Post

Red Team Fundamentals and Methodologies

Posted Updated
By bughra
10 min read
Red Team Fundamentals and Methodologies

Introduction to Red Teaming

Red teaming is an advanced form of security assessment that simulates real-world attacks against an organization’s people, processes, and technology to identify vulnerabilities and test defensive capabilities. Unlike traditional penetration testing, red teaming adopts an adversarial approach, emulating threat actors’ tactics, techniques, and procedures (TTPs) to provide a realistic evaluation of security posture.

Core Principles

  • Adversary Emulation: Mimicking the behavior of specific threat actors relevant to the target organization
  • Stealth & Persistence: Operating with minimal detection for extended periods
  • Comprehensive Scope: Testing across technical infrastructure, physical security, and human factors
  • Realistic Scenarios: Using plausible attack chains that reflect actual threats
  • Objective-Driven: Focusing on specific high-value targets and business impacts

Red Team vs Penetration Testing

AspectRed TeamPenetration Testing
GoalAssess detection & response capabilitiesFind and exploit vulnerabilities
ScopeBroad, often includes multiple attack vectorsTypically limited to specific systems
KnowledgeLimited information (black box)Often detailed information (white/grey box)
TimeframeExtended (weeks/months)Limited (days/weeks)
StealthCritical componentNot typically prioritized
Target AwarenessLimited or no prior notificationUsually announced and coordinated

Red Team Fundamentals

Red Team Mindset

The red team mindset requires shifting perspective from defensive to offensive thinking:

  • Adaptive Problem Solving: Overcoming obstacles through creative solutions
  • Persistence: Continuing efforts despite setbacks and roadblocks
  • Situational Awareness: Understanding the environment and adapting accordingly
  • Continuous Learning: Staying current with evolving threats and techniques
  • Ethical Boundaries: Operating within defined scope and rules of engagement

Red Team Engagement Types

  • Full-Scope: Comprehensive assessment including technical, physical, and social engineering
  • Targeted: Focus on specific critical assets or systems
  • Assumed Breach: Beginning with access already established to test post-compromise controls
  • Purple Team: Collaborative approach with defenders actively involved
  • Tabletop Exercises: Scenario-based discussions without actual system exploitation

Red Team Methodologies and Frameworks

The Cyber Kill Chain (Lockheed Martin)

Seven phases of a targeted attack:

  1. Reconnaissance: Gathering information about the target
  2. Weaponization: Preparing malware or exploit packages
  3. Delivery: Transmitting the weapon to the target environment
  4. Exploitation: Executing code on the target system
  5. Installation: Establishing persistence
  6. Command & Control (C2): Creating a communication channel
  7. Actions on Objectives: Accomplishing the attack goals

MITRE ATT&CK Framework

A knowledge base of adversary tactics and techniques based on real-world observations:

  • Initial Access: Techniques to gain entry into a network
  • Execution: Techniques to run attacker-controlled code
  • Persistence: Maintaining access across system restarts
  • Privilege Escalation: Gaining higher-level permissions
  • Defense Evasion: Avoiding detection
  • Credential Access: Stealing account names and passwords
  • Discovery: Learning about the environment
  • Lateral Movement: Moving through the environment
  • Collection: Gathering data of interest
  • Command and Control: Communicating with compromised systems
  • Exfiltration: Stealing data
  • Impact: Manipulating, interrupting, or destroying systems and data

Red Team Operations Framework

  1. Planning & Preparation
    • Defining objectives and scope
    • Threat intelligence gathering
    • Team organization and resource allocation
  2. Intelligence Gathering
    • Open-source intelligence (OSINT)
    • Target profiling
    • Network and infrastructure mapping
  3. Assessment & Analysis
    • Vulnerability identification
    • Attack vector prioritization
    • Defense capability evaluation
  4. Execution
    • Initial compromise
    • Persistence establishment
    • Privilege escalation
    • Lateral movement
    • Data exfiltration
  5. Reporting & Remediation
    • Documentation of findings
    • Attack path visualization
    • Mitigation recommendations
    • Knowledge transfer

