How to build a red teaming playbook

Red teaming is an iterative process that includes three main components: recon, enumeration, and attack. First, we emulate a defined adversary (anything from a script kiddie to an APT threat actor). Then we iterate through the recon/enumeration/attack components repeatedly until we have obtained our defined goal, such as obtaining sensitive client data.

3 ways to obtain sensitive client data

1. Network-based tactics. This may include network enumeration, vulnerability scans (both network layer and application layer), and exploitation of vulnerabilities discovered.
2. Social engineering. This may include phone-based phishing, email-based phishing, or even in-person social engineering.
3. Physical intrusion. This may include picking locks, climbing through ceilings, or draping carpet over barbed wire fences and climbing over.

At any point in the red teaming process, any of these tactics can be performed interchangeably, depending on what leads us to our goal in the most effective way.

For example, during an assessment, we may perform network recon of the client's network perimeter and find that it’s locked down. At that point, if the client is permitted on-site assessment techniques, we may pose as a key figure that others typically trust (e.g., mail carriers, a key figure's relative) to gain entry inside the perimeter. With physical access, we would then be able to establish a foothold into the network (perhaps attach a wireless device to their network), from where we would do further recon.

5 things to consider when building a red team

Every red team assessment follows a different path, but it always has the same elements of recon, enumeration, and attack. When building a red team at your organization, talk to your key stakeholders and find out what really concerns them. Here are a few types of questions to consider when identifying what the goals of your red team assessments should be:

1. What types of things could happen in my organization that would cause it to go bankrupt? Exfiltration of sensitive client data? Prolonged service downtime?
2. What is the common infrastructure used throughout the organization (both hardware and software)? Is there some component that everything depends upon?
3. What are the most valuable assets in my organization (could be data or systems)? What happens if those get compromised?
4. Who will be performing the red team assessment? Will it be one person or 20? Will they have insider knowledge, or will it be a third-party firm? Should they have a lot of experience performing red team assessments? Or should they be fairly new so they can offer a fresh perspective on the process and targets?
5. Will we inform the blue team of the red team's activities? Or will we keep it a secret to see how they perform without knowledge of an ongoing attack?

There are no right answers to these questions, but you should consider them when building out your red team personnel.

How to choose the right red teaming tools

You must also determine what types of tools you’ll use in the attack. Some questions to ask include:

• Do I want to use open source tools like Kali and Metasploit, or do I prefer to buy tools like Canvas or Core Impact?
• Would I like to build our own in-house toolchain to perform our assessments?
• Do I want to do a combination of all of the above?

Whichever tools you choose, they’ll only be as good as the people using them. To perform a realistic red team exercise, no amount of automated tools will do as good of a job as a person who is using tools to follow the process of recon, enumeration, and attack. This is because tools miss things that clever red team assessors can understand.