The role of deception in red team ops
Learn how red teams leverage deception for their tradecraft.
Deception is a powerful tool. Both attackers and defenders use it to mislead, confuse, and outmaneuver each other.
Red teams rely on deception to stay undetected and achieve their objectives. They often mimic legitimate users and network traffic, use valid credentials, and move through systems in a way that does not trigger alerts. Camouflaging malicious actions is another common tactic, where payloads and tools are named to resemble normal system files, and encryption or obfuscation is used to hide malicious code.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Social engineering is a major deception technique in a red team's arsenal, where red team operators impersonate people to gain trust or craft fake emails and phone calls to trick users into revealing sensitive information. Additionally, red teams may plant false trails by leaving misleading evidence to confuse defenders or by using decoy infrastructure to distract security teams.
Another deception technique is Living off the Land (LotL), where red teams use built-in system tools instead of introducing external malware. By leveraging legitimate executables, red team operators perform malicious activities while blending in with normal system operations.
Red teams may also generate unnecessary logs to bury malicious actions under legitimate-looking events. By flooding logs with benign system activity or executing redundant commands, red team operators make it challenging for defenders to identify real threats amidst the noise. Similarly, they may manipulate timestamps to mislead forensic investigators about the actual timeline of an attack.
Red teams may further leverage false attribution tactics, where they leave misleading indicators of compromise (IOCs) to misdirect security teams. This might include using IP addresses, file names, or language settings that resemble a known threat actor to divert attention away from the true origin of the attack.
Attackers do not always use brute-force techniques; instead, they rely on trickery to bypass security measures. Understanding deception allows red teams to simulate real-world threats more effectively, evade detection, and improve their ability to think like real attackers. At the same time, red teams must be aware of defensive deception techniques. Falling for a well-placed honeypot or decoy credential can expose a red team operation too early, reducing the effectiveness of the engagement.
Red Team Notes
Deception is used by red teams to stay hidden and achieve their objectives. Techniques such as blending in with legitimate traffic, social engineering, Living off the Land, and generating unnecessary logs help red team operators avoid detection.