How to Create an Internal/Corporate Red Team

Simulating Adversaries Since 1984

Step 1 — Build Relationships with Blue

Step 2 — Unit Test Your Detections

Step 3 — Draft Your Rules of Engagement

Step 4 — Baby’s First Red Team Exercise

  • Pick a specific access objective, but keep it simple, such as access to an Accounting system or privileged access to an IT system. “King of the hill” could be a reasonable first objective, but it probably shouldn’t be the goal of a mature red team program.
  • Set up an internally hosted VM to run your single C2 server (for the first exercise, skip all of the drama of procuring external VMs for redirectors, DNS domains, categorization, etc.), but note that this completely sidesteps your egress stack, a very important source of telemetry. That tradeoff is worth making in exchange for a simple first exercise.
  • Use an “assume breach” methodology: ask your trusted agent to provide access to an internal target system (e.g. a workstation), then either prepare a payload to execute on that system or use the credentials provided to you to live off the land. Going full outside-to-inside is difficult (as it should be!), and your organization will gain more benefit from more repetitions of the post-exploitation part of the attack chain than from the initial access phase. (You’ll add initial access later.)

Step 5 — External Infrastructure

Step 6 — Advanced Objectives

Step 7 — More Initial Access Vectors

Timeline

Tim MalcomVetter

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter