It was early 2003 in central Iraq, a couple of hours before dawn, 30-degree heat, and everything had a green tint through the night vision goggles. I was on an operation with a team from the US Psychological Operations forces (psyops) and an ODA (Operational Detachment Alpha) from the US Special Forces. We’d spent days gathering HUMINT (Human Intelligence) and undertaking reconnaissance on the target. The ODA team was set up for the assault, the psyops were ready to run diversionary tactics, and I was on the team providing comms and perimeter security. Authorisation was given from above, the operation began, and the sky lit up with tracer rounds.
Fast forward to early 2021 in central England, and I’m sat in a car with a colleague undertaking covert reconnaissance on a building. This time there were no weapons; there would be no gunfire and no explosions. We were armed with hazelnut lattes, laptops, lock picks and various other gadgets to bypass security controls and access networks. The target on this occasion was a data centre.
Instead of HUMINT, we performed days of OSINT (Open Source Intelligence) on the organisation, looking for anything that would get us in, whether that be ID cards to clone, phone numbers to call or security systems to bypass. The intrusion started days before with a malicious phishing email that harvested credentials from a simple click of a link and a login to a cloned portal by an unsuspecting member of staff. Unbeknownst to the target, we were already in and snooping around the network. Our way into the building was not going to be through force, but through a crafted pretext that would gain trust and an acceptance that we should be there. The pretext would be that we were electricians surveying a lighting system. The security guard accepted this and we were in. With our issued RFID card, we had access to all floors. We planted a malicious device and made our exit. An hour later we were remotely accessing their internal networks.
The first scenario was in a war zone; the second was a Red Team Assessment authorised by a paying client to test various staff and network security policies. At a glance, they seem worlds apart and, in essence, they are. However, they have a number of parallels that require similar thought processes and skillsets. You certainly don’t have to have a military background to do red teaming, far from it. However, there are skills built up through time in the military that can certainly bring benefits to the world of Social Engineering and red teaming, both complementing and adding to an assessment.
There is a saying in the military, ‘Prior Planning and Preparation Prevent P**s Poor Performance’, ‘the 7 Ps’; it gets drilled into you from day one, and you get sick of hearing it as a junior soldier. Red Teaming is no different, and planning is essential to a successful engagement. The client wants you to test them; they’re paying lots of money for your skills, and they want you to achieve the goals set by them, using attack methods used by the very criminals that are likely to target their organisation. This is where those hours sat in an OP (Observation Post) or sifting through intelligence reports come to the fore. Whether you’re looking at an intelligence report or data found during OSINT, the same analytical skills are required to use that information to come up with a plan of action, a plan that will pass scrutiny and be adaptable to achieve the goal.
Both roles require a specific mindset; neither is for the faint-hearted, and both certainly demand a high level of confidence and security awareness to undertake. Working in a hostile environment, by virtue of what it entails, builds up that confidence and awareness.
Red Teaming is not just about testing the physical security of an organisation or challenging the policies of its staff. The majority of attacks on organisations are on their networks, so we use several covert network intrusion methods to gain a foothold on a network to egress or ingress data, move laterally around the network or simulate ransomware attacks. Unless you’re part of a military cyber unit, it’s unlikely you’ll have done any of this; I certainly hadn’t. This is where the hard studying comes in, but we’ve been here before, studying through phase 2 training, cadre courses and promotion. This is no different; it’s bringing in analytical thinking and situational awareness to solve a big puzzle.
We’re back to Iraq, the sun is up and the smoke has cleared: a successful operation with no casualties; now time to debrief. As with any military operation, a red teaming engagement ends with a debrief and a report. This is the deliverable the client ultimately pays for. They want to read a concisely written account of what you did, the impact on their business, the endpoints of any attack vector and how you moved around them. This is where soft skills come in, and they’re just as important, if not more important, than technical skills. The soft skills are what get you past the security guard or get the password from a vishing call. The soft skills are what help the client understand the impacts and how to remediate and communicate any issues to their staff members to help their awareness training.
As a military veteran, I feel the military is where I gained the skills to develop and undertake assessments for the Pentest People Red Team. However, as I said before, being in the military is not a prerequisite for red teaming; there are just some great skills that can complement such a team. A Red Team needs to be diverse; it needs people from all backgrounds, all walks of life, and with various skills to make it work.