Planning and Preparation

Rules of Engagement (ROE)

A formal document defining:

  • Scope: Systems and networks in-scope and out-of-scope
  • Timeframe: Start and end dates for the assessment
  • Constraints: Prohibited actions and techniques
  • Authorization: Written approval from appropriate stakeholders
  • Communication Plan: Points of contact and escalation procedures
  • Safe Harbor: Protection for the red team from legal consequences

Target Selection and Prioritization

  • Crown Jewels Analysis: Identifying the organization’s most valuable assets
  • Threat Modeling: Understanding likely adversaries and their capabilities
  • Attack Surface Analysis: Mapping potential entry points
  • Impact Assessment: Evaluating potential damage from compromises

Team Composition and Roles

  • Red Team Lead: Overall management and client communication
  • Technical Lead: Technical direction and tooling decisions
  • Operators: Specialists in different attack vectors
  • Infrastructure Manager: C2 infrastructure and operational security
  • White Cell/Exercise Control: Independent observers ensuring adherence to ROE

Intelligence Gathering Phase

OSINT Collection

  • Digital Footprint Analysis: Websites, domains, subdomains
  • Employee Information: Professional profiles, organizational charts
  • Technology Stack: Used applications, frameworks, infrastructure
  • Document Metadata: Information leaked in public documents
  • Social Media Analysis: Company and employee presence

Technical Intelligence

  • Network Scanning: Identifying active hosts and services
  • Service Enumeration: Determining running applications
  • Vulnerability Scanning: Identifying potential weaknesses
  • Cloud Resource Discovery: Identifying cloud assets and configurations
  • Wireless Network Analysis: Discovering and assessing wireless networks

Physical Intelligence

  • Facility Reconnaissance: Building layouts, entry points, security controls
  • Security Personnel Assessment: Patterns, procedures, response capabilities
  • Physical Security Controls: Badges, locks, cameras, sensors

Execution Phase Techniques

Initial Access Vectors

  • Phishing Campaigns: Targeted emails with malicious attachments or links
  • Social Engineering: Manipulating personnel to divulge information or perform actions
  • External Vulnerability Exploitation: Leveraging vulnerabilities in external-facing systems
  • Physical Access: Gaining unauthorized entry to facilities
  • Supply Chain Compromise: Targeting third-party providers with access to the organization
  • Wireless Access: Exploiting insecure Wi-Fi networks

Persistence Mechanisms

  • Persistent Malware: Implants that survive system reboots
  • Backdoor Accounts: Creating or modifying user accounts
  • Scheduled Tasks/Jobs: Executing code at regular intervals
  • Registry Modifications: Altering Windows Registry for automatic execution
  • Boot/Logon Scripts: Running code during system startup or user login
  • Legitimate Tool Abuse: Using built-in features for malicious purposes

Privilege Escalation

  • Vulnerability Exploitation: Leveraging local security flaws
  • Credential Theft: Capturing and reusing authentication credentials
  • Access Token Manipulation: Impersonating other users or processes
  • DLL Hijacking: Forcing an application to load malicious code
  • Group Policy Abuse: Exploiting misconfigured policies

Defense Evasion

  • Living Off The Land: Using legitimate tools and binaries
  • Fileless Malware: Operating entirely in memory
  • Timestomping: Modifying file timestamps to avoid detection
  • Indicator Removal: Clearing logs and evidence
  • Traffic Obfuscation: Disguising C2 communications
  • Process Injection: Hiding code within legitimate processes

Lateral Movement

  • Pass the Hash/Ticket: Reusing credential hashes without knowing passwords
  • Remote Service Exploitation: Leveraging vulnerabilities in internal services
  • Internal Spear Phishing: Targeting users from compromised accounts
  • RDP/VNC/SSH Hijacking: Taking over existing remote sessions
  • WMI/PowerShell Remoting: Using administrative tools for remote execution

