What is situational awareness in the context of red team assessments?
Learn what situational awareness is and why it is important during red team assessments.
What is the first thing most people do when they go into an escape room? They look around. They take cognisance of how the room is laid out, what objects are in the room, whether any tools are available, whether there is anything they should avoid interacting with, whether there is a monster chained in the cupboard, etc. By doing this, they are creating situational awareness, i.e. they are gathering and analysing information about the environment. This situational awareness will help them decide their next steps and ultimately achieve their objective: to escape the room.
In the context of red team assessments, situational awareness means gathering and analysing information about the target environment. This takes place both prior to and during an assessment. It helps the red team operator adapt their tools, tactics and techniques to the target environment in real time.
Red Team Notes
During red team assessments, situational awareness helps you maintain stealth, exploit opportunities, and respond effectively to evolving circumstances, ensuring your assessment is as realistic and impactful as possible.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
Situational awareness involves three key components:
Perception of the Environment
This is about observing what's happening around you. In a red teaming scenario, this could include noticing network activity, identifying the security controls in place, or understanding how employees and systems are responding to your actions.
Comprehension of the Situation
Beyond just observing, you need to analyse and understand what those observations mean. For example, if you see unusual logging or an increase in system alerts, it might indicate that the blue team (the defenders) is catching on to your presence.
Projection of Future States
This involves predicting what is likely to happen next based on your understanding of the current situation. For instance, if the defenders have been alerted, you might predict that they will start monitoring specific areas more closely, and adjust your tactics accordingly.
This may sound similar to the reconnaissance phase of an assessment, but it is more than that. During the reconnaissance phase, a red team operator focuses on gathering as much information about the target environment as possible, which they later analyse to create situational awareness. Note that reconnaissance primarily focuses on the gathering aspect rather than on analysing.
Also, reconnaissance is a more or less point-in-time activity, whereas developing situational awareness is a continuous process. For example, while performing reconnaissance a red team operator will usually not pick up signals like unusual spikes in traffic or alerts being sent to defenders. This kind of telemetry is picked up as part of creating situational awareness, and it helps red team operators adapt their tradecraft in real time.
Red Team Notes
- Reconnaissance primarily focuses on the gathering aspect rather than analysing.
- Reconnaissance is a more or less point-in-time activity, whereas developing situational awareness is a continuous process.
Situational awareness is important because it enables red team operators to adapt their tools, tactics and techniques to the target environment in real time, and it also helps them avoid accidentally triggering alerts to defenders. For example, an organisation may have wrapped (backdoored) common system tools like whoami, ls, cd etc. so that an alert is sent to the security team whenever they are used; for a shell builtin like cd this means a shell function or alias rather than a modified binary. These are usually the first tools a red team operator runs after gaining access to a system. A skilled red team operator will inspect such tools for wrappers before running them, thus building situational awareness, and if a backdoor is present will switch to alternative methods or tools.
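The following POSIX shell script is an added example, not code from the original post, of the pre-flight check described above. Before running whoami, ls or id on a newly accessed host, it asks the shell what it would actually execute for each name, follows symlinks, reads the file's magic bytes and checks which directory it lives in, and flags anything that is not a shell builtin or an ELF binary in a standard system directory. It also shows one alternative for whoami that does not execute the tool at all. The "tripwire" wrapper it plants in a temporary directory is constructed for the demonstration, and the function names and the directory allow-list are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight inspection of the
# "noisy" utilities an operator typically runs first on a newly accessed
# host. A shell alias or function, or a script sitting where an ELF binary
# is expected, is a cheap way to make `whoami`/`ls` raise an alert.

# classify NAME -> alias | function | builtin | missing | script | binary | other
classify() {
    cv=$(command -v "$1" 2>/dev/null) || { echo missing; return 0; }
    case "$cv" in
        /*) ;;   # a file on PATH; inspected below
        *)       # not a file: ask `type` what the shell would run instead
            case "$(type "$1" 2>/dev/null | head -n 1)" in
                *builtin*)  echo builtin ;;
                *function*) echo function ;;
                *alias*)    echo alias ;;
                *)          echo other ;;
            esac
            return 0 ;;
    esac
    # Follow symlinks so that /usr/bin/ls -> /opt/wrappers/ls is what gets checked.
    real=$(readlink -f "$cv" 2>/dev/null || echo "$cv")
    # First four bytes of an ELF file are 7f 45 4c 46; a "#!" shebang is 23 21.
    magic=$(dd if="$real" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo binary ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# in_system_dir PATH -> 0 if PATH is under a directory the base OS owns.
# (This allow-list is the example's own choice; tune it for the target.)
in_system_dir() {
    case "$(dirname "$1")" in
        /bin|/usr/bin|/sbin|/usr/sbin) return 0 ;;
        *) return 1 ;;
    esac
}

# inspect NAME -> prints "NAME kind resolved-path verdict"; returns 0 when the
# tool looks untouched (a shell builtin, or an ELF binary in a system
# directory) and 1 when the operator should reach for an alternative instead.
inspect() {
    kind=$(classify "$1")
    cv=$(command -v "$1" 2>/dev/null || true)
    case "$cv" in
        /*) real=$(readlink -f "$cv" 2>/dev/null || echo "$cv") ;;
        *)  real=- ;;
    esac
    verdict=SUSPECT
    if [ "$kind" = builtin ]; then verdict=ok
    elif [ "$kind" = binary ] && in_system_dir "$real"; then verdict=ok
    fi
    printf '%-8s %-9s %-30s %s\n' "$1" "$kind" "$real" "$verdict"
    [ "$verdict" = ok ]
}

# If whoami is suspect, recover the user name without executing it: read the
# current process's Uid from /proc (awk inherits the shell's) and look it up
# in /etc/passwd. Falls back to the numeric uid, or to $USER without /proc.
alt_whoami() {
    uid=$(awk '/^Uid:/ { print $2 }' /proc/self/status 2>/dev/null)
    if [ -z "$uid" ]; then printf '%s\n' "${USER:-unknown}"; return 0; fi
    name=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' /etc/passwd 2>/dev/null)
    printf '%s\n' "${name:-$uid}"
}

# Constructed tripwire for the demonstration: a wrapper script that logs the
# call and then runs the real binary, planted ahead of it on PATH.
setup_demo() {
    demo_dir=$(mktemp -d)
    real_whoami=$(command -v whoami 2>/dev/null || echo /usr/bin/whoami)
    cat > "$demo_dir/whoami" <<EOF
#!/bin/sh
logger -t tripwire "whoami run by pid \$PPID" 2>/dev/null || true
exec $real_whoami "\$@"
EOF
    chmod +x "$demo_dir/whoami"
    PATH="$demo_dir:$PATH"
    hash -r 2>/dev/null || true   # drop any cached lookup of the real whoami
}

teardown_demo() {
    rm -rf "$demo_dir"
}

main() {
    setup_demo
    for tool in whoami id ls cd uname; do inspect "$tool" || true; done
    printf 'alt_whoami says: %s\n' "$(alt_whoami)"
    teardown_demo
}

main
```

Run it on the freshly accessed host and the planted whoami shows up as `script` in the temporary directory with the verdict SUSPECT, while cd is reported as a builtin and ls and uname as system binaries. A package-manager integrity check (dpkg -V or rpm -V on the owning package) is the natural next step for anything this flags, since a modified ELF in /usr/bin would pass the magic-byte test above.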
If you want to know about situational awareness in the context of intelligence, read this article by Flashpoint.