Intelligence-led Red Teaming

When conducting Red Team attacks, I believe it is important to use an intelligence-led approach when doing scenario planning. This is sometimes also known as threat actor emulation. Such an approach involves doing prior background research on the threat actors targeting that specific industry, choosing a threat actor to emulate, studying the TTPs used by that actor, and finally emulating the actor as closely as possible when performing the attack. This results in an attack that is realistic and likely to closely match what the organization faces on a day-to-day basis, thus allowing for an accurate assessment of the blue team's detection, containment and remediation capability.

The opposite of this approach is threat actor simulation, where a red team simply simulates an adversary without doing prior background research. The red team is free to use any TTPs it desires. The issue with this approach is that the red team will tend to use the most sophisticated techniques available, e.g. fileless malware or memory injection, so as to avoid detection. Upon completion of the exercise, the blue team will then be tasked with focusing its efforts on detecting these sophisticated techniques. In reality, the threat actors targeting that industry may not be as sophisticated, and the techniques they actually use may end up flying under the radar because the blue team has been so focused on the sophisticated ones. Not every industry is targeted by state-sponsored attackers. Without adequate background research, you may end up preparing for the wrong attack.

It may seem cool for Red Teamers to pick locks, clone access cards or social engineer security guards to gain entry into buildings. However, if we do background research on physical attacks targeting, say, the financial industry in Singapore, we would realise that none of the bank robbers in the past 20 years has picked a lock, cloned a card or social engineered anyone. They simply walk into the bank with a weapon, or claim that they have one. These sophisticated attacks are as unrealistic as James Bond rappelling from a helicopter straight into a bank vault fitted with motion-detecting sensors.