Not all Red Teams are made the same

Posted by Rudy Mitra on Nov 6, 2020 4:45:50 PM
Rudy Mitra
Find me on:

Not all Red Teams are made the same

Red Team operations aren’t a standard cookie-cutter exercise. Every operation is tailored to achieve bespoke objectives while playing to the strengths and weaknesses of the organisation’s defences. Unlike Penetration Testing, which attacks the environment head-on with somewhat brutality, at The Missing Link, we design and plan Red Team operations to blend in with what’s normal in the environment while abusing weaknesses to achieve the objectives.

Just as every organisation’s operational environment is unique, every Red Team operation must be tailored for the environment, and every operator must adapt their tradecraft for a perfect fit.


The Art of Red Team Operations

An effective Red Team must strategically align with the organisation’s goals. We often see Red Team operations that succeed in reaching their defined objectives, but they underwhelmingly failed to provide any value to the organisation. To ensure that doesn’t happen, we always kick off Red Team operations with a design phase.

We study the organisation’s goals, their current environment – or how they perceive their current environment, where they want to go, and how they plan to get there. Then we analyse the data, identify critical factors, and put together an operational approach to shake their ground and challenge them.

By definition, the organisation will always strive to either change something for the better or maintain something that is considered good. When it comes to the organisation’s security posture, our Red Team will challenge the plan to ensure that:

  • The target state is better than the current state
  • The plan, if successful, will lead to the target state
  • The plan is achievable

This explanation is very conceptual – what does it look like in reality?
A recent example is a client that introduced a top-tier PAM solution into their environment to protect privileged accounts. They were in the process of onboarding all the privileged accounts into the solution and told us about it proudly during the kick-off workshop. We proposed to develop the operation around it to challenge that solution and see if it will indeed protect their privileged accounts. We will revisit this example later.

At the end of the design phase, we formalise the Red Team’s intent and then start detailed planning. We tailor every aspect of the execution plan to what we know about the environment to blend in and successfully negotiate the security controls they have in place.

Once we commence the execution of the plan, new information about the environment starts flowing. We absorb this information and adapt our approach and tradecraft accordingly.

If you ever watched a movie or a TV show about hackers, you’d think that during the execution phase, there is a lot of fast-paced hacking, but the reality is quite different. There is a lot of information on drawing boards, a lot of brainstorming and discussion, a lot of development work and testing in lab environments, and as little as possible execution in the target’s environment.

Even on the occasion that the Red Team decides to intentionally make noise and trip an alert, that activity is meticulously planned, in order to help ensure the Blue Team gets the most out of it.


The Science of Adversary Tactics

When our operators execute the Red Team’s plan, they must master the science of adversary tactics. They need to thoroughly understand their options when it comes to the different attack techniques that they can use in every given situation, and how to adapt their procedures or tools to fit the environment in which they operate.

Just like an artist can come up with a genius design but without mastering the science of the paint, brush, canvas, light and shadow, etc. the result will not be a masterpiece. Our operators must intimately understand operating systems, communications protocols, attack tools, human nature, business and IT processes, etc. We strive to seamlessly combine applicable elements of all these factors into every manoeuvre, and we always try to create a masterpiece.

The Red Team operators employ Tactics, Techniques, and Procedures (TTP) in their manoeuvre. Tactics are short-term tactical adversary goals during an attack, such as gaining an initial foothold or establishing a command and control channel with an implant. Techniques are the means of achieving these tactical goals, such as establishing a command and control channel over an application layer protocol and using an encrypted channel. Procedures are the detailed steps prescribing how to execute a technique. Our operators apply the “offence in-depth” principle to the TTPs, which allows them to modify procedures or choose an alternative technique altogether in order to succeed.

The team also works on original research and development projects to devise new techniques and create new tools to expand our ever-growing arsenal. Some of this work has been published in our research blog Shenanigans Labs and has been widely adopted by the offensive security community globally.


Result-Driven Operation

Our Red Team follows the idea of “transitioning from command and control to mission command”. The operators understand the intent and the objectives, and they have the freedom to make tactical decisions on the ground, and even deviate from the execution plan, to achieve their objectives. They will tenaciously work through any challenge to reach their goals.

Let’s revisit the example we gave in the beginning. Our Red Team infiltrated the organisation using a sophisticated phishing pretext with an elaborate payload that evaded all of the client’s defences. Once inside, the operators studied the environment and identified an attack path to compromise the workstation of a person with access to the shiny new PAM solution. Indeed, once they compromised his workstation, they did not have access to any privileged account. However, as soon as the user logged into the PAM solution with his strong password and MFA, the Red Team stole his browser cookie, hijacked his PAM session and gained privileged access to critical systems.

This eye-opening exercise demonstrated to the client that their plan to onboard all privileged accounts into the PAM solution would not improve their security posture unless also fully applying the clean source principle and using privileged access workstations.


Are You Ready for Red Teaming?

At The Missing Link, we’ve got a team of dedicated Red Team operators – among the most qualified in the world, ready to put your defences to the test in more ways than you can imagine.

We recognise that Penetration Testing and Red Teaming require different sets of skills and expertise. Our Red Team operators are well-versed in the art and science of adversary tactics, are specially trained to run red team operations, and conduct cutting-edge security research and development used by red teams throughout the industry, both in Australia and globally.

If you’re interested in Red Teaming and how it can help prepare your organisation to thwart a real attack, call us today. We’d love to chat through the options.

Red-Tem-CTAs_Email-4If you liked this article, you may also like:

Red Teaming and the origins of anonymous hacking

Red Teaming and Penetration Testing: what’s the difference?

Red Teaming: what does success look like?


Rudy Mitra

Marketing Specialist


If your network future-proofed?


Do you believe what you see?

What used to be an internet oddity has developed i...

The end of trust?

Trust no-one! The ‘Zero Trust’ approach sets up a ...