How to Create an Internal/Corporate Red Team

Simulating Adversaries Since 1984

Congratulations! Your organization has approved the creation of an internal Red Team program and tasked you to do it! Here are some quick easy tips to get this program off the ground as simply as possible, based on Q&A I have done with a number of old/mature corporate Red Teams, brand new corporate Red Teams, and lessons I’ve personally learned (some of which were the learned the hard way). I am publishing this here as a reference for others who reach out and request help getting their programs started. This is just one way you could do it — take it for what you paid for it.

Step 1 — Build Relationships with Blue

Also, repeat this periodically. At least annually, if not more often.

Step 2 — Unit Test Your Detections

You can check your detection coverage for FREE with Atomic Red Team, and if your organization likes it, you can scale up to a number of commercial products that can automate this for you. Run a test for a specific set of TTPs from the MITRE ATT&CK Matrix on various hosts with different vantage points on the network and check to see if they result in alerts to your SOC. If not, dig in with your SEIM and EDR/AV analysts and find out why not. The output of this should be a pretty good map for where your organization has good detection coverage and where it doesn’t. This is VERY PURPLE.

Bonus Points: dig into the specific test cases themselves and mutate a few details about them, to determine how brittle the detection is. For example, maybe your AV only detects the presence of Mimikatz by the nice French words that Benjamin Delpy put into its menu system, so modify those away, or compile modified source code and try again. Or maybe your EDR only detects live off the land binaries when they are executed from the path where they are installed by default, so copying them to a temporary directory or renaming them may break the detection. Use your imagination.

Step 3 — Draft Your Rules of Engagement

I strongly recommend you identify a “trusted agent” who will be a member of the Blue Team who is not in a direct response role for the exercise but can observe both sides’ activity transparently to ensure the rollercoaster stays on the rails. This person (or people) should also be responsible for grabbing copies of logs on systems that roll off quickly so better data is available during debrief, which could be several weeks later.

If you’re going to do physical (going onsite without authorization) attempts at initial access, now is also a good time to figure out who from the physical security side will be your backstop for escalations and approvals. I recommend approaching this person with the attitude of “we are going to use physical means to access cyber resources” which clearly respects the ownership of physical security with the leadership that is likely outside of the Information Security department. You are not trying to take their job; you are showing the blend of the two disciplines has a legitimate impact to the “cyber” aspects of your organization.

Step 4 — Baby’s First Red Team Exercise

I recommend the following:

  • Pick a specific access objective (but keep it simple, like access to an Accounting system, or privileged access to an IT system); “king of the hill” could be a reasonable first objective, but probably shouldn’t be the goal of a mature red team program.
  • Setup an internally hosted VM to run your single and only C2 server (for the first one, skip all of the drama of procuring external VMs for redirectors, DNS domains, categorization, etc.), but note that this completely avoids a very important set of telemetry with your egress stack. The tradeoff is welcome in exchange for a simple first exercise.
  • Use an “assume breach” methodology: ask your trusted agent to provide access to an internal target system (e.g. workstation), and prepare a payload to execute on a target system or use credentials provided to you to live off the land. Going full outside-to-inside is difficult (as it should be!) and you will gain more benefit to your organization by getting more repetitions in with the post-exploitation part of the attack chain, than the initial access phase. (You’ll add this in later.)

Because of Step 2, your Red Team will know where your organization’s detections are strong and where they are weak (or non-existent). Use these strategically. For example, perhaps you can identify a chain of TTPs that do not have solid detections that can be used to reach your objective. Once the objective is reached, you can choose to use some of the TTPs that do have solid detections to effectively raise the alarm bell and create an opportunity to test the organization’s ability to respond to the alert and contain the threat. Or, sprinkle in a mix of known detected and known undetected TTPs to create an event to which the Blue Team can respond prior to reaching the objective.

After the exercise is complete, ask the larger Purple Team the following 3 questions: what went well, what did not go well, and what should we change?

And repeat those 3 questions after every exercise going forward.

Step 5 — External Infrastructure

Start with Domain Fronting (if that’s still available for CDNs that you are allowed to use) or use a whitelisted domain, such as a free DNS domain suffix provided by any of the common cloud providers. This will get you a mostly categorized and definitely aged DNS domain to make your first external redirector simple. You can even ask a Trusted Agent to specifically whitelist the domain as assistance for a first exercise.

Over time, add in complexity:

- Multiple redirectors/domains for different compromised hosts

- Separate domains/infrastructure for staging and gating payloads

- Different external hosting providers to start adding in variety

- DNS domains that the Red Team procures, ages, and categorizes

Open up your creativity, while continuing to use a mix of known detected and undetected TTPs, just like in Step 4.

Step 6 — Advanced Objectives

For example, if your organization’s top threats are FIN actors, pick data objectives and TTPs that match. This could be emulation of a specific threat actor group, or more likely, a collection of TTPs from a composite of several similar threat actors. Also, modify your target objectives to match. A FIN group probably doesn’t want long term sneaky access — they want to smash and grab monetizable data. A nation state APT, by comparison, probably does want long term sneaky access, and probably doesn’t care about things like credit cards. Leverage your threat intel program for this information, if possible.

Step 7 — More Initial Access Vectors

There are primarily 5 ways an organization can be breached. It’s important at some point to begin to move away from the assumed breach methodology and start from the outside in using those 5 methods of initial access, because that’s how real breaches happen and as a result that will train responders to see all of the event breadcrumbs of a real attack. The level of time commitment here will vary with each organization, its size/scale, and the talent and specialties of members on the Red Team.

Definitely spend time looking at email-borne phishes as a means of external-to-internal access, because these happen to major organizations every single day and are the biggest threat by volume. While I do not recommend that you limit your Red Team to only the email-borne phish vector, I do recommend that you take a phased approach and focus only on one at a time.

As you continue to ask the team “what went well, what didn’t go well, what should we change?” after each exercise, you will likely see patterns emerge for certain skillsets that would be beneficial on the team. Use that knowledge to shape future hires when expanding the Red Team, so that you can feel comfortable with any of the 5 methods of initial access.

Timeline

Most brand new Red Teams tend to underestimate the amount of time that is necessary for a new exercise, basing it upon their past experiences with penetration tests. A 3–4 week penetration test is a long test, but it’s a short Red Team exercise, especially as you get to Step 5 and have to spend time setting up and aging external infrastructure.

I would expect a new Red Team program to take as long as 2 years or more before they’re likely really ready to start digging into Step 6 or 7, but overall this is just one set of recommendations and you may be successful blending the steps or even doing a couple of them in parallel. Overall, a large and well equipped team could follow the steps laid out above for several years before they run out of areas to work on. By then, you’ll have lessons to share back with us.

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter