Each Red Team Operation is conducted using globally accepted, industry-standard frameworks that together make up our red teaming methodology. At a minimum, the underlying framework draws on the NATO CCDCOE, OWASP, PTES and the US Army Red Teaming Handbook v7, but it goes beyond those frameworks themselves.
Red Teaming Steps
Reconnaissance
The first phase of a red team operation focuses on collecting as much information as possible about the target. Reconnaissance, also known as Information Gathering, is one of the most critical steps. It relies on public tools and sources such as Maltego, LinkedIn, Google, Twitter, Facebook and Google Earth. As a result, it is usually possible to learn a great deal about the target's people, technology, surroundings and environment. This step also involves building or acquiring tools specific to the engagement.
Open Source Intelligence Gathering
This phase focuses on collecting information about infrastructure, facilities and employees. Open Source Intelligence (OSINT) gathering can reveal a great deal about a target, its people, its facilities and its technical makeup: physical and logical security controls, foot traffic, terrain, infiltration and exfiltration points, and so on. Thorough analysis of this material begins to paint a picture of the target and its primary operations.
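As an added example (not part of RedTeam Security's methodology or tooling), the following Python shows one concrete use of the people-focused reconnaissance and OSINT steps above: names harvested from public profiles or directories are normalised and turned into candidate corporate e-mail addresses, once a single real address (a press contact, for instance) has revealed the organisation's address format. The names, the domain example.com, the known address and the set of address formats are all constructed assumptions for the example.

```python
# Added example: candidate e-mail addresses from harvested names plus an observed
# address format. All input data below is constructed; example.com is an assumption.
import re
import unicodedata

# Constructed sample input: names as they might be copied from a public
# employee directory, social profile or conference programme.
HARVESTED_NAMES = [
    "Jane Doe",
    "José Álvarez-Ruiz",
    "Dr. Mary Ann O'Neil",
    "Li, Wei",             # "Last, First" form
    "  jane doe ",         # duplicate with stray whitespace
]
DOMAIN = "example.com"     # assumption: the target's mail domain

# Honorifics that must not be mistaken for a first name.
TITLES = {"dr", "mr", "mrs", "ms", "prof"}

# Common corporate local-part conventions (assumed set, not exhaustive).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first":      lambda f, l: f,
}


def normalize_name(raw):
    """Return (first, last) as lowercase ASCII, or None if the name is unusable."""
    if "," in raw:                                   # "Last, First" -> "First Last"
        last, first = [p.strip() for p in raw.split(",", 1)]
        raw = f"{first} {last}"
    # Strip accents, then drop anything that cannot appear in a local part.
    ascii_name = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    ascii_name = re.sub(r"[^A-Za-z\s\-]", "", ascii_name)
    parts = [p.lower() for p in ascii_name.split() if p.lower() not in TITLES]
    if len(parts) < 2:                               # single names give no usable pair
        return None
    first, last = parts[0], parts[-1].replace("-", "")
    return first, last


def infer_format(known_address, known_name):
    """Return the FORMATS key that reproduces a known address, or None."""
    local = known_address.split("@", 1)[0].lower()
    norm = normalize_name(known_name)
    if norm is None:
        return None
    for name, fmt in FORMATS.items():
        if fmt(*norm) == local:
            return name
    return None


def candidate_addresses(names, domain, fmt_name):
    """Build a de-duplicated candidate list, preserving harvest order."""
    fmt = FORMATS[fmt_name]
    seen, out = set(), []
    for raw in names:
        norm = normalize_name(raw)
        if norm is None:
            continue
        addr = f"{fmt(*norm)}@{domain}"
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


if __name__ == "__main__":
    # Constructed: one address seen in a press release, with its owner's name.
    fmt = infer_format("Jane.Doe@example.com", "Jane Doe")
    for addr in candidate_addresses(HARVESTED_NAMES, DOMAIN, fmt):
        print(addr)
```

The format inference is only as good as the one known address: if no convention reproduces it, `infer_format` returns None and the operator has to look for a second example rather than guess. The resulting list is what later phases (phishing pretexts, scoping of password sprays) consume, which is why de-duplication and consistent normalisation matter more than the cleverness of any single format rule.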
Weaponization
Effective weaponization means preparing the operation for the specific target, taking full account of the intelligence gathered during reconnaissance. This commonly includes crafting custom malicious file payloads, preparing RFID cloners, configuring hardware trojans, acquiring social engineering costumes, creating falsified personas and companies, and much more.
Delivery
The Delivery stage marks the active launch of the operation and is a critical part of the execution phase. Here, RedTeam consultants carry out the actions against the target(s) intended to reach the Red Team Operation's goals: physically cloning badges, social engineering targets face-to-face, probing for cyber vulnerabilities, planting hardware trojans for remote network persistence, and so on. One of the most important objectives at this stage is to identify the best opportunities for exploitation.
Exploitation
Exploitation is exactly what it sounds like. At this point the goal is to break in: compromise servers, applications and networks; bypass physical controls (e.g. gates, fences, locks, radar, motion detection, cameras); and exploit target staff through social engineering in person or by email, phone, fax or SMS. The exploitation stage sets up the escalation and installation phase.
Installation
The installation stage's primary goal is to establish persistence. This can be cyber persistence or physical persistence, although cyber persistence is generally somewhat more common. During this stage, RedTeam establishes a beachhead by building on the access gained during exploitation. Privilege escalation on compromised servers, deployment of shells and malicious file payloads, and the use of physical key impressions and lock-picked doors all happen here.
Command & Control
Maintaining persistence is the goal of Command & Control. Also generally cyber-focused, this is where RedTeam takes steps to ensure that remote access to exploited systems is stable and reliable, setting the stage for data exfiltration and other post-exploitation tasks. On the physical and social side, the key is manipulating people into enabling the circumvention of physical barriers in order to create backdoors into facilities.
Actions on Objective
During this phase of a Red Team Operation, the team aims to complete the mission and realize the objectives agreed upon by the client and RedTeam Security. Actions on objective happen through lateral movement across the cyber environment as well as the physical facilities: pivoting from compromised systems and from breached physical security controls, all while capturing video, audio and photographic evidence to support each finding.
Ultimately, the team aims to exfiltrate data, information or physical assets the target deems critically sensitive.
Learn more about RedTeam Security's advanced Application, Network and Physical Penetration Testing, Social Engineering and Red Teaming services.