tjboudreaux/thinking-red-team

Red Team Thinking

Overview

Red teaming, borrowed from military and security practice, involves deliberately attacking your own plans, systems, or ideas to find weaknesses. A dedicated "red team" assumes an adversarial role, trying to defeat the "blue team's" defenses. This reveals vulnerabilities that defenders' blind spots hide.

Core Principle: Attack yourself before others do. The best defense is knowing your weaknesses.

When to Use

• Security architecture review
• Pre-launch preparation
• Validating critical decisions
• Stress-testing plans and assumptions
• Disaster preparedness
• Competitive strategy
• Code and system review

Decision flow:

Building or planning something important?
  → Have you tried to break it? → no → RED TEAM IT
  → Are you confident in your defenses? → yes → RED TEAM YOUR CONFIDENCE
  → Has an adversary tested you? → no → BE YOUR OWN ADVERSARY

The Red Team Process

Step 1: Define the Target

What are you attacking?

## Red Team Target

System: User authentication system
Scope:
- Login flow
- Password reset
- Session management
- API authentication

Out of scope:
- Physical security
- Social engineering of employees
- Third-party services

Goal: Find vulnerabilities that could lead to:
- Unauthorized account access
- Session hijacking
- Privilege escalation

Step 2: Adopt Adversary Mindset

Think like an attacker:

## Adversary Profile

Who would attack this?
- Script kiddies: Automated scanning, known exploits
- Sophisticated attackers: Custom exploits, patience
- Insiders: Already have some access
- Competitors: Want data or disruption

Attacker motivations:
- Financial gain (steal data, ransom)
- Disruption (take down service)
- Credential harvesting (sell on dark web)
- Competitive advantage (steal IP)

What would I do if I were them?

Step 3: Enumerate Attack Surfaces

Where can attacks happen?

## Attack Surface Enumeration

Entry points:
| Surface | Exposure | Attacker Access |
|---------|----------|-----------------|
| Login form | Public | Anyone |
| API endpoints | Public | Anyone with API key |
| Password reset | Public | Anyone with email |
| Admin panel | Internal network | Employees |
| Database | No direct access | Only if compromised |

Trust boundaries:
- Public internet → Web server
- Web server → Application
- Application → Database
- User → Authenticated user
- User → Admin

Step 4: Execute Attack Scenarios

Systematically try to break things:

## Attack Scenario 1: Credential Stuffing

Attack: Try known breached credentials against login
Goal: Compromise accounts with reused passwords

Execution:
1. Obtain breach database (simulated)
2. Run credentials against login endpoint
3. Document rate limiting behavior
4. Test account lockout triggers
5. Attempt bypass techniques

Findings:
- Rate limiting triggers at 10 attempts/minute
- No account lockout
- No breach credential detection
- Login response time reveals valid usernames

## Attack Scenario 2: Session Hijacking

Attack: Steal or forge session tokens
Goal: Access accounts without credentials

Execution:
1. Analyze session token structure
2. Test token entropy
3. Attempt token prediction
4. Test XSS vectors for token theft
5. Check secure cookie flags

Findings:
- Session tokens use secure random
- Cookies missing HttpOnly flag ←VULNERABILITY
- No session binding to IP
- Tokens don't expire on password change

Step 5: Attempt Bypass

For each defense, try to bypass it:

## Defense Bypass Attempts

Defense: Rate limiting on login
Bypass attempts:
| Attempt | Result |
|---------|--------|
| Distribute across IPs | BYPASSED - no IP correlation |
| Vary username slowly | Works - only per-IP limit |
| Use different user agents | No effect |
| Target password reset instead | BYPASSED - no rate limit |

Conclusion: Rate limiting is per-IP only, easily distributed
            Password reset has no rate limiting

Step 6: Document Findings

Create an actionable report:

## Red Team Findings Report

### Critical Vulnerabilities

#### CRIT-1: Password Reset No Rate Limit
Severity: Critical
Attack: Brute force password reset tokens
Impact: Mass account compromise
Remediation: Add rate limiting to password reset
Timeline: Immediate

#### CRIT-2: Session Tokens Vulnerable to XSS
Severity: Critical
Attack: Inject XSS, steal session cookies
Impact: Account takeover
Remediation: Add HttpOnly flag to session cookies
Timeline: Immediate

### High Vulnerabilities

#### HIGH-1: Rate Limiting Easily Bypassed
Severity: High
Attack: Distributed credential stuffing
Impact: Account compromise at scale
Remediation: Add account-level rate limiting
Timeline: 1 week

