The first 90 days of a new Red Team

When creating a new Red Team, the first 90 days are crucial for establishing a solid foundation that ensures long-term success.

Team Structure and Roles

Building a Red Team requires a mix of technical, tactical, and strategic roles to ensure comprehensive assessments of the security landscape.

Key roles to establish:

• Red Team Manager/Lead: The strategic leader who defines the team’s mission, aligns it with organizational goals, and ensures governance. They act as the liaison with senior leadership, communicating risks and results.

• Operators (Red Team Analysts): These team members execute day-to-day operations, including reconnaissance, exploitation, and post-exploitation activities. They specialize in adversary emulation, focusing on stealth and persistence.

• Tool Developers/Engineers: Individuals responsible for building and maintaining the infrastructure used by the Red Team, such as custom exploit tools, Command and Control (C2) frameworks, and automation scripts.

Governance of the Red Team

Effective governance is the backbone of a well-functioning Red Team. It ensures that operations align with organizational goals and regulatory requirements, while maintaining transparency and accountability.

Key governance elements to focus on during the first 90 days:

• Establish a Red Team Charter: This document defines the mission, objectives, scope, and boundaries of Red Team operations. The charter should clearly outline the types of activities the team will engage in, including adversary emulation, vulnerability discovery, and scenario-based testing.

• Define Reporting Lines and Accountability: Red Team activities often involve sensitive operations. It’s crucial to establish clear reporting structures to ensure oversight. Define which stakeholders need to be informed (CISO, senior leadership) and at what stages.

• Adherence to Legal and Compliance Requirements: Operations should always align with legal standards and organizational policies. Engage with legal teams to ensure that Red Team activities (such as penetration testing or phishing exercises) comply with laws and industry regulations (e.g., GDPR, HIPAA).

• Governance of Access and Authorization: Implement robust identity and access management policies to ensure that only authorized individuals have access to Red Team tools and data.

• Meeting with Security Leadership: Align expectations, goals and KPIs.

Attack Surface Analysis

Key steps to analyzing the attack surface in the first 90 days:

• Mapping the Attack Surface: Identify exposed assets, critical services, and potential attack vectors (passive and active reconnaissance).

• Conduct Vulnerability Scans (Internal and External): Use vulnerability scanning tools to identify critical flaws.

• Leverage Threat Intelligence Tools: Collect relevant information about external threats and groups that may target your organization.

Infrastructure and Technology

The technical infrastructure for a Red Team must support both stealth and flexibility, while minimizing the risk of discovery by the Blue Team or operational impact on production systems.

Key technology considerations for the first 90 days:

• Command and Control (C2) Infrastructure:

  • Set up a secure, isolated environment for C2 operations using tools like Cobalt Strike or Sliver. Ensure the C2 infrastructure can handle varied scenarios, such as long-term persistence and rapid exploitation.

• Testing Environment:

  • Create segmented testing environments to avoid unintended disruptions in production. A robust sandbox is essential for running simulated attacks, malware detonation, and testing evasion techniques.

• Tool Development:

  • Build or acquire custom tools for exploitation, privilege escalation, and persistence. Rely on both open-source and proprietary tools but also develop internal capabilities to avoid detection by known security solutions.

Documentation

The documentation created in the first 90 days will serve as a foundation for all future operations and strategic decisions. Thorough and accessible documentation ensures that knowledge is retained, even as team members change.

Essential documents to create:

• Red Team Charter: A high-level document outlining the mission, objectives, and governance protocols.

• Threat Emulation Plan: A detailed document defining the tactics, techniques, and procedures (TTPs) to be emulated during Red Team engagements. This should align with known adversary behavior using frameworks like MITRE ATT&CK.

• Incident Handling and Coordination Playbooks: Clear playbooks for how the Red Team interacts with Incident Response teams during operations.

• Reporting Templates:

  • Operation Reports: Templates for documenting objectives, attack paths, discovered vulnerabilities, and impact analysis.

  • Executive Reports: High-level reports tailored to leadership, focusing on business impact and remediation recommendations.

• Develop a report template that addresses results, impact, recommendations and KPIs.

First Red Team Campaign

The first Red Team campaign is a critical milestone. It sets the tone for future operations and demonstrates the value of the team to the organization. For this first campaign, the focus should be on adversary emulation based on realistic, known attack patterns.

Steps to design and execute the first campaign:

• Objective: Choose an objective that aligns with the organization’s critical assets. For example, simulating a data breach targeting sensitive customer data.

• Tactics and Techniques:

  • Begin with reconnaissance, exploring open ports and services.

  • Simulate phishing or password spraying attacks to gain initial access.

  • Move laterally across systems using privilege escalation techniques like token impersonation (e.g., Pass-the-Hash).

• Post-Operation Review:

  • Analyze how the Blue Team responded, identifying blind spots in detection or areas where response times were delayed.

  • Document findings in a clear, actionable format for both technical teams and leadership.

KPIs (Key Performance Indicators) for Red Team

Establishing KPIs early on is critical to measuring the effectiveness and efficiency of the Red Team.

Suggested KPIs:

• Time to Initial Access (TTIA): Measure how long it takes the Red Team to gain initial access to a target asset during an operation. Shorter times indicate potential weaknesses in detection and prevention mechanisms.

• Time to Detection (TTD): Track how long it takes for the Blue Team or security tools to detect the Red Team’s activities. If the Red Team can remain undetected for extended periods, it indicates gaps in monitoring.

• Percentage of Undetected Operations: Measure how many Red Team operations were executed without being detected by security systems or the Blue Team. A higher percentage may highlight weaknesses in defensive monitoring or alerting systems.

• Vulnerability Discovery Rate: Track the number of vulnerabilities or weaknesses discovered during Red Team engagements. This KPI helps quantify the value of Red Team operations in terms of improving security posture.

• Remediation Implementation Rate: Measure the percentage of discovered vulnerabilities that are successfully remediated after reporting. This demonstrates the effectiveness of Red Team reporting in driving action.

• Red Team/Blue Team Engagement Effectiveness: After every operation, evaluate the effectiveness of Red Team and Blue Team collaboration through post-operation reviews. This can be based on the number of successful incidents escalated by the Blue Team and how efficiently the Red Team’s tactics were countered.

• Coverage of MITRE ATT&CK Techniques: Track how many techniques from the MITRE ATT&CK framework were simulated during the first 90 days. Broad coverage indicates that the Red Team is testing a wide range of adversarial behaviors.

• Completion Rate of First Campaign Objectives: Measure how many objectives of the first Red Team campaign were successfully completed. This includes initial access, persistence, lateral movement, and data exfiltration simulations.