Advanced Red Platform

Plan and execute red team operations that simulate real-world adversary behavior to test an organization's detection and response capabilities. This skill covers adversary emulation, MITRE ATT&CK mapping, command and control infrastructure, operational security, purple team integration, and engagement reporting.

When to Use This Skill

Choose Advanced Red Platform when you need to:

• Simulate advanced persistent threat (APT) behavior against an organization
• Test security operations center (SOC) detection and incident response capabilities
• Map red team activities to MITRE ATT&CK tactics and techniques
• Plan covert operations with proper operational security (OPSEC)

Consider alternatives when:

• You need vulnerability-focused penetration testing (use Ethical Hacking Smart)
• You need specific exploitation tools (use Metasploit, Burp Suite skills)
• You need defensive security assessment (use security audit frameworks)

Quick Start

Copy
from dataclasses import dataclass, field
from typing import List, Dict, Optional
from datetime import datetime
from enum import Enum

class ATTACKTactic(Enum):
    INITIAL_ACCESS = "TA0001"
    EXECUTION = "TA0002"
    PERSISTENCE = "TA0003"
    PRIVILEGE_ESCALATION = "TA0004"
    DEFENSE_EVASION = "TA0005"
    CREDENTIAL_ACCESS = "TA0006"
    DISCOVERY = "TA0007"
    LATERAL_MOVEMENT = "TA0008"
    COLLECTION = "TA0009"
    EXFILTRATION = "TA0010"
    COMMAND_AND_CONTROL = "TA0011"
    IMPACT = "TA0040"

@dataclass
class ATTACKTechnique:
    technique_id: str
    name: str
    tactic: ATTACKTactic
    tool: str
    status: str = "planned"  # planned, executed, detected, missed
    detection_time: Optional[float] = None  # hours until detected
    notes: str = ""

@dataclass
class RedTeamOperation:
    name: str
    objective: str
    target_org: str
    techniques: List[ATTACKTechnique] = field(default_factory=list)
    start_time: Optional[datetime] = None

    def add_technique(self, technique: ATTACKTechnique):
        self.techniques.append(technique)

    def attack_coverage(self) -> Dict[str, int]:
        """Calculate ATT&CK tactic coverage."""
        coverage = {}
        for t in self.techniques:
            tactic = t.tactic.name
            coverage[tactic] = coverage.get(tactic, 0) + 1
        return coverage

    def detection_report(self) -> str:
        """Generate detection effectiveness report."""
        total = len([t for t in self.techniques if t.status != 'planned'])
        detected = len([t for t in self.techniques if t.status == 'detected'])
        missed = len([t for t in self.techniques if t.status == 'missed'])

        lines = [
            f"RED TEAM DETECTION REPORT — {self.name}",
            f"Target: {self.target_org}",
            f"Techniques executed: {total}",
            f"Detected: {detected} ({detected/max(total,1)*100:.0f}%)",
            f"Missed: {missed} ({missed/max(total,1)*100:.0f}%)",
            "",
        ]

        # Missed techniques (most actionable for defense)
        missed_techs = [t for t in self.techniques if t.status == 'missed']
        if missed_techs:
            lines.append("UNDETECTED TECHNIQUES (Priority fixes):")
            for t in missed_techs:
                lines.append(f"  [{t.technique_id}] {t.name} ({t.tactic.name})")
                lines.append(f"    Tool: {t.tool}")
                if t.notes:
                    lines.append(f"    Notes: {t.notes}")

        return '\n'.join(lines)

# Example operation
op = RedTeamOperation(
    name="Operation Crimson Storm",
    objective="Test SOC detection of APT-style attack chain",
    target_org="Acme Corp",
)
op.add_technique(ATTACKTechnique(
    "T1566.001", "Spearphishing Attachment", ATTACKTactic.INITIAL_ACCESS,
    "Custom macro document", status="detected", detection_time=0.5
))
op.add_technique(ATTACKTechnique(
    "T1059.001", "PowerShell Execution", ATTACKTactic.EXECUTION,
    "Encoded PowerShell downloader", status="missed"
))
op.add_technique(ATTACKTechnique(
    "T1053.005", "Scheduled Task Persistence", ATTACKTactic.PERSISTENCE,
    "schtasks.exe", status="missed",
    notes="Created scheduled task with SYSTEM privileges, not flagged by EDR"
))
print(op.detection_report())

Core Concepts

Red Team vs Penetration Test

Aspect	Penetration Test	Red Team
Goal	Find vulnerabilities	Test detection and response
Scope	Defined targets	Objective-based (flexible)
Duration	1-2 weeks	2-6 weeks (or ongoing)
Stealth	Not required	Critical (simulate real attacker)
Methodology	Comprehensive testing	Targeted attack chains
Reporting	Vulnerability list	Detection gaps and response assessment
SOC awareness	Usually informed	Usually not informed (or limited)

Configuration

Parameter	Description	Default
operation_name	Code name for the engagement	Required
objective	Primary operational objective	Required
threat_profile	Adversary being emulated	"generic APT"
attack_framework	Framework for mapping (MITRE ATT&CK)	"ATT&CK v14"
opsec_level	Stealth requirements (high, medium, low)	"high"
c2_framework	Command and control tool	Engagement-specific
duration_weeks	Planned operation duration	4
purple_team	Whether SOC is actively collaborating	false

Best Practices

1. Map every action to MITRE ATT&CK techniques — Before and during the operation, map all planned and executed techniques to ATT&CK IDs. This creates a standardized framework for communicating findings and directly helps the SOC improve detection rules for specific technique IDs.

2. Maintain strict operational security throughout — Use dedicated infrastructure, encrypted communications, timestomping, and log clearing (on your own systems) to simulate a real adversary. If the red team is immediately detected due to sloppy OPSEC, the engagement fails to test the SOC's ability to detect sophisticated threats.

3. Focus on the objective, not on finding every vulnerability — Red team operations are objective-driven: "Access the CEO's email" or "Exfiltrate customer PII." Follow the most realistic attack path to the objective rather than exhaustively testing every system. This models real adversary behavior.

4. Coordinate deconfliction procedures with the client — Establish a deconfliction protocol so the client can verify whether suspicious activity is the red team or a real attacker. Use a shared secret or communication channel. False negatives (ignoring real attacks thinking they're the red team) are dangerous.

5. Deliver purple team recommendations, not just red team findings — For each undetected technique, recommend specific detection rules, log sources, and alert configurations. Transform red team findings into actionable SOC improvements. This maximizes the defensive value of the engagement.

Common Issues

Red team is detected immediately due to known IOCs — The SOC may have signatures for common C2 frameworks (Cobalt Strike, Metasploit default configs). Use custom tooling, modify network signatures, and rotate infrastructure to avoid signature-based detection. The goal is to test behavioral detection, not signature matching.

Scope boundaries are unclear during objective-based operations — Unlike pentests with explicit IP ranges, red team scopes are objective-based and may require accessing unspecified systems. Define clear boundaries in the ROE: what's absolutely off-limits (production databases, safety systems), escalation procedures, and when to pause.

Purple team exercises lose value when SOC knows exactly what's coming — In purple team mode, share technique categories but not exact timing or implementation details. The SOC should know "we'll test lateral movement this week" but not "we'll use PsExec to move from HR-WS01 to DC01 at 2 PM Tuesday." This preserves realistic detection testing.