This article reviews team interaction, tools and methodology for conducting Red Team operations. A Red Team operation simulates, as realistically as possible, an attack by a group of professional external intruders in order to identify weaknesses in the infrastructure.

Red Team vs Blue Team

The term Red Team comes from the military and denotes a “friendly” attacking team. Its counterpart is the team of defenders, the Blue Team.

Red Team operations differ from a classic pentest primarily in the rules of engagement and in what the defended side expects. In a “classic” penetration test, whitelists, restrictions on working hours and limits on the depth of interaction with systems are common. In a Red Team operation there are practically no such restrictions: a real attack on the infrastructure is carried out, from attacks on the external perimeter to attempts at physical access and “hard” socio-technical techniques (not merely recording that a link was clicked but, for example, obtaining a full-fledged reverse shell).

The Blue Team’s task is to defend the infrastructure blind: the defenders are not warned about the attack, nor told how it differs from a real one. This is one of the best ways to test both the defence systems and the specialists’ ability to identify and block attacks and subsequently investigate incidents. After the operation is completed, the attack vectors that were worked through must be compared with the incidents the defenders recorded in order to improve the infrastructure protection system.
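The comparison described above can be mechanised. The following is an added example (not code from the original article): it matches the Red Team’s own action log against the Blue Team’s incident register by host and time window, and reports which actions were detected, how quickly, and which went unnoticed. All log data is constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: the Red Team's action log (what was done, when, against which host)
RED_TEAM_ACTIONS = [
    {"ts": "2023-03-01 09:15", "host": "web-01", "action": "external port scan"},
    {"ts": "2023-03-02 14:40", "host": "mail-01", "action": "phishing mail, reverse shell"},
    {"ts": "2023-03-03 22:05", "host": "dc-01", "action": "credential dumping"},
    {"ts": "2023-03-05 11:30", "host": "fs-02", "action": "data staging on file server"},
]

# Constructed sample: incidents the Blue Team registered over the same period
BLUE_TEAM_INCIDENTS = [
    {"ts": "2023-03-01 09:20", "host": "web-01", "title": "port sweep alert"},
    {"ts": "2023-03-04 08:10", "host": "dc-01", "title": "LSASS access by unknown process"},
    {"ts": "2023-03-06 16:00", "host": "backup-01", "title": "failed logins"},  # unrelated
]


def reconcile(actions, incidents, window_hours=48):
    """For each Red Team action, find the first incident on the same host registered
    within window_hours after the action. Returns one result record per action."""
    results = []
    for act in actions:
        t0 = datetime.strptime(act["ts"], FMT)
        deadline = t0 + timedelta(hours=window_hours)
        match = None
        for inc in sorted(incidents, key=lambda i: i["ts"]):
            t1 = datetime.strptime(inc["ts"], FMT)
            if inc["host"] == act["host"] and t0 <= t1 <= deadline:
                match = inc
                break
        ttd = None
        if match is not None:
            ttd = round((datetime.strptime(match["ts"], FMT) - t0).total_seconds() / 3600, 2)
        results.append({"action": act["action"], "host": act["host"],
                        "detected": match is not None, "time_to_detect_h": ttd,
                        "incident": None if match is None else match["title"]})
    return results


def detection_rate(results):
    """Share of Red Team actions that produced a matching incident."""
    return sum(1 for r in results if r["detected"]) / len(results)


if __name__ == "__main__":
    for r in reconcile(RED_TEAM_ACTIONS, BLUE_TEAM_INCIDENTS):
        print(r)
```

The undetected actions in the output are the attack vectors worth reviewing with the Blue Team first, since no rule or analyst caught them within the window.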

The Red Team approach is closest to a targeted attack, an APT (Advanced Persistent Threat). The Red Team should consist of experienced professionals with extensive experience both in building IT / IS infrastructure and in compromising systems.

What distinguishes Red Team operations:

  • Duration. Attacks can be carried out over several months.
  • Hardcore. Attackers can act aggressively on the infrastructure, which can lead to the failure of some of its components.
  • Absence of familiar penetration testing patterns. (A case from practice: while bypassing the physical access control system (ACS) at one of the audit sites, the team removed office equipment containing critical data from the company premises, in agreement with the work manager, of course.)

The Red Team attempts to gain access to the system by any means, including penetration testing; physical access; testing communication lines, wireless and radio-frequency systems; and testing employees with social engineering scenarios.

The concept of Red Team operations allows penetration testing to be carried out as realistically as possible.

Team approach

A Red Team operation resembles a military operation: the targets or objects of the attack, the areas of responsibility and the roles of team members are defined in advance. Often the Red Team also includes an insider who passes data out from within the company or performs auxiliary functions.

A clear distribution of roles, together with established systems for operational interaction and data analysis, defines several roles, much like a sniper or a medic in a military unit:

  • team leader – leadership;
  • operatives – active phase of the attack;
  • insiders – this role may not be present;
  • analysts – analysis and normalization of the received data.


The choice of toolkit in a particular case is driven by the specifics of the application or service under attack and differs little from conventional penetration testing. What does arise in Red Team operations is the question of team interaction and systematisation of results: reports from various analysis tools plus vulnerabilities identified manually add up to a huge amount of information in which, without proper order and a systematic approach, something important can be missed or duplicates can creep in. Hence the need to consolidate reports, normalise them and reduce them to a single form.

Typically, Red Team operations cover rather large infrastructures that require the use of specialized tools:

  • Scanners and utilities for perimeter inventory, with the ability to separate work areas and aggregate results.
  • Data processing systems for penetration testing.
  • Tools for analysing and managing vulnerabilities.
  • Systems for conducting socio-technical campaigns.
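The normalisation and de-duplication problem described above, as an added example (not code from the article or from any of the tools listed): findings from two constructed export formats, a CSV loosely modelled on a network scanner export and a JSON list from a second tool, are reduced to one record type, merged on host, port and normalised title, and ranked by severity. The formats, tool names and risk mapping are assumptions for illustration.

```python
import csv
import io
import json
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    port: int
    title: str
    severity: float            # CVSS-style score, 0.0 to 10.0
    sources: list = field(default_factory=list)


# Constructed sample: CSV export in the style of a network vulnerability scanner
SCANNER_CSV = """ip,port,cvss,name
10.0.0.5,22,5.3,OpenSSH User Enumeration
10.0.0.5,443,7.5,TLS 1.0 Enabled
10.0.0.9,445,9.8,SMBv1 Enabled
"""

# Constructed sample: JSON export from a second tool using qualitative risk levels
SECOND_TOOL_JSON = json.dumps([
    {"target": "10.0.0.5:443", "risk": "high", "issue": "tls 1.0  enabled"},
    {"target": "10.0.0.5:8080", "risk": "medium", "issue": "Directory listing"},
    {"target": "10.0.0.9:445", "risk": "critical", "issue": "SMBv1 enabled"},
])
RISK_TO_CVSS = {"low": 3.0, "medium": 5.0, "high": 7.5, "critical": 9.5}  # assumed mapping


def from_csv(text, source="scanner-a"):
    for row in csv.DictReader(io.StringIO(text)):
        yield Finding(row["ip"], int(row["port"]), row["name"], float(row["cvss"]), [source])


def from_json(text, source="tool-b"):
    for item in json.loads(text):
        host, port = item["target"].rsplit(":", 1)
        yield Finding(host, int(port), item["issue"], RISK_TO_CVSS[item["risk"].lower()], [source])


def key(f):
    # Normalised identity: same host and port, title compared case- and whitespace-insensitively
    return (f.host, f.port, " ".join(f.title.lower().split()))


def merge(*streams):
    """Merge findings from several tools; duplicates keep the highest severity and all sources."""
    merged = {}
    for stream in streams:
        for f in stream:
            k = key(f)
            if k in merged:
                cur = merged[k]
                cur.severity = max(cur.severity, f.severity)
                cur.sources.extend(s for s in f.sources if s not in cur.sources)
            else:
                merged[k] = f
    return sorted(merged.values(), key=lambda f: (-f.severity, f.host, f.port))
```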

Specialized software:

Cobalt Strike
Cobalt Strike is a penetration testing framework. It is an advanced analogue of Armitage, which in turn is a GUI front end for the Metasploit Framework. A built-in scripting language allows attacks to be carried out as effectively as possible.

Dradis Framework
The Dradis Framework is an open source platform for simplifying collaboration and reporting in information security. Dradis is a standalone web application that centralises information storage. There are two versions: Community Edition (free) and Professional Edition (from $59). The Pro version has more functionality, including integration capabilities, a reporting system, support (including priority support), built-in methodologies, etc. Functionality can be extended with plugins / add-ons.

Faraday IDE
Faraday is the most powerful collaboration environment, billed as true multiplayer penetration testing. It supports ArchAssault, Arch Linux, Debian, Kali and OS X. It works in real time, immediately processing the results submitted by any of the pentesters. The framework is built on the concept of gamification: specialists can measure their skills by the number and quality of the vulnerabilities they record.

Nessus
Nessus is one of the most popular vulnerability scanners, developed by Tenable Network Security. Until 2005 it was free and open source software; in 2008 a paid version of the product was released.

OpenVAS
OpenVAS (Open Vulnerability Assessment System, originally named GNessUs) is a framework of several services and utilities for scanning hosts for vulnerabilities and managing the vulnerabilities found.

SE Toolkit
The Social Engineering Toolkit (SET) is a classic multi-tool for conducting social engineering attacks.

An open source phishing framework that allows mass phishing campaigns to be carried out.

Logstash / Elasticsearch / Kibana
A stack for collecting, analysing and storing data across a wide range of tasks.

In the comments, I am ready to answer your questions, both on the software presented and on the Red Team operations.