### Medium Vulnerabilities

#### MED-1: Username Enumeration via Timing
Severity: Medium
Attack: Determine valid usernames
Impact: Enables targeted attacks
Remediation: Constant-time response for login
Timeline: 2 weeks

Red Team Patterns

Security Red Team

## Security Red Team Checklist

Authentication:
- [ ] Credential stuffing
- [ ] Brute force attacks
- [ ] Session hijacking
- [ ] Token prediction
- [ ] Password reset flaws

Authorization:
- [ ] Privilege escalation
- [ ] IDOR (insecure direct object reference)
- [ ] Missing function-level access control
- [ ] JWT manipulation

Input validation:
- [ ] SQL injection
- [ ] XSS (stored, reflected, DOM)
- [ ] Command injection
- [ ] Path traversal

Business logic:
- [ ] Race conditions
- [ ] State manipulation
- [ ] Price manipulation
- [ ] Workflow bypass

Plan Red Team

## Plan Red Team: Product Launch

Red team the launch plan:

What could go wrong?
| Failure Mode | Attack Vector | Mitigation |
|--------------|---------------|------------|
| Traffic spike | Product goes viral | Auto-scaling, load test |
| PR disaster | Journalist finds bug | Bug bash before launch |
| Payment failure | Provider outage | Backup payment provider |
| Support overwhelmed | Many questions | FAQ, chatbot, staff up |

Assumptions to challenge:
| Assumption | What if wrong? | How to verify? |
|------------|----------------|----------------|
| Users will understand new UI | Confusion, support tickets | User testing |
| Infrastructure handles 10x | Crashes | Load testing |
| Marketing will drive traffic | No signups | Organic channel backup |

Architecture Red Team

## Architecture Red Team: Microservices Migration

Attack the architecture:

Single points of failure:
- API Gateway - if down, everything down
- Auth service - if down, no logins
- Message queue - if down, async breaks

Cascade failures:
- Service A times out → retries → overwhelms B → cascade
- Database connection exhaustion → app servers stuck → timeout cascade

Data consistency attacks:
- Eventual consistency window exploits
- Distributed transaction rollback states
- Cache invalidation race conditions

Findings:
1. No circuit breakers between services
2. Shared database = coupled failure domains
3. No chaos engineering to verify resilience

Decision Red Team

## Decision Red Team: Technology Choice

Decision: Adopt Kubernetes for container orchestration

Red team the decision:

Arguments AGAINST:
- Operational complexity high for small team
- Learning curve delays delivery 3-6 months
- Could use simpler solutions (ECS, docker-compose)
- Over-engineering for current scale

Counter-arguments:
- Scale projections justify complexity
- Team wants to learn K8s anyway
- Platform engineering investment pays off

Red team verdict:
The learning curve argument is strongest.
Consider: Managed K8s (EKS/GKE) to reduce ops burden
         Start with single namespace, expand gradually

Red Team Template

# Red Team Report: [Target]

## Scope
Target: [What's being red teamed]
In scope: [What to attack]
Out of scope: [What to skip]
Goal: [What constitutes a successful attack]

## Adversary Model
Who: [Who would attack this]
Capabilities: [What they can do]
Motivation: [Why they'd attack]

## Attack Surface
| Surface | Exposure | Notes |
|---------|----------|-------|
| | | |

## Attack Scenarios Executed
| Scenario | Result | Severity |
|----------|--------|----------|
| | | |

## Findings

### Critical
[Findings requiring immediate action]

### High
[Findings requiring near-term action]

### Medium
[Findings for backlog]

### Low
[Informational findings]

## Recommendations
| Finding | Remediation | Priority | Effort |
|---------|-------------|----------|--------|
| | | | |

## Lessons Learned
[What did the red team reveal about blind spots?]

Verification Checklist

• [ ] Defined clear scope and adversary model
• [ ] Adopted genuine adversary mindset
• [ ] Enumerated attack surfaces
• [ ] Executed multiple attack scenarios
• [ ] Attempted to bypass defenses
• [ ] Documented findings with severity
• [ ] Provided actionable remediation
• [ ] Updated defenses based on findings

Key Questions

• "How would an attacker approach this?"
• "What assumptions am I making that an attacker wouldn't?"
• "What's the weakest point in this system?"
• "If I wanted to cause maximum damage, how would I?"
• "What am I confident about that I haven't actually tested?"
• "What would I find embarrassing if an attacker found it first?"

Sun Tzu's Wisdom (Applied)

"If you know the enemy and know yourself, you need not fear the result of a hundred battles."

Red teaming is knowing yourself as the enemy would. You find your weaknesses before they do. You attack your confidence before it betrays you. The purpose isn't pessimism—it's preparation.