Counter-APT Red Teaming
A different approach to simulating attacks and defending against advanced persistent threats.
In his book Professional Red Teaming, Dr. Jacob G. Oakley introduces and makes a case for the concept of Counter-APT Red Teaming (CAPTR teaming), also known as Reverse Red Teaming. This was also the topic of his PhD dissertation.
No, “Reverse Red Teaming” does not mean red team engagements conducted by the blue team, nor does it refer to any blue team exercise, and it definitely does not mean hacking back at the attacker.
The idea behind this concept is that, while traditional red team engagements are conducted from an external perspective (how can an attacker reach the organization’s critical assets from the outside?), CAPTR team engagements are conducted from an internal perspective (the attacker already has access to critical assets; how did they get there?).
At the outset, red teaming and counter-APT red teaming may sound the same, but there are subtle differences between them. In the book, Dr. Oakley describes CAPTR teaming as an offensive security assessment model that implements three novel evaluation attributes:
- Worst-case risk analysis to identify scope - The scope of a CAPTR team engagement is decided by assuming the worst, i.e. that the attacker already has access to the organization’s critical assets. To create a meaningful scope, the organization must know what its critical assets are and where they are located in its network.
- Critical compromise initialization perspective - CAPTR team engagements begin at critical assets and move outwards to lower-risk assets, i.e. assessors are given access to the critical assets and from there move to other connected assets to work out the attack paths that could lead an attacker to those critical assets. This is unlike a traditional red team engagement, which begins at low-risk assets and moves inwards to higher-risk assets.
- Vulnerability analysis and exploitation using reverse pivot chaining - Assessors first analyze vulnerabilities on the critical assets and simulate their exploitation to obtain privileged access (note that actual exploitation is not performed, because of the importance of these assets). They then move on to vulnerability analysis of any connected assets and pivot to them. This continues until they arrive at the last node in the attack path. It is called reverse pivot chaining because assessors pivot from higher-risk to lower-risk assets, the opposite of a traditional red team engagement. Think of it as lateral movement in the opposite direction.
As per the author, CAPTR team engagements are supposed to provide the following benefits over traditional red team engagements:
- More impactful results - Any observation from a CAPTR team engagement is inherently deemed critical because it impacts the organization’s critical assets. It may also identify attack paths that were missed during a traditional red team engagement.
- Lower costs - Since the scope only considers critical assets, these engagements require less manpower and fewer resources, reducing the overall cost of the engagement.
- Faster conclusion - Again, since the scope is highly specific, these engagements tend to conclude faster than traditional red team engagements.
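To make the three attributes and the scope argument concrete, here is an added Python model that is not from the book or this post. It walks outward from the assets tagged critical (critical compromise initialization), builds reverse pivot chains until an entry point is reached and flips them into attacker-ordered paths, then compares how many assets fall within a fixed number of pivots from a critical asset versus from the entry point. The hostnames, risk tiers and connections are a constructed sample, and the `internet` node stands in for the external entry point.

```python
from collections import deque

# Constructed sample environment (hostnames, tiers and connections are made
# up for this example): asset -> (risk tier, assets it can reach directly).
ASSETS = {
    "db-finance":   ("critical", {"app-erp", "backup-srv"}),
    "app-erp":      ("high",     {"db-finance", "jump-host", "ws-finance"}),
    "backup-srv":   ("high",     {"db-finance", "jump-host"}),
    "jump-host":    ("medium",   {"app-erp", "backup-srv", "vpn-gw"}),
    "ws-finance":   ("medium",   {"app-erp", "mail-gw"}),
    "vpn-gw":       ("low",      {"jump-host", "internet"}),
    "mail-gw":      ("low",      {"ws-finance", "internet"}),
    "web-frontend": ("low",      {"internet", "app-crm"}),
    "app-crm":      ("medium",   {"web-frontend", "db-crm"}),
    "db-crm":       ("high",     {"app-crm"}),
    "internet":     ("external", {"vpn-gw", "mail-gw", "web-frontend"}),
}

def critical_assets(assets):
    """Worst-case risk analysis: the scope starts at assets already tagged critical."""
    return sorted(a for a, (tier, _) in assets.items() if tier == "critical")

def reverse_pivot_chains(assets, start, entry="internet"):
    """Critical compromise initialization plus reverse pivot chaining: assume
    `start` is already compromised (exploitation is only simulated), pivot
    outward one connected asset at a time until the entry point is reached,
    then reverse each chain so it reads as the attacker's path inward."""
    paths, queue, seen = [], deque([[start]]), {start}
    while queue:
        chain = queue.popleft()
        for nxt in sorted(assets[chain[-1]][1]):
            if nxt == entry:
                paths.append(list(reversed(chain + [nxt])))
            elif nxt not in seen:
                seen.add(nxt)
                queue.append(chain + [nxt])
    return paths

def scope_within(assets, start, max_pivots):
    """Assets an assessor touches within `max_pivots` hops of `start`: compare
    a CAPTR scope (start = critical asset) with outside-in (start = entry)."""
    depth, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        if depth[cur] < max_pivots:
            for nxt in assets[cur][1]:
                if nxt not in depth:
                    depth[nxt] = depth[cur] + 1
                    queue.append(nxt)
    return sorted(depth)
```

With this sample graph, two attacker paths into `db-finance` are recovered, and two pivots from the critical asset touch five assets where two pivots from the entry point touch seven.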
Red Team Notes
- Counter-APT Red Team or Reverse Red Team engagements are conducted from an internal perspective, i.e. the attacker already has access to critical assets; how did they get there?
- CAPTR team engagements have the following attributes:
  - Worst-case risk analysis to identify scope
  - Critical compromise initialization perspective
  - Vulnerability analysis and exploitation using reverse pivot chaining
- An organization must know what its critical assets are before initiating a CAPTR team engagement.
In the last few chapters of the book, the author designs an experiment to evaluate the overall efficiency of CAPTR team engagements versus other offensive security engagements. The result of the experiment was, obviously, in favor of CAPTR team engagements.
I found the concept of CAPTR team engagements a bit radical, yet innovative. I say radical because this goes against everything that we have been taught from a security testing perspective, i.e. “never use production assets for testing”, and here we are talking about conducting these simulations on critical assets.
In my opinion, organizations will benefit by combining both types of red team engagements. If they know what makes them vulnerable from the outside and the inside, they can proactively address those weaknesses, strengthen their defenses, and reduce the likelihood of successful attacks.
If you want to learn more about this concept, do check out the book Professional Red Teaming or Dr. Oakley’s PhD dissertation.