Joe Vest - Red Team Development and Operations: A practical guide

This book is the culmination of years of experience in the information technology and cybersecurity field. Components of this book have existed as rough notes, ideas, informal and formal processes developed and adopted by the authors as they led and executed red team engagements over many years. The concepts described in this book have been used to successfully plan, deliver, and perform professional red team engagements of all sizes and complexities. Some of these concepts were loosely documented and integrated into red team management processes, and much was kept as tribal knowledge. One of the first formal attempts to capture this information was the SANS SEC564 Red Team Operation and Threat Emulation course. This first effort was an attempt to document these ideas in a format usable by others. The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.

The authors goal is to provide practical guidance to aid in the management and execution of professional red teams. The term Red Team is often confused in the cybersecurity space. The terms roots are based on military concepts that have slowly made their way into the commercial space. Numerous interpretations directly affect the scope and quality of todays security engagements. This confusion has created unnecessary difficulty as organizations attempt to measure threats from the results of quality security assessments. You quickly understand the complexity of red teaming by performing a quick google search for the definition, or better yet, search through the numerous definitions and interpretations posted by security professionals on Twitter. This book was written to provide a practical solution to address this confusion.

The Red Team concept requires a unique approach different from other security tests. It relies heavily on well-defined TTPs critical to the successful simulation of realistic threat and adversary techniques. Proper Red Team results are much more than just a list of flaws identified during other security tests. They provide a deeper understanding of how an organization would perform against an actual threat and determine where a security operations strengths and weaknesses exist.

Whether you support a defensive or offensive role in security, understanding how Red Teams can be used to improve defenses is extremely valuable. Organizations spend a great deal of time and money on the security of their systems. It is critical to have professionals who understand the threat and can effectively and efficiently operate their tools and techniques safely and professionally. This book will provide you with the real-world guidance needed to manage and operate a professional Red Team, conduct quality engagements, understand the role a Red Team plays in security operations. You will explore Red Team concepts in-depth, gain an understanding of the fundamentals of threat emulation, and understand tools needed you reinforce your organizations security posture.

Who is the best audience for this book?

• Security professionals interested in expanding their knowledge of Red Teaming
• Penetration testers or ethical hackers looking to understand how Red Teaming is different from other security testing types
• Defenders who want to understand offensive methodologies, tools, and techniques better
• Auditors who need to build relevant technical skills and understand how to measure success
• Red Team members looking to understand their craft as professionals better
• Threat hunters looking to understand better how red teaming can increase their ability to defend
• Computer Network Defense or Exploitation (CND/CNE) Teams
• Forensics specialists who want to understand offensive tactics better
• Information security managers who need to incorporate red team activities into their operations

In summary, this book will prepare you to:

• Learn what Red Teaming is and how it differs from other security testing engagements
• Understand the unique view of the offensive security field of Red Teaming and the concepts, principles, and guidelines critical to its success
• Design and create threat-specific goals to measure and train organizational defenders
• Learn to use the Get In, Stay In, and Act methodology to achieve operational impacts
• Design, operate, and run a professional red teaming program
• Make the best use of a Red Team and apply it to measure and understand an organization's security defenses

Writing this book has been an intense journey and many roadblocks have shown their face. Life doesnt stop and give you time to meet deadlines. Without the support of family, friends, coworkers, and the infosec community, this book would not have been written. Thank you all!

This book is a collection of thoughts, ideas, and experiences. Many of these ideas and concepts would not have been developed without the people worked with over the last ten years. We want to thank everyone who listened to us ramble on for what may have felt like hours. You are as much as part of this book as we are.

We especially need to thank family and close friends. Reading early drafts, listening to ramblings about security, giving advice, keeping us honest, and encouraging us to stay on track are just a few ways you helped. This book would not have been written without your encouragement and support. We thank and love you all!

We want to name everyone by name, but do not wish to miss someone unintentionally. Well shake your hand or give you a hug the next time we see you.

We encourage all of you to reach for your goals.