Red Team Fundamentals

Foundation

Red teaming is a goal-oriented, adversarial approach to testing security defenses by simulating real-world attacks. The primary objective is to achieve a specific mission (e.g., steal sensitive data, access the crown jewels) while remaining undetected, thereby exposing gaps in detection and response capabilities.

Core Principles

1. Goal-Oriented

Success is defined by achieving the objective, not finding vulnerabilities. If you can steal the data without exploiting any CVEs, that's a win.

2. Stealth-First

Avoid detection at all costs. Real attackers don't announce themselves. Use living-off-the-land techniques and avoid noisy tools like Nmap full port scans.

3. Realistic Adversary Emulation

Mimic real threat actors. Use the same TTPs, tools, and infrastructure that APT groups use. Don't use Metasploit if your adversary wouldn't.

4. Collaboration, Not Confrontation

Red teams exist to improve blue teams. The goal is to expose weaknesses so they can be fixed, not to embarrass defenders.

When to Conduct Red Team Operations

Red teaming is for mature security programs. Organizations should have:
  • • An established SOC with 24/7 monitoring
  • • Deployed EDR/XDR solutions
  • • Incident response procedures
  • • Regular vulnerability management
If your organization doesn't have these, start with penetration testing instead.

Red Team Methodology

Phase 1: Pre-Engagement

  • Define specific objectives (e.g., "Access the CEO's email and exfiltrate financial data")
  • Establish Rules of Engagement (ROE) with legal and C-suite approval
  • Conduct OSINT to understand the target organization
  • Build infrastructure (domains, C2 servers, phishing infrastructure)
  • Select adversary profile to emulate (e.g., APT29, FIN7)

Phase 2: Initial Access

  • Phishing campaigns targeting specific employees
  • Physical breach (tailgating, lock picking, RFID cloning)
  • Supply chain compromise (malicious USB drops, software supply chain)
  • External perimeter exploitation (VPN vulnerabilities, exposed services)

Phase 3: Establishment

  • Establish C2 beacon with secure, covert communication channel
  • Create persistence mechanisms for long-term access
  • Conduct internal reconnaissance to map the network
  • Identify high-value targets and credential access paths

Phase 4: Objective Completion

  • Lateral movement toward objective (e.g., domain admin access)
  • Privilege escalation to gain necessary permissions
  • Data exfiltration or objective completion
  • Maintain stealth throughout to test detection capabilities

Phase 5: Post-Engagement

  • Debrief with blue team to reveal tactics used
  • Compare red team actions with blue team detections
  • Deliver executive report with strategic recommendations
  • Conduct purple team exercises to improve specific detection gaps

Legal Protection is Critical

Always have signed authorization from C-level executives before starting. Include:
  • • Explicit scope (IP ranges, physical locations, employee targets)
  • • Out-of-scope items (production databases, critical systems)
  • • Emergency contacts and stop conditions
  • • Indemnification clauses

Related Topics

Adversary Simulation

Rules of Engagement

Internal Pentest