Command and Control (C2) Infrastructure

C2 Architecture

  • Infrastructure Planning: Designing resilient and covert communication channels
  • Domain Selection: Using domains that blend with normal traffic
  • Traffic Blending: Making C2 traffic appear legitimate
  • Redirectors: Implementing intermediary systems to hide true C2 servers
  • Fallback Mechanisms: Creating redundant communication paths

C2 Communication Methods

  • HTTP/HTTPS: Web-based communications
  • DNS Tunneling: Hiding data in DNS queries
  • Domain Fronting: Leveraging trusted domains for communication
  • Protocol Tunneling: Encapsulating C2 in legitimate protocols
  • Covert Channels: Using unconventional methods (timing, steganography)

Data Collection and Exfiltration

Data Identification

  • Target Data Location: Finding valuable information
  • Data Classification: Prioritizing based on sensitivity and value
  • Access Methods: Determining how to access target data
  • Volume Assessment: Estimating data volumes for exfiltration planning

Exfiltration Techniques

  • Protocol Tunneling: Hiding data in legitimate traffic
  • Steganography: Concealing data within other files or communications
  • Staged Exfiltration: Moving data to intermediate collection points
  • Timed Exfiltration: Transferring during periods of lower scrutiny
  • Size Management: Breaking large files into smaller chunks

Operational Security

Infrastructure Management

  • Anonymous Infrastructure: Using non-attributable servers and domains
  • Tiered Architecture: Separating operational infrastructure from attribution
  • Domain Rotation: Regularly changing C2 domains
  • Traffic Obfuscation: Disguising malicious traffic as legitimate
  • Infrastructure Compartmentalization: Limiting damage from infrastructure discovery

Communication Security

  • Encrypted Channels: Protecting data in transit
  • Out-of-Band Communication: Using separate channels for team coordination
  • Secure Authentication: Protecting access to team resources
  • Time-Based Operations: Conducting activities during optimal timeframes
  • Minimal Command Execution: Limiting actions to reduce detection chances

Documentation and Reporting

Engagement Documentation

  • Activity Logs: Detailed record of all actions taken
  • Evidence Collection: Screenshots, data captures, and artifacts
  • Timeline Reconstruction: Chronological sequence of events
  • Attack Path Mapping: Visual representation of compromise routes
  • Tool and Command Usage: Documentation of all tools employed

Report Components

  • Executive Summary: High-level overview for leadership
  • Methodology: Detailed approach and framework
  • Findings: Vulnerabilities and weaknesses discovered
  • Attack Narratives: Storyline of successful compromises
  • Risk Assessment: Impact and likelihood analysis
  • Strategic Recommendations: Long-term security improvements
  • Tactical Recommendations: Specific vulnerability fixes
  • Metrics and Statistics: Quantitative analysis of the assessment

Adversary Emulation

Threat Intelligence Integration

  • Threat Actor Profiling: Understanding relevant adversaries
  • TTP Mapping: Aligning techniques with threat actors
  • IOC Awareness: Knowledge of indicators associated with threats
  • Campaign Simulation: Replicating known attack campaigns
  • Tools and Malware: Emulating attacker toolsets

Specific Adversary Scenarios

  • Nation-State Emulation: Sophisticated, persistent, and targeted attacks
  • Criminal Group Emulation: Financial motivation and specific TTPs
  • Hacktivist Emulation: Ideology-driven attack patterns
  • Insider Threat Emulation: Testing against internal threat actors
  • Supply Chain Emulation: Attacks through trusted relationships

Measuring Red Team Effectiveness

Success Metrics

  • Time to Detection: How quickly defenders identify attacks
  • Time to Containment: Speed of response after detection
  • Coverage: Percentage of tested controls that were effective
  • Objective Achievement: Success rate in reaching defined goals
  • Security Control Validation: Effectiveness of specific controls
  • Mean Time to Compromise: Average time required to achieve objectives

Continuous Improvement

  • Lessons Learned: Documenting and applying insights from operations
  • TTPs Refinement: Updating techniques based on effectiveness
  • Threat Intelligence Integration: Incorporating new adversary behaviors
  • Tool Enhancement: Developing and improving custom tools
  • Team Development: Enhancing operator skills and knowledge

