"Observe the patterns, make a plan, blend in and execute."
Red Teaming, in the truest sense, is not static: like a good adversary, you have to adapt each time and remain fluid. Over the years, many people have tried, unsuccessfully, to create frameworks and checklists to “red team it”. But, as we’ve seen with pentesting, once you go this route, you become predictable. This is something a Red Teamer should avoid at all costs. Once you become predictable, you are no longer providing the level of disruption that Red Teaming should bring to the world.
Once you follow a checklist, you are no longer mimicking attackers; you are just following and creating patterns. And patterns will make you fail. This doesn’t mean we, as Red Teamers, shouldn’t have a playbook and use it to win. No. In fact, the more we can pre-game the game, the better we will perform, and the more successful we will be.
This is the reason behind the Four Elements of Red Teaming.
The idea is to have a supporting model that provides guidance while you perform the actions needed for a successful engagement or operation. If you take all these elements into account during your project, they will help you stay focused on the things you need to achieve. The Four Elements serve as the foundation for Red Teaming the game.
The Four Elements are:
- Observe the Patterns
- Make a Plan
- Blend in
- Execute
Observe The Patterns
Regardless of whether you are performing a remote assessment or an in-country one on the field, and whether you are in a semi-permissive or non-permissive environment, you need to start by understanding the thing you will be red teaming. This means starting to collect information about your target. Recon is the most important phase of any project or operation.
Sometimes the target is very clear; sometimes, though, the boundaries of an engagement or operation are very vague and you find yourself having to cover a large "area of operations": too many people to track, too many sites to learn, too many servers to scan and too many different technologies to learn. Too much information to collect and manage. It can make you or your team freeze, not knowing where to begin or where to move next.
This is where you need to focus on the bigger picture, and drill down to who or what is important for the target. Understand the key players and the needs of the organization in terms of people. Learn the industry the target belongs to, in the case of commercial organizations, or the geopolitical situation, in the case of other organizations, for example. Understand the environment you’ll be working in, either by way of open source intelligence or by more proactive, direct ways of collecting that information. Understand what the critical assets of those organizations are, and what would happen if they were denied those services.
This is key to better simulating their adversary, and key to a successful overall assessment. Concentrating on the people first will provide an even better view of the organization, even on the digital side. More specifically, learning who is important and who holds the keys to the gates, so to speak, will play a big part in achieving your goal.
This is where patterns begin to emerge. Patterns of life, patterns of data, patterns of things that are deemed not important and can be exploited. Patterns are essentially learning how people go about their lives in a certain location; it’s understanding their habits, what's "normal" and what's not. It is understanding how to appear normal in a location, and how this normalcy can be used to your benefit. It is understanding how they respond to attacks, and how resilient they are.
Modern organizations are too complex to really consider themselves “secure”; learn the patterns. Once you see these patterns, you can begin creating a picture of what's important and begin setting priorities. You can quickly shift focus to the people or technology that will give you a better chance of penetrating your target, and factor this into the plan.
Focus first and foremost on the people, their patterns of life, their social landscape. Then go to technology and physical location. Then make a plan.
Make A Plan
Now that you have information, it’s time to understand what you want to achieve, and how you want to achieve it. At this point, you need to be sure of what the goal is. Once you have identified the goal, the next step is to plan how to go and get it. In reality, however, most plans are rendered useless almost as soon as they are put in motion. So, why plan then?
"Planning is everything, the plan is nothing." (Dwight Eisenhower)
Well, there is still a lot of value in planning. First and foremost, it sets your mindset right. It defines the outcome you desire, the end state, the goal. And that is the most important part of the initial plan: connecting the dots and making sure you see the patterns. If you fail to do that, you might end up with a lack of visibility or understanding of what's happening. If the environment was not fully analyzed, then the patterns might not be obvious. This is why the first Element, the gathering of information to find the patterns, is so important: it enables the planning, and planning enables the understanding of those patterns.
This second Element should be about fluidity of planning.
Grab your original plan, refocus it, and divide it into smaller plans. Start planning at a very high level, and add as you go. Learn to be flexible. Learn to anticipate things that can go wrong. Red team the plan!
It is important to understand that before every project or assessment, or even training, you need to spend hours, if not days, on planning and trying to prepare for every scenario that might come up. This is key if you are to be successful. However, as we all know, Mr. Murphy is always present, and things will not go as planned. The more you plan, the more of a SOP (Standard Operating Procedure) you will have, and the more you can fall back on what worked in similar situations in the past. Things repeat themselves.
