The different genres of red team assessments
Understand the comparison between a red team assessment, adversary simulation, and adversary emulation through a simple analogy.
Imagine a writer wants to write a book on a particular genre. Let’s say the writer picked up crime as the genre.
Therefore, the objective of the writer is to write a story that revolves around a particular crime. Now, the writer can write this story in one of the following ways:
Fiction - The writer uses their imagination to write the story. All characters, their back stories, the crime, everything is born out of the writer’s mind.
Fiction inspired by true crime - The writer uses a real-world crime incident as a model for their book. The larger story is based on the true crime incident, but the writer also leverages their creative freedom to adapt the story to their taste.
Non-fiction - The writer bases the book on a real-world crime incident and portrays each character, every angle and every detail as they were in real life. It involves an in-depth study of the incident and the characters involved, so creative freedom is hardly leveraged in this process.
Ok, so the writer wrote their book. What’s this got to do with red team assessments, adversary simulation and adversary emulation?
In a pure theoretical sense,
Red Team Assessments are similar to writing a fiction book with a particular genre in mind. In these assessments, the objective is defined (for example, sensitive data exfiltration) but the tactics, techniques and procedures (TTPs) used to achieve it are left to the red team to figure out.
Adversary Simulation Exercises are similar to writing fiction inspired by true crime. In these exercises, the objective is defined based on the TTPs used in a real-world breach (for example, is it possible to deploy ransomware within the organisation by phishing an employee?). Here, the red team usually models its operations on a mix of the TTPs used by ransomware operators and its own. It is a type of red team assessment.
Adversary Emulation Exercises are similar to writing a non-fiction book. In these exercises, the red team selects a real-world threat group (for example, APT 29) and executes the exercise using exactly the same TTPs as the selected threat group or actor. Here, the red team mostly does not use any custom TTPs unless it is absolutely necessary to do so (for example, when the red team does not have the resources to execute a particular TTP used by the threat actor). It is also a type of red team assessment.
Red Team Notes
- In a red team assessment, the objective is defined but the red team is free to use tactics, techniques and procedures (TTPs) of their choice.
- In an adversary simulation exercise, the objective is defined based on the TTPs used in a real-world breach. The red team may use a mix of TTPs (threat actor's + custom), i.e. they use the real-world breach as a model for their operations.
- In an adversary emulation exercise, a real-world threat actor is selected and the objective is to identify whether or not the organisation is vulnerable to that threat actor's TTPs. Here, the red team uses exactly the same TTPs as those used by the selected threat actor, i.e. they emulate or mimic the TTPs of the threat actor.
- Adversary simulation and adversary emulation are both types of red team assessment.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.