The Challenges and Limitations of Red Team Operations Today

1 year ago I had read a very interesting article by Florian Roth, talking about the problem today of Red Teaming, I thought some parts were brilliant and decided to do my own. If you want to read his article, follow the link:

https://cyb3rops.medium.com/the-problems-with-todays-red-teaming-7b8ed1e735c9

Let's Go!

This article reflects only my opinion. If you disagree, your viewpoint is welcome. My intention is not to offend anyone or to upset any individual. Feel free to disregard this article if you wish.

Red Teaming is a crucial area for any company, understanding where it can be attacked and testing this scenario is the main objective of a Red Team. Their focus is to simulate attacks, understand APT groups, and put their tactics into practice to improve the company's defenses. However, there are some points that I notice from some colleagues in the field that I see as a problem:

1)Each has a defined schedule to conduct Red Team operations in their company, usually performed at least 2 or 3 times a year depending on the team's size. However, in some scenarios, operations end up not being as effective, and the main issue is that many professionals stick to basic formulas when conducting their campaigns, repeating frustrated attack attempts or focusing on scenarios that have no relative impact on the company's business. It is crucial for the Red Team to know their organization's attack surface and develop scenarios for it. For example, it is very common to see spear-phishing campaigns to obtain access credentials, but is that enough to assess a company's security and test the efficiency of its controls, processes, technology, and incident response? Is obtaining an access credential sufficient? Should the operation stop if a credential is collected or, conversely, if no credential is collected? The Red Team's goal is to simulate the experience of a motivated attacker as much as possible and use their skills to achieve this objective. Limiting oneself to a specific modus operandi or tactic is very restrictive; in this case, you are not even conducting a real operation but rather a simple campaign or specific test. A true operation involves planning, coordination, objectives, and motivations, much like in the military world. Therefore, limiting oneself to one modus operandi is not effective; preparing several plans is fundamental.

As Florian Roth says in his article, the Red Team tends to focus too much on a ready-made recipe and forgets the rest, i.e., focusing only on following an easier or more specific, shortened path to save time and meet the team's goal. This often results in not compromising the target, as they limited themselves to using only one privilege escalation technique or just performed persistence in the environment and ended the exercise, forgetting everything else such as exfiltrating data and performing lateral movements. However, this is just one of the paths an adversary will take in the end. Attacks are not always sophisticated; sometimes adversaries use modus operandi like smash-and-grab or short attack paths. Therefore, the Red Team's idea is to think: after the environment is compromised, what can an attacker do? If I exfiltrate data, would I be detected? How is the incident response in case of detecting abnormal behaviors in the environment?

Finally, Red Team Operators often worry too much about executing a perfect attack, which is not the point. Adversaries do not always create their own C2 agents/implants, have sophisticated evasion techniques, and usually use available tools on Github with small adaptations. However, I see that many operators are too concerned about the success of the attack, but that is not a simulation; it is merely attempts to evade solutions, which is indeed part of the Red Team. However, if you are detected, that is great. You do not need to panic and declare the exercise a failure. Try new approaches and strategies. Sometimes we do not need to "succeed" in our operations to achieve good results.

2) This second item is more about a point I notice among some professionals confusing the purpose of the MITRE ATT&CK framework. I see some treating it as a methodology, even though the purpose is clearly stated on the sites. These resources are very poorly used, with some limiting themselves to just replicating TTPs and following the entire MITRE ATT&CK map, but it is merely a knowledge base you can consult and use as a reference to build your emulation plan and assist in the red team's report. On the other hand, the Cyber Kill Chain is a model that describes an attack chain in 7 steps, being a way to base a Red Team operation and plan accordingly based on 7 steps.

But the main point of confusion is thinking one outshines the other, but they complement each other, which is why the Unified Cyber Kill Chain emerged. However, in general, some professionals think MITRE is all about taking the entire map and trying to cover it completely or think it is a methodology for executing operations. However, MITRE does not focus on detailing an attack chain but serves as a reference for you to build your attack chain based on TTPs and adversary group information.

3) Despite being redundant, no, the Red Team does not need to follow a ready-made recipe. The biggest mistake is thinking attacks have to be perfect and error-free, but in real life, attackers forget to obfuscate code, configure their domains correctly, perform adequate OPSEC, and use ready-made tools with signatures. Therefore, do not worry if there are detections. You only need to have resilience to improve your tactics as much as possible. Set objectives in your operations, knowing how to develop your own tools and malware is fundamental, but create more than one attack chain, focus on mixed modus operandi, study more than one APT group, and mix their techniques while knowing your company's business well.

"And for those wanting to enter the Red Team field, understand that it is a cycle of much learning. It is not limited to a certification or specific knowledge, as the day-to-day is very dynamic. Interestingly, I have friends who work in companies of different sectors and technologies, but no one was born knowing, and many did not enter the company with the expertise to conduct exercises, but they studied and sought knowledge in various ways. The main tip I give is not to stick to magic formulas; always think outside the box. To do this, you need to truly understand the cybersecurity landscape, know current and emerging technologies, and understand the threats they may face."