What is Deconfliction in the context of a red team engagement?
Learn what deconfliction is and why it is required during red team engagements.
To deconflict means to adjust or co-ordinate activities so as to avoid or prevent conflict. The term is commonly used in the context of military operations, where the objective of the deconfliction process is to avoid accidental injuries or incidents resulting from overlapping operations.
How does this concept fit into the context of a red team engagement?
During a red team engagement, it may happen that the team discovers an actual breach, i.e. there is already an intruder present in the network. In such a case, it is important that the red team has a way to identify which activity was performed as part of the engagement and which was not. Failing this, the organization carries the risk of interpreting activities performed by the red team as part of the actual breach, which may lead to undesirable consequences for the red team operators. The reverse is equally dangerous: genuine intruder activity may be dismissed as "just the red team" and go uninvestigated. To avoid both situations, the red team uses a deconfliction process that makes it possible to attribute activities performed as part of the engagement.
Red Team Notes
Deconflict, in the context of a red team engagement, means to avoid or remove conflict between actions performed by the red team and the actual adversary.
Deconfliction Process is the detailed step-by-step action plan that will be used to separate real-world adversary activity from that of the red team. It must be created early, during red team engagement planning, and documented as part of the rules of engagement.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
The deconfliction process includes informing trusted agents about planned activities, maintaining thorough OPLOG (Operations Log) records, providing updates to the Engagement Control Group (ECG), and exchanging periodic reports with the white cell. The OPLOG is what makes deconfliction possible in practice: every action should be recorded with its timestamp, operator, source address, target, tool and command, so that a question such as "did you touch host X at time T?" can be answered from the log rather than from memory.
When deconfliction is requested, the red team lead halts activities in the affected area, reviews the rules of engagement (ROE), assesses the team's actions, confirms findings with stakeholders, and communicates them through both email and phone. If the red team is identified as the originator, the specific activities and logs are isolated and the ECG is notified. If the red team is not the originator, the activity must be treated as a potential real intrusion. Proper planning ensures adequate time is allocated for deconfliction during the engagement.
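The following is an added example of the OPLOG lookup at the heart of that process; it is not code from the post or from the Vest/Tubberville book. It assumes (my assumptions, not the page's) that the OPLOG is kept as JSON lines with the fields shown, that all timestamps are UTC in ISO 8601, and that the blue team's question arrives as an observed time, a target host and optionally a source IP. A tolerance window allows for clock skew between the sensor that logged the event and the operator's clock; a query that matches nothing is the signal that the activity was not the red team's and must be escalated.

```python
"""Deconfliction lookup over a red team OPLOG.

Added example; not the book's or the post's code. Assumed OPLOG format:
JSON lines, one action per line, UTC ISO 8601 timestamps.
"""
import json
from datetime import datetime, timedelta

# Constructed sample OPLOG, as operators would append it during the engagement.
# Hostnames and addresses are illustrative only.
OPLOG_JSONL = """\
{"ts": "2024-03-12T14:02:11Z", "operator": "op1", "src_ip": "10.8.0.5", "target": "fs01.corp.example", "tool": "smbclient", "command": "smbclient //fs01/share -U svc_backup", "note": "share enumeration"}
{"ts": "2024-03-12T14:05:40Z", "operator": "op1", "src_ip": "10.8.0.5", "target": "dc01.corp.example", "tool": "ldapsearch", "command": "ldapsearch -x -H ldap://dc01 -b dc=corp,dc=example", "note": "user enumeration"}
{"ts": "2024-03-12T15:30:02Z", "operator": "op2", "src_ip": "10.8.0.6", "target": "web01.corp.example", "tool": "curl", "command": "curl -s https://web01/admin", "note": "admin panel check"}
"""


def _parse_ts(s):
    # Accept a trailing "Z" for UTC, which datetime.fromisoformat rejects before 3.11.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_oplog(text):
    """Parse JSON-lines OPLOG text into a list of dicts with aware datetimes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = _parse_ts(e["ts"])
        entries.append(e)
    return entries


def deconflict(oplog, observed_ts, target, src_ip=None, window=timedelta(minutes=5)):
    """Return OPLOG entries that could explain the blue team's observation.

    window: tolerance for clock skew between the sensor and the operator's clock.
    An empty result means the red team did not do it.
    """
    observed = _parse_ts(observed_ts)
    matches = []
    for e in oplog:
        if abs(e["ts"] - observed) > window:
            continue
        if e["target"].lower() != target.lower():
            continue
        if src_ip is not None and e["src_ip"] != src_ip:
            continue
        matches.append(e)
    return matches


def deconfliction_verdict(oplog, observed_ts, target, src_ip=None):
    """Produce the answer the red team lead sends back to the ECG / white cell.

    Returns ("red_team", report) or ("not_red_team", report).
    """
    hits = deconflict(oplog, observed_ts, target, src_ip)
    if hits:
        lines = [f"RED TEAM ACTIVITY: {len(hits)} matching OPLOG entry/entries"]
        for h in hits:
            lines.append(f"  {h['ts'].isoformat()} {h['operator']} {h['src_ip']} "
                         f"-> {h['target']}: {h['command']}")
        return "red_team", "\n".join(lines)
    return "not_red_team", ("NOT RED TEAM: no OPLOG entry within tolerance; "
                            "treat as a potential real intrusion and escalate")


if __name__ == "__main__":
    oplog = load_oplog(OPLOG_JSONL)
    # Blue team: "LDAP enumeration against dc01 from 10.8.0.5 at 14:06:30Z?"
    print(deconfliction_verdict(oplog, "2024-03-12T14:06:30Z", "dc01.corp.example", "10.8.0.5")[1])
    # Blue team: "SMB activity on fs01 at 18:00Z from 192.0.2.77?"
    print(deconfliction_verdict(oplog, "2024-03-12T18:00:00Z", "fs01.corp.example", "192.0.2.77")[1])
```

The source IP filter matters: a matching host and time but a different source address is not the red team's action, and the verdict must say so rather than give the benefit of the doubt. Keep the tolerance window as small as the known clock skew allows; a wide window makes it easier to wrongly claim an intruder's action as your own.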
This concept is covered in detail in the book, Red Team Development and Operations by Joe Vest and James Tubberville.