The Art Of Adversarial Simulation

Apr 2016 - Updated Apr 2022

01: THE PURPOSE OF A RED TEAM IS TO BECOME THE ADVERSARY, TO BE THE WORST CASE SCENARIO.

Red Team engagements should deliver end-to-end, realistic attack scenarios based on the organization's plausible adversaries, or mimic a specific actor. Whether the engagement is a digital attack, a physical intrusion, a social engineering campaign, or all of the above, the role of a good Red Team is to attack using the same tactics, techniques and procedures (TTPs) an adversary would, often creating new attack methodologies and adapting to the ever-changing realities on the ground. By planning for worst-case scenarios, leaders can understand and address the risks in every aspect of their business, and organizations can develop and realistically test their defense and detection capabilities. This significantly improves the response to security incidents that look and feel like the real thing.

02: UNDERSTAND THE THING YOU ARE RED TEAMING, IF YOU DON'T, THE RESULTS WILL BE POOR.

Spend time learning. Go through the phase of absorbing knowledge. You have to immerse yourself in what you are Red Teaming, and remain flexible enough to absorb that knowledge in an agile and useful way. Success often depends on the little details tied to the industry, the specific language, and the culture of the organization being attacked. You can't rely on technical capabilities alone. Fail to learn and the results will be poor.

03: RED TEAMING IS MOSTLY ABOUT PAYING ATTENTION.

Red Teaming provides not only a direct way of attacking the security controls of an organization, but also an alternative, adversarial analysis of plans, operational orders, tactical decisions, and organizational policies. Like an adversary, it identifies the patterns that lead to vulnerabilities, and often exposes alternative ways to find the breaking point of policies and plans. For this to happen, Red Teamers need to remain open, never discarding something at face value without checking every possible angle. Observe the patterns, make a plan, blend in and execute. Collect information, study your target, and connect the dots. Only then make a decision.

04: THE EFFECTIVENESS OF SECURITY IS DETERMINED MORE BY WHAT IS DONE WRONG THAN BY WHAT IS DONE RIGHT.

Adversaries typically attack deliberately and intelligently, not randomly. On the other hand, opportunistic attacks do happen. Both cases have something in common: they identify weak and poorly planned security. It is important to observe the whole picture, paying attention to the places where two different parts connect. It is there, in those seams, that weakness will begin to appear. Work your way to the real target from there. Do not get stuck following predetermined attack patterns or techniques; you have to connect the dots across the entire attack surface of an organization, unless the weakness is very obvious. In that case, be wary: an obvious opening may be a trap, with the guards waiting to jump out.

05: IF YOU’RE HAPPY WITH YOUR PLAN, YOU ARE NOT DOING IT RIGHT.

The real world is not static. Things change. Sometimes by accident, sometimes as the result of a predetermined action, but they never stay the same. Once you have connected the dots and formulated your plan, do not treat it as carved in stone. Have a contingency for everything, because things will change. Have a PACE (Primary, Alternate, Contingency and Emergency) for everything, and remain fluid. Treat your original plan as the best-case scenario, but do not count on it being successful.

06: WE ARE NEVER PREPARED FOR WHAT WE EXPECT

Plans don't survive contact. Unexpected things happen. Batteries die. The wireless has a new password. Such is life. During those stressful moments, take a step back and look at the whole system. Analyze whether this is a real obstacle or a deception by the defenders. Act, don't react. Plan two or three steps ahead. The solution is in the problem. "When in doubt, develop the situation." Assess the situation; solutions naturally evolve once you know what you are dealing with.

07: IF YOU'RE NOT FAILING WHEN YOU'RE TRAINING, YOU'RE NOT LEARNING ANYTHING.

In order to be ready, you need to train. You need to simulate real stress, and learn to thrive in it. Fail, and fail often, during training; it both builds resiliency and teaches the lessons to be applied in the field. Incremental steps and failure build a better mindset, better methods, better tools, and bring a team together.

08: THERE IS AN UNLIMITED NUMBER OF SECURITY VULNERABILITIES FOR A GIVEN SYSTEM, MOST OF WHICH WILL NEVER BE DISCOVERED.

