Chapter 35 Key Takeaways: Red Team Operations
Core Concepts
- Red teaming is not penetration testing. Penetration testing finds vulnerabilities; red teaming tests detection and response. Red teams emulate specific threat actors, operate with stealth, pursue objectives (for example, reaching a named system or data set) rather than vulnerability lists, and test people and processes alongside technology.
- Engagement planning determines success. Rules of Engagement must be signed by authorized leadership before any activity begins, and must spell out scope, off-limits systems, deconfliction contacts, and stop conditions. Threat profile selection should be intelligence-driven, based on realistic adversaries that target the organization's industry and geography.
- MITRE ATT&CK is the universal language. Use ATT&CK for planning (selecting techniques to test), execution tracking (documenting which techniques were used), and reporting (mapping findings to technique IDs for actionable defense improvement). The ATT&CK Navigator enables visual gap analysis between the threat actor's techniques and the organization's detection coverage.
- Adversary emulation provides the most realistic testing. Emulate specific threat actors' TTPs using similar tools and procedures. Use C2 frameworks (Cobalt Strike, Sliver, Mythic) with proper infrastructure design: redirectors in front of the team server, short-haul channels for interactive work and long-haul low-and-slow channels for persistence, and fallback plans for when a channel is burned.
- Physical security testing is integral to red teaming. Social engineering, tailgating, badge cloning, and physical implants often provide the easiest path into an organization. Always carry authorization documentation and prioritize safety above all else.
- Purple teaming is the bridge between offense and defense. Collaborative exercises where red and blue teams work together to develop and validate detections produce the most durable security improvements. Track metrics such as detection coverage, MTTD (mean time to detect), and MTTR (mean time to respond) across exercises.
- Reporting must drive improvement. Red team reports should map every action to ATT&CK techniques, document the detection result for each technique (detected, detected but not acted on, or missed), and provide actionable recommendations. The debrief process is not about blame; it is about organizational learning.
- Red teaming is a continuous improvement cycle. Single engagements provide point-in-time value. Continuous programs with regular exercises, automated validation (Atomic Red Team, breach and attack simulation platforms), and tracked metrics deliver sustained security improvement.
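As an added example (not code from this chapter), the script below ties together the ATT&CK Navigator gap analysis and the purple-team metrics described above: it scores a constructed purple-team exercise log, computes detection coverage, MTTD and MTTR, lists the missed techniques, and emits a Navigator layer that colors each executed technique by outcome. The exercise rows, timestamps, notes, color choices, and the ATT&CK/Navigator version strings in the layer header are assumptions made for illustration.

```python
"""Purple-team exercise scoring plus an ATT&CK Navigator gap layer.

Added example, not code from the chapter. The exercise results below are
constructed; field names, colors, and the version strings in the layer
header are assumptions for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Optional


@dataclass
class TechniqueResult:
    technique_id: str                        # ATT&CK technique ID, e.g. "T1059.001"
    tactic: str                              # Navigator tactic slug, e.g. "execution"
    executed_at: datetime                    # when the red team ran the technique
    detected_at: Optional[datetime] = None   # first blue-team alert; None if missed
    contained_at: Optional[datetime] = None  # when blue team contained it; None if not
    note: str = ""                           # free text carried into the layer comment


def _ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed exercise log (not real data): one row per technique executed.
SAMPLE_RESULTS = [
    TechniqueResult("T1566.001", "initial-access", _ts("2024-03-04T09:00:00"),
                    _ts("2024-03-04T09:12:00"), _ts("2024-03-04T10:05:00"),
                    "Spearphishing attachment; mail gateway alerted"),
    TechniqueResult("T1059.001", "execution", _ts("2024-03-04T09:20:00"),
                    _ts("2024-03-04T09:23:00"), _ts("2024-03-04T09:50:00"),
                    "Encoded PowerShell; EDR script-block telemetry fired"),
    TechniqueResult("T1003.001", "credential-access", _ts("2024-03-04T10:30:00"),
                    None, None, "LSASS memory read; no alert produced"),
    TechniqueResult("T1021.002", "lateral-movement", _ts("2024-03-04T11:00:00"),
                    _ts("2024-03-04T11:45:00"), None,
                    "SMB admin share; alert raised but never triaged"),
    TechniqueResult("T1048.003", "exfiltration", _ts("2024-03-04T12:00:00"),
                    None, None, "DNS exfil of a proof token; no alert"),
]


def detection_coverage(results):
    """Fraction of executed techniques that produced any detection at all."""
    detected = sum(1 for r in results if r.detected_at is not None)
    return detected / len(results) if results else 0.0


def mttd_minutes(results):
    """Mean time to detect (execution -> first alert), over detected techniques only.
    Missed techniques are reported as gaps rather than folded in as infinite times."""
    deltas = [(r.detected_at - r.executed_at).total_seconds() / 60
              for r in results if r.detected_at is not None]
    return mean(deltas) if deltas else None


def mttr_minutes(results):
    """Mean time to respond (first alert -> containment), over contained techniques only."""
    deltas = [(r.contained_at - r.detected_at).total_seconds() / 60
              for r in results
              if r.detected_at is not None and r.contained_at is not None]
    return mean(deltas) if deltas else None


def detection_gaps(results):
    """Technique IDs that executed with no detection: the backlog for the next sprint."""
    return sorted(r.technique_id for r in results if r.detected_at is None)


def navigator_layer(results, name="Purple team exercise 2024-03"):
    """Build an ATT&CK Navigator layer: red = missed, yellow = detected but not
    contained, green = detected and contained. Import it into Navigator and overlay
    the emulated actor's technique layer to see the gaps visually."""
    techniques = []
    for r in results:
        if r.detected_at is None:
            score, color = 0, "#ff6666"
        elif r.contained_at is None:
            score, color = 1, "#ffe766"
        else:
            score, color = 2, "#8ec843"
        techniques.append({
            "techniqueID": r.technique_id,
            "tactic": r.tactic,
            "score": score,
            "color": color,
            "comment": r.note,
            "enabled": True,
        })
    return {
        "name": name,
        # Version strings are assumptions; match them to your Navigator instance.
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Per-technique detection result from the exercise",
        "techniques": techniques,
    }


if __name__ == "__main__":
    print(f"coverage={detection_coverage(SAMPLE_RESULTS):.0%} "
          f"MTTD={mttd_minutes(SAMPLE_RESULTS):.1f} min "
          f"MTTR={mttr_minutes(SAMPLE_RESULTS):.1f} min")
    print("gaps:", detection_gaps(SAMPLE_RESULTS))
    print(json.dumps(navigator_layer(SAMPLE_RESULTS), indent=2))
```

Two design choices worth noting: MTTD is averaged over detected techniques only, so a missed technique shows up in the gap list and drags coverage down instead of silently inflating the mean; and the layer distinguishes "alert fired but nobody acted" from "no alert", because those point at different fixes (triage process versus telemetry or rule).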
Practical Skills
- Distinguish when to recommend penetration testing vs. red teaming for a given organization
- Create comprehensive Rules of Engagement documents
- Map threat actor TTPs using the ATT&CK Navigator
- Plan and document attack chains with ATT&CK technique IDs
- Design resilient C2 infrastructure with redirectors and fallback channels
- Conduct physical security assessments safely and legally
- Plan and facilitate purple team exercises with detection development
- Write professional red team reports with ATT&CK-mapped findings
Common Mistakes to Avoid
- Skipping the planning phase and jumping directly into testing
- Testing without signed authorization documentation
- Using red teaming when the organization needs a penetration test first
- Failing to maintain operational security during the engagement
- Exfiltrating real sensitive data instead of using proof tokens
- Neglecting physical security and social engineering vectors
- Providing findings without actionable, prioritized remediation recommendations
- Treating red teaming as a one-time event rather than a continuous program
Key Frameworks and Tools
- MITRE ATT&CK: Technique taxonomy for planning, execution, and reporting
- ATT&CK Navigator: Visual technique mapping and gap analysis
- Atomic Red Team: Individual technique testing for continuous validation
- MITRE Caldera: Automated adversary emulation platform
- VECTR: Purple team exercise tracking and metrics
- TIBER-EU: European Central Bank framework for threat-intelligence-based red teaming of financial institutions