Chapter 35 Further Reading: Red Team Operations
Essential Reading
"Red Team Development and Operations" by Joe Vest and James Tubberville (2020). The definitive guide to building and running a professional red team program. Covers engagement planning, infrastructure design, operational security, and reporting methodology. Required reading for anyone leading red team operations.
"The Red Team Guide" by MITRE. Available free online. Covers red team fundamentals, adversary emulation, C2 infrastructure, and the relationship between red teaming and ATT&CK. Excellent companion to the ATT&CK framework documentation.
"Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK): Design and Philosophy" by Blake Strom et al. (2018). The original paper describing the design philosophy behind ATT&CK. Essential for understanding why the framework is structured the way it is and how it should be used.
MITRE ATT&CK Resources
ATT&CK Website (attack.mitre.org). The primary reference for all techniques, groups, and software. Read the technique descriptions and the associated detection guidance for every technique you plan to test.
ATT&CK Evaluations (attackevals.mitre-engenuity.org). Results from all evaluation rounds. Study the methodology documents to understand how MITRE conducts adversary emulation evaluations.
Center for Threat-Informed Defense (ctid.mitre-engenuity.org). Research projects including ATT&CK Flow (visual attack modeling), Adversary Emulation Library, and Top ATT&CK Techniques project.
MITRE Adversary Emulation Library. Available on GitHub. Provides step-by-step emulation plans for specific threat actors (APT29, FIN6, Sandworm). These plans serve as templates for your own adversary emulation exercises.
Purple Teaming Resources
"Purple Team Exercise Framework (PTEF)" by Security Risk Advisors. Open-source framework for planning and executing purple team exercises. Includes templates, procedures, and scoring methodology.
Vectr Documentation (vectr.io). Free tool for tracking purple team exercise results and measuring detection improvement over time. The documentation covers campaign setup, technique tracking, and reporting.
"Detection Engineering with Sigma" by the Sigma project. Understanding Sigma rules is essential for purple team detection development. The SigmaHQ repository on GitHub contains thousands of detection rules mapped to ATT&CK.
C2 and Offensive Tooling
Cobalt Strike Documentation. The official documentation for the industry-standard commercial C2 framework. The Malleable C2 profile documentation is particularly important for understanding traffic manipulation.
Sliver Documentation (github.com/BishopFox/sliver). Comprehensive documentation for the open-source C2 framework. Covers implant types, C2 channels, and multi-player operation.
"Red Team Infrastructure Wiki" by Steve Borosh. Available on GitHub. Detailed guides for setting up C2 infrastructure including redirectors, domain fronting, and operational security practices.
"A Red Teamer's Guide to GPOs and OUs" and similar SpecterOps blog posts. SpecterOps (creators of BloodHound) publishes detailed technical content on Active Directory attack paths, which are central to red team operations.
Physical Security Testing
"Unauthorized Access: Physical Penetration Testing for IT Security Teams" by Wil Allsopp (2009). Despite its age, this book provides foundational knowledge for physical security testing. Covers reconnaissance, social engineering, lock picking, and electronic access control bypass.
"Social Engineering: The Science of Human Hacking" by Christopher Hadnagy (2018, 2nd Edition). Comprehensive guide to social engineering techniques applicable to both physical and digital red team operations. Covers pretexting, elicitation, and influence techniques.
"The Art of Intrusion" by Kevin Mitnick (2005). Real-world stories of social engineering and physical intrusion that provide valuable insights into human vulnerability.
Advanced Techniques
SpecterOps Blog (posts.specterops.io). Technical blog covering Active Directory attacks, offensive .NET development, EDR evasion, and advanced red team techniques. Essential reading for technical depth.
"Evading EDR" by Matt Hand (2024). Dedicated book covering endpoint detection evasion techniques including userland hooks, ETW, AMSI, and memory forensics evasion. Technical and current.
"Red Team Field Manual (RTFM)" by Ben Clark. Quick reference for red team operations covering Windows, Linux, and network commands. A practical companion for operational work.
"Operator Handbook: Red Team + OSINT + Blue Team Reference" by Joshua Picolet (2020). Comprehensive reference guide organized for rapid access during operations.
Regulatory Frameworks
TIBER-EU Framework. Published by the European Central Bank. The definitive guide to threat intelligence-based red teaming for financial institutions. Includes detailed specifications for threat intelligence, red team testing, and white team management.
CBEST Intelligence-Led Testing Framework. Published by the Bank of England. The UK's framework for testing the cyber resilience of financial market infrastructure. It predated and influenced TIBER-EU.
DORA (Digital Operational Resilience Act). EU regulation requiring financial entities to conduct threat-led penetration testing. Understanding DORA's requirements is increasingly important for red team providers serving the financial sector.
Conference Talks and Training
Red Team Village at DEF CON. Annual collection of talks focused on red team operations, tooling, and methodology. Past presentations are available on YouTube.
SANS SEC565: Red Team Operations and Adversary Emulation. Professional training course covering the full spectrum of red team operations. One of the most respected training programs in the field.
Wild West Hackin' Fest (WWHF). Conference with strong red team and purple team content. Past talks are available online and cover practical operational topics.
SpecterOps Training Courses. Adversary Simulation, Red Team Operations, and Active Directory attack and defense courses from one of the leading red team firms.