The more sophisticated the technology, the more vulnerable it is to primitive attacks. People often overlook the obvious. Look at the system as a whole, from the outside in and from the inside out. Most organizations ignore or seriously underestimate the threat from insiders; that is your way in. When everything seems tight and secure, apply stress: fractures will appear. Focus on the seams, where two things meet: where two networks are joined by a firewall, where two physical security controls overlap, where two departments share equal responsibility for something. Stress test this. Magic does happen.

09: MAKE IT ASYMMETRICAL. ADVANTAGE-STACKING IS YOUR FRIEND.

It's not what you do, it's when and how you do it. It's making sure the odds are in your favor. If you want to be successful, you have to make it happen. Fight with small-team tactics, like a guerrilla. Stack things in your favor. Then execute. Do not try to fight your target at its level; go smaller, faster, leaner, and be ready to change direction.

10: DON’T BECOME PREDICTABLE.

Create something from nothing. Make your target believe something substantial is happening somewhere in their systems or organization when in fact nothing is, or vice versa. Deceive them with an obvious approach that will take a very long time, while surprising them by taking a shortcut and sneaking up on them. But be aware of how you do it: all patterns, recipes, and formulas are to be avoided. Avoid checklists whenever you can.

11: BE EFFICIENT.

If there is any question about whether something is necessary, remove it. KISS (keep it simple, stupid). Stay small, stay light. Strive to have the simplest tools for the job at hand. Bring it down to the smallest possible number of people, keeping an eye on mindset. While carrying out your plans, be flexible enough to take advantage of any opportunity that presents itself, however small. Be nimble! Retain the ability to pivot.

12: DON'T PLAY BY THE RULES. MAKE YOUR OWN AND ADAPT.

When your target seems too strong to be attacked directly, attack something it holds dear (supply chains are your friends). This forces the organization to deal with that issue, supporting the affected asset and handling its possible breach or weakness. Then go for the main target. Make your own rules; bad actors don't follow yours, and as Red Teamers, neither should we.

13: USE A PROXY, DO NOT ATTACK DIRECTLY.

Whenever possible, attack your target by getting a third party to do the deed. Find someone else to do your dirty work. This also plants a seed of uncertainty in the target, as they don't know what hit them or how to react. Insiders are the best option; however, be wary of double crosses.

14: IT’S ALL ABOUT THE CORRECT TARGET

Focus on taking out the leading asset of your target, denying them the resources needed to detect you or fight you. Spend time observing, connecting the dots, and learning what makes your target strong. Once you know the main target, spread misinformation, create misdirection, and use social media to spread fake news to create an atmosphere of doubt. Then execute.

15: THE TARGET DICTATES THE WEAPON, AND THE WEAPON DICTATES THE MOVEMENT.

Don't get caught up on a technique, a method, a tool, or a plan. Adapt. Things are dynamic and they depend on your target. The target you are trying to hit dictates what you use. Once you know what you need to use or do, you will understand how you need to move to reach that target. In other words, don't be stuck on a checklist: adapt to the target, focus on understanding the best tool or technique for that target, and then make it happen.

16: DISRUPT

Disrupt the way things are done to throw your target off balance: interfere with their methods of operation, change the rules they are used to following, go contrary to their standard training. Create doubt. Then you will be able to execute and encounter less resistance.

17: RED TEAMERS FIRST PUT THEMSELVES BEYOND THE POSSIBILITY OF DETECTION AND DEFEAT.

Always spend time performing reconnaissance. Learn what makes your target strong and what their capabilities are, and find a way to remain stealthy. Build redundancies, and have multiple avenues of attack and retreat. Do not count on a single method; you will fail if you do.

18: DO NOT UNDERESTIMATE HUMAN STUPIDITY.

Humans are helpful by nature. More importantly, humans tend not to think when they are not in charge. They become "stupid". They do things, and act in ways, that enable attackers to execute. Exploit that. Always try the human factor first.

19: BEGIN NOTHING UNTIL YOU HAVE CONSIDERED HOW IT IS TO BE FINISHED.

As you create your plan of attack, always keep your goal in mind. Whether the plan succeeds or not, always have a defined end state. Do not leave the job half done.

20: WHEN ALL ELSE FAILS, LEAVE WITHOUT A TRACE.

If your plan fails, clean up (yes, that means all your backdoors) and leave nothing behind. Do not give away your capabilities by leaving anything from which they can be learned. Worse, do not leave behind anything that another adversary could use to bypass the target's defenses.