Ethical Guidelines

  • Authorized Access: Only accessing systems with proper approval
  • Data Protection: Safeguarding sensitive information encountered
  • Responsible Disclosure: Following established protocols for vulnerabilities
  • Proportional Impact: Minimizing operational disruption
  • Professional Conduct: Maintaining professional behavior throughout
  • Clear Authorization: Formal written approval for all activities
  • Scope Boundaries: Strict adherence to defined scope
  • Data Handling: Compliance with privacy regulations
  • International Considerations: Awareness of cross-border legal issues
  • Documentation: Maintaining records of authorization and activities

Advanced Red Team Concepts

Advanced Persistent Threat (APT) Simulation

  • Long-term Campaigns: Extended operations over weeks/months
  • Slow and Low Approach: Minimizing detectability through patience
  • Multi-phase Operations: Executing complex multi-stage attack chains
  • Custom Tooling: Developing or modifying tools for specific environments
  • Counter-Intelligence: Adapting to defensive responses

Zero-Day Exploitation

  • Vulnerability Research: Discovering unknown vulnerabilities
  • Exploit Development: Creating custom exploitation code
  • Weaponization: Packaging exploits for operational use
  • Responsible Handling: Managing zero-day findings ethically
  • Alternative Paths: Finding ways around patched vulnerabilities

Hardware-Based Attacks

  • Physical Implants: Hardware devices for persistent access
  • BIOS/UEFI Attacks: Targeting firmware level security
  • Side-Channel Attacks: Exploiting physical implementation weaknesses
  • Hardware Security Bypasses: Circumventing hardware security features
  • Supply Chain Interdiction: Intercepting and modifying hardware

Common Tools and Frameworks

Reconnaissance Tools

  • Recon-ng: Web reconnaissance framework
  • Maltego: Visual link analysis for information gathering
  • SpiderFoot: OSINT automation tool
  • Amass: Network mapping of attack surfaces
  • Shodan/Censys: Search engines for internet-connected devices

Exploitation Frameworks

  • Metasploit Framework: Comprehensive exploitation toolkit
  • Cobalt Strike: Advanced adversary simulation platform
  • Empire: PowerShell post-exploitation framework
  • Sliver: Cross-platform adversary emulation framework
  • Immunity Canvas: Commercial exploitation framework

Command and Control

  • Covenant: .NET-based C2 framework
  • Mythic: Multi-platform C2 framework
  • SILENTTRINITY: Python and .NET-based C2
  • Merlin: HTTP/2-based C2 framework
  • Havoc: Modern C2 framework

Post-Exploitation

  • Mimikatz: Credential harvesting and authentication package manipulation
  • PowerSploit: PowerShell post-exploitation framework
  • BloodHound: Active Directory attack path visualization
  • CrackMapExec: Network lateral movement toolkit
  • Rubeus: Kerberos abuse toolkit

Physical Security Tools

  • Proxmark: RFID hacking toolkit
  • LockPickingLawyer: Lock bypass techniques
  • Packet capture tools: WiFi traffic analysis
  • Badge cloners: Access card duplication equipment
  • Dropboxes: Physical devices left for remote access
  • AI-Enhanced Attacks: Leveraging machine learning for attack optimization
  • Cloud-Native Attacks: Specialized techniques for cloud environments
  • DevSecOps Integration: Red teaming throughout development cycles
  • Automated Red Teaming: Continuous automated testing
  • Quantum Computing Impacts: Preparing for post-quantum security

Purple Team Integration

  • Collaborative Assessments: Joint red and blue team exercises
  • Real-time Feedback: Immediate defensive insight during operations
  • Capability Development: Building detection and response capabilities
  • TTP Validation: Confirming effectiveness of attack techniques
  • Defensive Improvement Cycles: Iterative security enhancement process
Exploitation, Red Teaming
This post is licensed under CC BY 4.0 by the author.