Debunking common myths around red teaming
Let's talk about common myths or misconceptions about red team engagements.
If you are new to the world of red teaming in the realm of cybersecurity, you must have come across some of these myths or misconceptions. In this post, let's debunk the most common ones. If you think I have missed out on a myth, please feel free to add it in the comments.
1. Red team engagements are all about attacking Active Directory - This misconception stems from the fact that many red team certifications out there are primarily focused on Active Directory. This is for a good reason: Active Directory and Azure Active Directory together hold over 45% of the Identity and Access Management market share. However, red team engagements are usually more complex than that (unless focused solely on Active Directory services). For example, in a full engagement model, the red team will have to figure out a way to get an initial foothold in the network. This may involve social engineering (phishing, spear phishing, etc.), web application attacks (OWASP Top 10), attacking cloud infrastructure, etc. Similarly, upon landing inside an organisation's network they may come across Linux servers, micro-services, database servers, custom-developed applications, etc. Each of these requires a different skillset that goes beyond attacking Active Directory.
2. Red team engagements require a novel exploit or a zero-day vulnerability - While it is good to have, most red team engagements don't require a novel exploit or a zero-day vulnerability. Remember, a red team engagement is objective driven. It is not a penetration test. As long as an n-day exploit or a misconfiguration serves the objective, finding zero-day vulnerabilities or creating novel exploits will not be required.
3. The objective of a red team engagement is to hack, hack and then hack some more - A red team engagement is not a destructive exercise. While red team operators do need to think and act like an attacker, they are not attackers. In fact, red team operators need to work in a controlled manner so as not to impact any business operations. The primary purpose behind any red team engagement is to improve the organisation's defences. Think of it as a training exercise for the blue team rather than a proving ground for your hacking skills.
4. An unsuccessful red team engagement means a lack of skilled operators - Red team engagements are not guaranteed to succeed even if you have the best red team operators. It mostly means that the defenders know what they are doing and are doing a good job of it. It may also mean that the resources allocated for the engagement (time, tools, budget, manpower, etc.) were not sufficient. Before putting the onus on the operators, please have a discussion with the red team to understand why the engagement was unsuccessful. Another important thing to keep in mind is to align on the definition of a successful vs. unsuccessful engagement. For example, if a red team is able to achieve their objective they may call it a successful engagement, but the security leadership may think otherwise. This alignment must be done during the initial discussions, most likely during the scoping phase.
5. A successful red team engagement means a lack of skilled defenders - Basically, everything that I wrote in point 4, just from the defender's perspective. Aligning on the definition of successful vs. unsuccessful is a must. I read this article on the emotional toll of red teaming and decided to explicitly call out this myth as well.
Red Team Notes
- Red team engagements are not only about attacking Active Directory. They are usually more complex than that.
- Red team engagements usually do not require novel exploits or zero-day vulnerabilities.
- A red team engagement is an exercise to train the blue team. It is not a proving ground for your hacking skills.
- Look deeper to understand why the red team engagement was unsuccessful or successful. It may be because everything is working as it should.
- Align on the definition of a successful and an unsuccessful red team engagement before the engagement begins.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.