Common Ground: Planning is Key

Organizational Fit

Red teams generally do not fit well inside of an organization, as their job is to find flaws with hypotheses and poke holes in organizational plans and intentions. In the military’s doctrine for “Command Red Teams,” JP1–16 , it is stated:

Assessment Models

Overview

Over the past several years, I have seen various implementations of red team engagements and I believe there are considerable strengths in the different forms of engagements depending on the goals of the organization. The maturity of the organization influences the type of engagement they will benefit from most. It does not make much sense to carry out a full-scope, no-knowledge network red team engagement against a small office supplies distributor with no SOC or security personnel other than to show they will fail miserably at responding. This organization could be better served by a hands-on assessment with an abundance of information sharing between red and blue teams. Conversely, a large multinational company with a fleet of SOC personnel and established incident response and hunt teams could benefit greatly by a more independent red team with less blue team contact.

Full-Scope Assessment

A full-scope assessment is what you most often think of when people imagine a network red team. This is an assessment from an adversarial perspective with the purpose of engaging incident response to measure their ability to successfully respond. For this type of engagement, the threat the red team represents is generic rather than specific. As a generic threat, the red team has the freedom to utilize their own TTPs and tools as long as it aligns with the level of sophistication in the threat model (more on that below). This freedom truly exercises the IR process by not drawing a box around the activities of the red team.

  • It measures the ability to recognize and respond to unknown threats. The majority of realistic threats an organization faces will be unknown.
  • Allows for the comparison of previously unknown tactics with known signatures and intel to practice categorizing activity.
  • Training of personnel with their real tools in the real environment and a debrief on the results from the attacker perspective.
  • Exercise of the C3 plan and possibly contingency plans depending on the levels of compromise.
  • Training is self guided by the blue team and their management. Such training requires buy-in and the willingness to participate in the fullest capacity
  • Requires careful coordination with a trusted agent inside of the blue team. This relationship will ensure proper deconfliction and prevent the engagement from being “gamed”
  • Sometimes will require trial and error. The red team has to be threat representative and sometimes will underestimate/overestimate the abilities or maturity of the targeted

Red Cell Engagement (Threat Emulation)

In a red cell or threat emulation engagement, the level of sharing and training is similar to a full-scope assessment but instead of being generic, the red team will emulate a specific adversary. In this engagement, the team will need to study in-depth available intelligence on the known adversary and prepare to operate as such. They will mirror the TTPs and tools (if safe) of that adversary. This is a cutting edge area of red teaming and has numerous benefits:

  • It measures the ability to respond to known threats that are targeting or have previously targeted the environment. This is the equivalent of doing a retest or reenactment of previous activity (if it had occurred).
  • It tests the adequacy of threat intelligence teams, tools, managed defense teams or signatures in the environment.
  • In the private sector, very few threats are properly known or understood. Battling a known threat limits the training opportunity.
  • In the private sector, the detailed coverage of tradecraft of known adversaries is generally lacking outside of popular threat reporting. This means that the red team will be restricted to a small set of available data and might not adequately test the organization.
  • While sexy to the decision makers, this form of engagement provides less training to the defensive teams because it will restrict the red team from adapting rapidly like a real adversary.

Adversary Simulation

This engagement is a subset of a threat emulation exercise. In an adversary simulation, a very specific tactical scenario is devised for the red and blue team to work through. The red team is expected to act exactly as a specific threat while the blue team goes through the motions to train on that threat. These engagements are typically heavily scenario-based (rather than one large assessment) and time-constrained. The focus in this assessment is honing specific defensive TTPs or tools and educating the blue team about threats. This shares many of the benefits and downsides of a red cell.

Cooperative Engagement

A cooperative engagement similar to a full-scope engagement with a heavy focus on information sharing and hands-on training. Other teams frequently refer to these as purple teams . Throughout this engagement, the red team will provide debriefings to the blue team and possibly even task a defensive minded team member to sit with the blue team. The purpose of this interaction is to hone in on the malicious activities of the threat in the environment and use the tools at their disposal.

Threat Models

Microsoft defines threat modeling well:

Training Objectives

After deciding on the engagement model and identifying realistic threats to the organization, the red team must work with the stakeholders to identify the training objectives of the assessment. Due to the time-constrained nature of an assessment, specific goals for training are useful to maximize the value of the exercise. I define training objectives as:

Master Scenario Event List (MSEL)

In formal exercise planning, the teams typically form a Master Scenario Event List which is defined as:

Escalatory Events

I believe there is value in having defined specific “events” that are escalatory in nature. These are similar to the events defined in a MSEL but with a focused intent. In a number of major exercises I have participated in, the red team reaches the objective with zero detection. While this could be seen as a success of the red team because they have identified flaws, it also limits the exposure and training the blue team receives.

  • Action: Lockout Workstation Admin account
  • Time/Date: 1930 on June 23rd 2016
  • Red Team Procedure:
  • Utilize agent to attempt RDP access to a terminal server with a known bad password
  • Repeat previous step until lockout occurs
  • Indicators and Detection Methods
  • User Ticket Creation
  • Event ID 4740
  • Netflow traffic to/from Terminal Server after hours

Wrap Up

This post did not detail every facet of successful network red team planning, rather it attempts to highlight some planning components that will heavily shape a successful engagement. It also attempts to bring light to areas I have not seen discussed in depth related to network red teaming. In the end, the goal should be to execute a well-thought-out exercise with clear objectives and intentions for training all parties involved. This level of coordination and planning is useful for the blue team and allows for greater reception of the results at multiple levels in the organizations.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store