# Strategy for Building a Red Team
Progress: Outline
Over the last eight years, I've been a member of or a lead on Red Teams at various large software companies. Those experiences have shaped how I view Red Teaming and will likely shape my writing. I'm not interested in declaring the conclusive definition of Red Teaming, nor in debating the term; I'm only interested in documenting my strategy for building and operating Red Teams. This repo is also not an operational how-to guide for Red Teaming: such a guide would likely need updating immediately after being written. I recommend using the publicly available resources in the community to learn the how-to, as those are the same resources I used to become employed as a Red Teamer.
I have the following goals when working as a Red Teamer:
- Discover and remediate issues before attackers of any skill level find them
- Collect data to discover systemic issues (root cause analysis and remediation)
- Collaborate with Blue Teams, SOCs (Security Operations Centers), and Incident Responders so they are better able to disrupt and stop real-world attackers from reaching their goals
- Tell Red Team stories to executives that will inspire them to implement company-wide change
## Team building
- Roles (Operator, Infrastructure, Researcher, Tool Developer)
- Sourcing talent
- Interviewing
- Hiring
- Interns
## Documentation
- Rules of engagement
- TTP (Tactics, Techniques, and Procedures)
- Strategy Guides
- Operational Guides
## Communication
- How to engage the Red Team
- Deconflicting Red Team Activity
- Strategy vs Operations
## Planning
- Roadmaps
- Initiatives
## Team capabilities
- Research
- Exploit development
- Tool development
- Automation
- Command and control
## Mapping the business
- Business units
- Deployments
- Public code
- Private code
- Packages
- Public websites
## Testing
- Shared Recon
- Continuous
- Data over new testing
- Likelihood
- Systemic issues
## Reporting
- Tickets
- Attack Maps
- Reports
- Dashboards
- Readouts
- Data