things about yourself and about your possible opponents. Over the years, the different Sensei I’ve had the privilege of training under mentioned different Aikido principles. Some resonated with me, and I can see how they also apply to Red Teaming and to security in general. Bear with me, please, while I try to make sense of this.

Masakatsu Agatsu

Or “True Victory is Victory over Oneself”. This is one of the hardest things to learn in Aikido. In Red Teaming, in order to know what security issues you might have, you need to know your enemy. To know your enemy, first you need to know yourself. It is a recursive problem, I know, but one that really has to be addressed during a Red Team assessment.

Principle of Circular Motion

In Aikido, the circle is a key element. Regardless of how the opponent attacks, linear, circular or angular, a circular motion allows you to blend into the attack and gain control of your opponent. The same can be said of Red Teaming. Try to force something, try to stop something, and more likely than not you will fail. However, if you blend in, if you find that circular way in, the gaps in the security of your “opponent” (the organization or the plans you are red teaming), then your chance of success is much greater.

Extend Ki Forward

In Aikido, Ki is energy, the life force which keeps us alive. Ki is the binding force of mind and body. Think of it as “The Force”. Aikido practitioners focus on harnessing this energy and using it to achieve greater control over their own bodies and minds, and to control their opponents. Extending Ki Forward means presenting to the world an image that you are in control, that you are sure of yourself and that, while calm, you can defend yourself if needed. In Red Teaming parlance, this means being alert, always aware. Always project that sense of being aware of your environment, of being comfortable and sure during stressful situations. It will help you and your team.

Keep One Point

Similar to the previous principle, keeping one point means being centered: being in control of your emotions and your body. Once you achieve this, you can begin to control your opponent. Think about this when you are trying to find the holes in a plan, the vulnerabilities in a network, or that gap that will allow you to break everything. Keep your focus, your “one point”.

Aikido is the act of redirecting the attacker’s energy

In Aikido, redirecting the opponent’s attack and its energy is key to the techniques. Rendering the attack harmless to you is what you are trying to achieve: blending with it and controlling the attacker. In Red Teaming, think of this as the art of misdirection. Try to get the Blue Team to “attack itself”, send them on a wild chase after a ghost. Think about this.

Shodo-o-Seisu

Or “controlling the first move”. In Aikido, you reach a point where your situational awareness allows you to “see the opponent’s move before he has made it”. This lets you control the attack better by “being there” before it happens. Those precious seconds can save you or those around you. This is a general situational awareness tip, relevant not only to Red Teaming but to all aspects of life.

(originally posted on Red Teams)