It is important that each team member has a say in the planning phase. Each member has his/her own interpretation of the information, and these different views can provide the next level in developing the situation. Hear what each member has to say about the developing issues. Have them state a plan of action and poke holes in your own plan. I usually have a very straightforward way of doing this: a set of steps that can be followed to guide the process. At the end of these steps, the team leader runs the options by the team or, if it’s a single person, the options are again listed for completion and to see issues that might not have been obvious before. The steps are nothing special, but over the years this system has helped a lot in organizing my and my team’s thoughts and methods. The same 4 steps can be done on the fly, on the ground or as you work and get more information, in order to adapt the plans or craft new ones as you go. The best information, however, is real-time situational awareness based on what is actually happening on the ground right now. You have to be open to new ideas, and factor this into the planning. So, having contingencies built into the planning, plus working with a light-weight plan and adding situational awareness, will allow you to flow and to achieve your goal.
There are 4 initial steps to planning:
- Know the project or end goal
- Analyze the problems
- Red team the plans
- Perform a dry run and loop back into step 2.
The first step, as mentioned above, is to identify the end goal of the project or assessment. During this phase, we really try to analyze what we need, what information we have, and what the ultimate goal of this project is. It is important to have a clear view of what’s expected. The first draft of the plan is usually created here.
The second step is used to identify the potential problems, focusing on the overall plan as well as on each part of it. A solid self Red Teaming of the draft plan is performed here.
In the next step, you focus on finding the solutions to the problems found in step 2. It is important to look at the whole plan with each possible solution, because many things can change in the process of fixing a problem. Each issue identified has a solution; if it doesn’t, then you have to rethink that part of the plan altogether.
The final step is a dry run. This is important to test the solutions, tools needed, gear, etc. A good dry run can identify more problems. Go back to step 2 as many times as you need, but be careful not to get your team in an endless loop. At some point decide it’s good enough and commit.
Plans are something you have to have, however once you're in the field, chances are you will have to change the plan. That’s the reality of this business. Be ready for that.
Two parting thoughts: Separate the signal from the noise and PACE.
Things can get too big to understand. Huge networks, huge numbers of systems, unknown variables, too many people to tail, and unpredictable situations. It's easy to get overwhelmed. You need to be able to separate the signal from the noise, focus on what's relevant and discard the rest. Identify the critical areas of your target and focus first on those. Then begin to go down to smaller and smaller pieces, until you find the vulnerabilities to exploit.
PACE: Primary, Alternative, Contingency and Emergency. When things go sideways, have a plan B and also an escape plan.
Blend In
You understand the patterns and what makes your target vulnerable. You have a plan and a PACE in place. Now it’s time to get dirty and see if your plan and assumptions match reality. It’s time to get up close and personal. It’s time to reach out and touch someone or something. It’s time to get to the field and perform the last part of the pre-game.
Blending in is not just a figure of speech. This Element is both the dry run to file off the last details, and a way to corroborate whether your intelligence was accurate. Observing the patterns is most likely a passive activity, where the target is not aware of your recon and surveillance. Blending in, on the other hand, is an active and more direct approach to information gathering and pattern recognition.
During this phase, the plan is Red Teamed in the field (or in the lab if you have a purely digital approach), where the next Element (Execute) is tried, albeit in a way that doesn’t tip off the target. During this phase, the last bit of information that can support the planning is collected. Things like wireless network information, physical information about the supply chain, and possible avenues of approach and exfil (escape) are collected and prepared. Everything is checked, and adjustments to the plans are made.
Then, the next step is to find the main vulnerability and attack it.
Every system can be defeated by understanding its weak point, and attacking it with full force. If you think of everything as a system that has vulnerabilities, it will get your mind in the right place. The weakest areas are usually the joints: where two networks connect, where one area of responsibility ends and another begins, etc. There is no such thing as seamless connection. Seek those areas and attack them.
In order to do this, you have to be able to blend in. Become part of your target. Act like you belong. Learn to be your target.
Execute
At the end of the day, it's all about execution.
You might have the perfect plan. Your team is ready and you have found the right things to exploit. You made a dry run. You ran your plan and contingencies. You saw what could break and what could go wrong. If you fail on the execution, then it's all worthless.
The previous 3 Elements were used to build this last one. At this point you should be ready, and things should click. Of course, beware of Murphy. He is there, always. And plans never work, so go in knowing that you will have to improvise or fall back on contingencies as soon as you hit your target. Whether digital or physical, things most likely will need to be modified and adapted to the ever-changing conditions in the field.
If you are stuck, run through the 4 Elements again: Observe the patterns, make a plan, blend in, and execute.
Now it’s time to execute to the best of your capabilities.
Note: posted originally on redteams.net.