When the Pentagon wanted to understand how the Soviets might launch an attack against the United States during the Cold War, it created a secret team to think like its adversaries. This approach evolved into a powerful cybersecurity practice called red teaming. 

In a red team engagement, an organization tasks a group of security professionals (the “Red Team”) with carrying out a simulated attack against its technology, people, and processes, while the Blue Team defends against the Red Team’s attacks, typically without being told an exercise is underway. Regardless of the setup, this approach delivers results—Forrester estimates that Red Team testing results in a 25% reduction in security incidents and a 35% reduction in the cost of security incidents.

What makes red teaming so effective is that it requires thinking from an attacker’s perspective. By adopting this adversarial mindset, organizations can improve their security postures by identifying vulnerabilities and gaps that traditional security testing might miss. In this blog post, we’ll explore the psychological principles behind this adversarial approach and how organizations can adopt them to elevate their security postures. 
Inside the adversarial mindset

The adversarial mindset is the foundation of effective red teaming, combining strategic thinking with tactical creativity. We’ve condensed this approach into four key principles that show up in each Red Team exercise. Let’s break them down: 
Understand an attacker’s motivations

Red teaming exercises begin with establishing clear objectives and success criteria, which are shaped by the specific attacker profile an organization wants to simulate. Understanding this profile is critical, as it reveals the attacker’s motivations and helps predict the likely shape and methods of an attack. Attacker motivations could be ideological, geopolitical, financial, or even cultural. 

For example, if you’re a large financial services organization, you might be worried about financially motivated attackers. Therefore, Red Teamers might prioritize attacking payment processing systems or stealing customer financial data. However, suppose you have determined that your potential attackers seek notoriety. In this case, Red Teamers might target public-facing assets that will generate the most publicity when compromised (e.g., your website). 
Consider non-technology entities

In the real world, attackers are willing to use any means to achieve their goals, even if these involve deceiving people or compromising an organization’s physical space. This is reflected in the statistics—90% of the cybersecurity attacks that occurred in Q1 2024 involved some kind of social engineering. 

Red teaming accounts for this by adding people and processes to an exercise’s scope and leveraging trust, fear, and curiosity to manipulate employees into forgoing security protocols. For example, Red Teamers might use social engineering tactics such as phishing emails, pretexting calls (also known as vishing), and baiting to trick employees into revealing confidential information. Organizations need to consider and secure these non-technology factors to safeguard their critical assets. 
Embrace holistic problem-solving

Threat actors are the ultimate problem-solvers, combining creative and unconventional strategies to achieve their goals. During the initial threat modeling and reconnaissance phase, attackers use various tools to gather information on their targets, from public tools like GitHub and LinkedIn to specialized tools like sites on the dark web and Shodan (a search engine for internet-connected devices and services). 

This comprehensive research helps them identify potential avenues for attack and determine how to maximize impact through single exploits or complex attack chains. Unlike traditional security methods that examine vulnerabilities in isolation, attackers view a target holistically, resulting in a more complete picture of its vulnerabilities.
Adopt a relentless mindset

Attackers are relentless in pursuing their goals; they wait secretly and patiently for months to find the right opportunity to strike. Red team assessments are designed with this principle in mind, often ranging from several weeks to months to complete properly. This extended time frame allows Red Teamers to methodically refine and iterate their tactics to maximize potential damage, accurately simulating real attackers’ behaviors. Additionally, it enables Red Teams to respond to Blue Team countermeasures, just as actual attackers would adjust their strategies when faced with resistance. This also mirrors the real-world attacker mindset: an unwavering determination to do whatever it takes to achieve the relevant goals.
The adversarial approach in action

Let’s put these principles into action through a hypothetical case study where a “Red Team” is hired to simulate an attack against a SaaS platform. Here’s how the exercise might unfold: 

  • Identify an attacker’s motivation—To establish clear objectives, the Red Team begins by creating a specific attacker profile. Based on the threat landscape and the organization’s history, they simulate a notoriety-seeking attacker. Therefore, their primary goal is to access the most damaging information in the target organization’s servers.
  • Consider nontechnical assets—Given this objective, the Red Team’s task is to gain access to a crown jewel server. They research individuals at the organization on LinkedIn along with tools used by the organization’s engineering teams. Using these tools, they then craft convincing phishing emails that mimic legitimate emails that engineers might get from these tools. These targeted messages help them acquire an engineer’s credentials.
  • Embrace holistic problem-solving—When faced with MFA, the Red Team deploys proxy servers designed to capture session tokens. They replay these tokens to bypass authentication controls and access target resources. Using the authenticated session, the Red Team gains access to the internal network via a Citrix environment, which enables them to perform discovery and identify attack paths via cloud servers. Through this investigation, the Red Team discovers some SSH keys and pivots to using them to compromise the target server. Once inside, they try to find and chain vulnerabilities to increase privileges, allowing them to move laterally through the environment. 
  • Adopt a relentless mindset—After successfully compromising this server, the Red Team discovers they must breach a different server, locked down to a specific user and jump box. Instead of giving up, they devise a new plan: compromising the credentials of the more senior engineer, looking for misconfigurations in access controls, or compromising another system connected to the server. Ultimately, the Red Team uses all learned information to craft new attacks until they reach the required objective. 

Once the exercise is complete, the organization will better understand how a threat actor might compromise their systems, who they would target, and what parts of the system need work (e.g., detection, prevention, response, and recovery). Using these insights, the organization can patch up their weaknesses and strengthen their security posture.
How an adversarial mindset fits into a security strategy

An organization’s security strategy should never be static—it must evolve dynamically based on the organization’s risk tolerance in an evolving threat environment. For organizations comfortable with higher risk, traditional security measures like pen testing might be sufficient. However, for organizations with a low risk appetite, an adversarial mindset can significantly beef up their security strategies. This mindset lets them view their organizations through an attacker’s lens, understanding attackers’ motivations and capabilities. With this insight, they can protect critical assets by thwarting attacks before they occur. 

Organizations can gradually incorporate this adversarial approach. For example, if you’re just getting started, consider examining known vulnerabilities through an adversarial lens. Ask yourself, “What are the motivations of an attacker that might exploit this vulnerability?” or “How can an attacker utilize this vulnerability alongside others to achieve their goals?” More mature organizations often hire third-party specialists to perform regular red teaming exercises. These assessments reveal an organization’s various attack scenarios and highlight specific areas needing improvement—whether in prevention, detection, response, or recovery.

In a world of evolving threats, the adversarial mindset isn’t just a security tool—it’s a competitive advantage. By thinking like attackers, organizations can anticipate their tactics and build more effective defenses. As Sun Tzu wisely noted in The Art of War, “Know the enemy and know yourself in a hundred battles, and you will never be in peril.”