Role of threat intelligence in a red team engagement
Learn how red teams leverage threat intelligence for an impactful assessment.
How do you think like an enemy without knowing the enemy?
During a red team engagement, the team either simulates or emulates a real-world adversary. Threat intelligence plays a pivotal role in this process by helping the team identify potential adversaries, their tactics, techniques, and procedures (TTPs), and the vulnerabilities they commonly exploit.
This profiling provides insight into:
- Adversary Categories and Interests - Are they financially motivated criminal groups, nation-state actors, or hacktivists? Why would they want to attack the target organization?
- Attack Vectors - What kinds of attacks does the adversary leverage? Do they use email phishing, web application vulnerabilities, insider threats, or something else as an initial access point?
A red team can obtain threat intelligence from a wide variety of sources, such as:
- Open Source Intelligence (OSINT) - Publicly available information from websites, social media, forums, and news outlets.
- Commercial Threat Feeds - Subscriptions to curated threat intelligence services that provide timely and relevant data.
- Human Intelligence (HUMINT) - Insights gathered from experts, industry reports, or direct engagement with the security community.
- Dark Web Monitoring - Specialized tools and services that scan hidden forums and marketplaces where threat actors exchange information.
- Internal Data Sources - Network logs, incident reports, and SIEM outputs that reveal patterns of anomalous activity.
- Computer Emergency Response Teams (CERTs) - Information published by various CERTs, both regional and industry-specific.
This can be complemented by using frameworks like MITRE ATT&CK and Threat Intelligence-based Ethical Red Teaming (TIBER‑EU).
MITRE ATT&CK can help the red team adjust its methods and tools so that its simulated attacks closely resemble those of actual attackers.
Threat Intelligence-based Ethical Red Teaming (TIBER‑EU) requires the red team (or a threat intelligence provider) to prepare a customized report that outlines an organization’s digital footprint, identifies potential vulnerabilities, and profiles likely threat actors. This report serves as the foundation for the red team to develop detailed, intelligence-driven attack scenarios.
Traditionally, threat intelligence has been primarily leveraged during the planning phase of a red team engagement. However, it can be woven into every phase to ensure a realistic assessment.
In the planning phase, it helps define the scope and prioritize critical assets by identifying vulnerabilities and potential attack vectors.
During execution, the red team can leverage real-time intelligence to adapt its tactics and simulate genuine adversary behavior, ensuring that its attacks are current and relevant.
In the post-engagement phase, threat intelligence insights can be used to contextualize findings, refine incident response strategies, and provide actionable recommendations for remediation.
Red Team Notes
- Threat intelligence enables identification of likely adversaries, mapping of their tactics using frameworks like MITRE ATT&CK and TIBER‑EU, and prioritization of critical vulnerabilities.
- Integrating threat intelligence into red team operations enables the team to build more realistic attack scenarios and tailor its test methods to mimic real-world adversaries.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.