Red Teaming is the ultimate litmus test for an organization’s security posture. While penetration tests find holes in the wall, Red Teams check if the guards are actually watching the cameras.
We simulate real-world Advanced Persistent Threats (APTs). We don’t just “find vulns”; we execute a campaign with specific strategic objectives, testing the people, processes, and technology of the target.
In this comprehensive guide, we will explore the infrastructure, methodologies, and mental models that professional red teamers use to challenge even the most mature defenses.
1. Red Teaming vs. Penetration Testing
The terms are often conflated, but they serve different business needs.
| Feature | Penetration Testing | Red Teaming |
|---|---|---|
| Goal | Find as many vulnerabilities as possible. | Test detection and response capabilities. |
| Scope | Narrow (e.g., “Web App X”). | Broad (The entire organization). |
| Duration | Short (1-2 weeks). | Long (Months). |
| Stealth | Low/None. | High (Critical). |
| Access | Often White/Grey Box (Credentials provided). | Black Box (break in yourself) or “Assumed Breach” (start from a provided foothold). |
Think of it this way: Pen testing is a safety inspection. Red teaming is a fire drill.
2. The Mental Model: The Unified Kill Chain
While the original Lockheed Martin Cyber Kill Chain is a classic, it ends at “Actions on Objectives” and says little about what happens once the attacker is inside. Modern red teamers prefer the Unified Kill Chain (UKC), Paul Pols’ 2017 model, which expands it to 18 phases covering internal pivots, privilege escalation, and long-term persistence. The phases you will touch on almost every engagement:
- Reconnaissance: Passive (OSINT) and Active scanning.
- Weaponization: Developing custom malware or weaponizing documents.
- Delivery: Phishing, USB drops, or “Assumed Breach” (starting inside).
- Social Engineering: Manipulating humans to execute the payload.
- Exploitation: Gaining initial execution.
- Persistence: Installing backdoors (Scheduled Tasks, Registry Run keys).
- Command & Control (C2): Establishing a beacon back to infrastructure.
- Pivoting: Moving laterally (SMB, RDP, WMI).
- Action on Objectives: Accessing the target data (the “Crown Jewels”) and proving that access to the client.
3. Red Team Infrastructure: Building the C2
A professional red team never lets the target talk to the Team Server directly. We use tiered infrastructure to remain resilient: a burned redirector costs a few minutes, a burned Team Server costs the engagement.
The Tiered Approach
- Short-Term / Phishing Redirectors: Used for initial delivery. High burn rate.
- Long-Term / Interactive C2: Used for deep access. Low noise.
- The “Team Server”: The backend where the team logs in. This IP is NEVER exposed to the internet directly.
Techniques for Hiding
- Redirectors: Disposable VPSs running `socat` or `nginx` that forward traffic to the real Team Server. If a redirector is blocked, you spin up a new one and update DNS; the Team Server stays safe. A good redirector also filters: only requests whose URI and User-Agent match the implant profile are forwarded, everything else gets a decoy page, so scanners and sandboxes never see the C2.
- Domain Fronting: Using high-reputation CDNs to mask traffic. The target sees a TLS connection to a trusted front such as `ajax.microsoft.com`, but the inner HTTP `Host` header routes the request to your C2 origin behind the same CDN. Caveat: the major CDNs (AWS CloudFront and Google in 2018, Microsoft Azure since then) now reject requests whose `Host` does not match the TLS SNI, so fronting only works on providers that still tolerate the mismatch; verify before building a campaign around it.
- Malleable C2 Profiles: Modifying your C2 traffic signatures (URIs, headers, sleep and jitter, how metadata is encoded) so beacon traffic looks like idle Google Drive traffic or Amazon shopping requests.
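As an added example, not code from the original article, here is a minimal filtering redirector in Python. It applies the same rule an nginx `proxy_pass` or Apache `mod_rewrite` redirector would: only requests whose URI and User-Agent match the implant profile are forwarded to the Team Server, everything else gets a decoy page. The Team Server address, the URI prefixes and the User-Agent string are assumptions standing in for values taken from a real C2 profile.

```python
"""Filtering redirector: forward implant traffic to the team server, serve a
decoy page to everyone else. Added example; TEAM_SERVER, C2_PATHS and C2_UA
are hypothetical values that would come from the real C2 profile."""
import http.client
import http.server
from urllib.parse import urlsplit

TEAM_SERVER = ("teamserver.internal", 8443)      # backend, never exposed to targets
C2_PATHS = ("/api/v2/sync", "/static/js/")       # URIs the implant uses (from the profile)
C2_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"  # what the implant sends
DECOY = b"<html><body><h1>Coming soon</h1></body></html>"


def classify(path: str, user_agent: str) -> str:
    """Return 'c2' only when both the URI prefix and the User-Agent match the
    implant profile; everything else (scanners, sandboxes, curious analysts)
    is 'decoy' and never reaches the team server."""
    clean = urlsplit(path).path  # ignore the query string when matching
    if user_agent == C2_UA and clean.startswith(C2_PATHS):
        return "c2"
    return "decoy"


class Redirector(http.server.BaseHTTPRequestHandler):
    def _handle(self):
        ua = self.headers.get("User-Agent", "")
        if classify(self.path, ua) == "decoy":
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(DECOY)
            return
        # Relay the request as-is (original Host header included) to the team server.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        conn = http.client.HTTPSConnection(*TEAM_SERVER, timeout=10)
        conn.request(self.command, self.path, body=body, headers=dict(self.headers))
        resp = conn.getresponse()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "connection"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(resp.read())

    do_GET = do_POST = _handle


if __name__ == "__main__":
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), Redirector).serve_forever()
```

In production you would put TLS in front of this and, as the article says, treat the VPS as disposable; the point is the `classify` rule, which is what you would express as an nginx `location` block plus a `proxy_pass` to the Team Server.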
4. Purple Teaming: The Evolution
The ultimate goal of a red team is to make the blue team (defenders) better. The adversarial nature sometimes creates friction (“We beat you!”).
Purple Teaming is a collaborative exercise where Red and Blue sit in the same room.
- Red: “I am about to run a Kerberoasting attack at 10:05 AM.”
- Red: Executes attack.
- Blue: “I see nothing.”
- Together: “Why? Is the logging disabled? Is the SIEM rule wrong?”
- Fix: Enable the missing audit policy, forward the events, or correct the SIEM rule.
- Red: Re-executes.
- Blue: “Gotcha. Alert triggered.”
This provides immediate value and tuning validation.
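The Kerberoasting round above is exactly the kind of thing the purple team ends up writing a rule for. The following detection is an added example and not part of the original article: it runs over a constructed sample of Windows Security Event ID 4769 (Kerberos service ticket requested) records and flags one account requesting tickets for many distinct SPNs within a short window, using RC4 (encryption type 0x17) as the secondary tell. The field names, thresholds and sample data are assumptions. Note that 4769 only exists if “Audit Kerberos Service Ticket Operations” is enabled on the domain controllers, which is the usual reason Blue “sees nothing”.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, user, service, etype, ip):
    """One reduced Event ID 4769 record (constructed, not real log data)."""
    return {"time": time, "user": user, "service": service, "etype": etype, "ip": ip}


# Constructed sample: alice and a workstation doing normal AES (0x12) ticket
# requests, and bob pulling RC4 (0x17) tickets for six different SPNs in two
# seconds, which is what GetUserSPNs/Rubeus look like in the logs.
SAMPLE_4769 = [
    ev("2024-03-04T10:04:58Z", "alice", "cifs/fs01.corp.example", "0x12", "10.0.5.11"),
    ev("2024-03-04T10:05:00Z", "WS01$", "ldap/dc01.corp.example", "0x12", "10.0.5.50"),
    ev("2024-03-04T10:05:01Z", "bob", "MSSQLSvc/db01.corp.example:1433", "0x17", "10.0.5.23"),
    ev("2024-03-04T10:05:01Z", "bob", "MSSQLSvc/db02.corp.example:1433", "0x17", "10.0.5.23"),
    ev("2024-03-04T10:05:02Z", "bob", "HTTP/intranet.corp.example", "0x17", "10.0.5.23"),
    ev("2024-03-04T10:05:02Z", "bob", "HTTP/reports.corp.example", "0x17", "10.0.5.23"),
    ev("2024-03-04T10:05:03Z", "bob", "vmware/vc01.corp.example", "0x17", "10.0.5.23"),
    ev("2024-03-04T10:05:03Z", "bob", "MSSQLSvc/db03.corp.example:1433", "0x17", "10.0.5.23"),
    ev("2024-03-04T10:06:30Z", "alice", "krbtgt/CORP.EXAMPLE", "0x12", "10.0.5.11"),
]


def detect_kerberoasting(events, window=timedelta(seconds=60), min_spns=5, require_rc4=True):
    """Return one alert per account that requested service tickets for at
    least `min_spns` distinct SPNs inside any span of length `window`.

    require_rc4=True additionally demands encryption type 0x17: classic
    tooling asks for RC4 because those hashes crack faster. Set it to False
    once attackers request AES tickets; the distinct-SPN burst is the durable signal."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"].endswith("$") or e["service"].lower().startswith("krbtgt/"):
            continue  # machine accounts and TGT renewals are routine noise
        if require_rc4 and e["etype"] != "0x17":
            continue
        t = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        by_user[e["user"]].append((t, e["service"], e["ip"]))

    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _, ip) in enumerate(reqs):  # slide the window over sorted requests
            spns = {spn for t, spn, _ in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                alerts.append({"user": user, "ip": ip, "start": start.isoformat(),
                               "spns": sorted(spns)})
                break  # one alert per account is enough for the analyst
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

Tune `min_spns` against your own baseline: service accounts that legitimately touch many SPNs (monitoring, backup) will show up and belong on an allowlist, not in a raised threshold.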
5. Deconfliction (DECON)
During a stealth engagement, the Blue Team might detect you. They have two choices:
- Initiate a massive Incident Response (IR) procedure (costing money and panic).
- Check with the White Cell (trusted referees) to see if it’s the Red Team.
Deconfliction is the process where the White Cell confirms your activity.
- Red Team Logs: You must keep meticulous logs of every IP, every command, and every timestamp.
- The Artifact: “Yes, `192.0.2.50` hitting the Domain Controller at `14:00 UTC` was us.”
6. Operational Security (OpSec) for the Operator
While you are watching the defenders, the defenders are watching you.
- Clean Source Code: Strip symbols (`strip`) from your binaries and remove debug strings; both hand signature writers exactly what they need.
- Time Hygiene: Don’t beacon every 5 seconds. Use jitter (e.g., “sleep 60s with 20% jitter”) and long sleeps whenever you are not actively working.
- Credential Hygiene: If you steal “Bob’s” password, don’t use it to log into 500 machines in 1 minute.
- Burn Rate: Assume every payload will be caught eventually. Have backups.
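Two sides of the time-hygiene point, as an added example that is not part of the original article: the sleep-with-jitter calculation (using the Cobalt Strike convention, where jitter reduces the base sleep by up to the stated percentage) and the dispersion check a beacon-hunting analytic applies to the resulting check-in times. The timestamp samples are constructed.

```python
import random
import statistics


def next_sleep(base, jitter_pct, rng=random):
    """Sleep interval with jitter. Convention (as in Cobalt Strike): the base
    sleep is reduced by a random amount of up to jitter_pct percent, so
    'sleep 60s with 20% jitter' yields something between 48s and 60s."""
    return base * (1 - rng.random() * jitter_pct / 100)


def beacon_times(base, jitter_pct, count, seed=0):
    """Simulated check-in timestamps (seconds from start) for one beacon."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += next_sleep(base, jitter_pct, rng)
        times.append(t)
    return times


def periodicity_score(times):
    """Coefficient of variation of the inter-arrival gaps. Machine-driven
    check-ins sit near 0; human-driven traffic scatters well above 1.
    Beacon-hunting analytics (RITA and similar) score connection pairs this way."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)


# Constructed timestamps of a person browsing: gaps of 5, 12, 60, 3, 300, 7, 45 seconds.
HUMAN_SAMPLE_TIMES = [0, 5, 17, 77, 80, 380, 387, 432]


if __name__ == "__main__":
    print("fixed 5s     :", round(periodicity_score(beacon_times(5, 0, 100)), 3))
    print("60s, 20% jit :", round(periodicity_score(beacon_times(60, 20, 200)), 3))
    print("human sample :", round(periodicity_score(HUMAN_SAMPLE_TIMES), 3))
```

The numbers are the lesson: a fixed 5-second beacon scores 0, and 60 seconds with 20% jitter still only scores about 0.06, while the human sample scores above 1. Jitter defeats an “exactly every N seconds” rule but barely moves a dispersion analytic; long sleeps, and blending into traffic the host already generates, do more for you than a jitter percentage.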
Conclusion
Red teaming is a strategic discipline. It requires technical mastery to build the tools, psychological insight to trick the humans, and professional integrity to manage the risk. By emulating the adversary, we provide the ultimate stress test for an organization’s defenses, ensuring they are ready for the real thing.
Stay sharp, stay quiet, and always be the “adversary” that the defenders need.
Happy hacking!