Adversarial Mindset

Adapt to Overcome

2022 Marine Raider Foundation Donation Drive

Similar to the previous donation drive, I am running a fundraiser for the Marine Raider Foundation. The last donation drive was for the original Adversarial Mindset Skull morale patches which are no longer offered individually.

New for this year:

  • A special edition and unique MARSOC morale patch design (with two variations) specifically for this event.

  • Multiple donation tiers with limited run Stealth and Topo Skull Rune morale patches as add-ons for the higher donation tiers.

You can view the donation tiers here.


About the Marine Raider Foundation

The Marine Raider Foundation is a 501(c)(3) non-profit organization established in 2012 to provide benevolent support to active duty and medically retired Marine Raiders and their families, World War II Marine Raiders, and the families of raiders who have lost their lives in service to our nation. The foundation aims to meet needs unmet by the government with an emphasis on building personal and family resiliency and supporting the full reintegration of wounded, ill, injured and transitioning raiders, their families and MARSOC’s gold star families.

ᛞ ᚾ

For Consideration when Red Teaming

This was originally drafted as a thought exercise for an article on RECOIL OFFGRID but wasn’t used.

Red teaming can mean a lot of things to a lot of people. In the truest sense, and as we will define it here for the purpose of this article, it’s adopting the adversarial mindset, or more plainly, thinking like the bad guy or about how a situation can go wrong. Understanding and viewing how things can go wrong and why is extremely important in everyday life. With random acts of violence and terror occurring seemingly every day, it’s important to understand how to think critically and apply it to your life. For red teams, this is paramount, for applied critical thinking is a make-it-or-break-it skill set.

Below are a few ‘lessons learned’ or consideration points when building out and operating a red team. There are a plethora of posts and material covering this topic out there, so I tried to be brief on the matter and only highlight what I would consider a few key points.

Lessons Learned

Don’t overthink it and don’t fight your gut - sometimes you just need to go with your initial instinct. If you start to think something might be amiss or just plain wrong for the environment you’re in, chances are it is. There are times where you need to embrace that feeling of uncertainty and either get the hell out of the area or ensure you approach the situation in front of you with multiple strategies. If you are too reactive to what’s around you, you will be one step behind. Good proactive actions will always win the day over bad reactions or freezing in place. If you’re conducting a red team operation, drill and practice the plan over and over. Approach the problem set from multiple angles to better understand what could go wrong and what success actually looks like.

You don’t know everything - accept it. A good red team is exactly that, a team that’s comprised of others that have their own specialties and abilities to contribute. To build a good team you need to think about what skills and experience you’ll need to get the job done. Also, in that same vein, you cannot settle for less. A team may be successful in one particular situation, but if the playing field were to change, you should consider these modifiers and adjust team composition as necessary. Given enough time, good team members can adapt; however, if you have timelines that can’t be moved, it’s better to swap in teammates that can multiply your chances of success, or call the operation off. The worst case scenario would be to proceed with an inadequate team where you don’t achieve mission success or someone gets hurt or worse.

Encourage disagreement and alternative planning - until planning has been completed and you’re in an operational state, encourage feedback and dissenting opinions during the plan design phase. This is where it matters most. If you have a red team leader (RTL) dictating every step of the plan and ignoring voices of teammates, then you have a bad RTL. This doesn’t happen too often; however, just like the above point where you don’t know everything, the same is true for the RTL. This is why it’s a good idea to shift RTLs based on the engagement. If the predominant activity will involve physical entry, then the RTL should be someone with a solid understanding of this area, not a computer expert or someone that has no experience in that area.

A good red team is a thinking and adapting red team. It might be obvious to most, but if you’re not adapting to what I like to call the atmospherics around you, things can go very wrong, very fast. When creating your operational plan, it’s important to have a backup plan (which you should also dry run). We like to follow the PACE principle of planning. Having a primary, alternative, contingency and emergency plan based on the original OPORD is key. Just because your primary plan goes to shit doesn’t mean you can’t still be successful - but you have to plan for it to ensure success. Know when you’ve reached the point of no return or failure. Often I’ve seen red teams continue to hammer away even though their chance of success is nil. You have to be honest with yourself and your teammates when you’ve reached that point. Continuing to execute can bring further harm to your operation, team or the target itself. Lastly, understand what the point of no return is within each stage of your plan. This is vital in case you need to shift or adapt your tactics or go to plan B. Otherwise it may be too late and you’ll find yourself staring at failure.

ᛞ ᚾ

Knowing Your Adversary

Being able to understand your adversary in all facets is imperative to achieving your mission.  For the purpose of this post, adversary can be interchangeable with ‘target’.

The most important thing you can do when you are assessing your situation is to just stop and observe the atmospherics around you. By atmospherics, I mean the literal environment, the people, the actions and reactions of how they interplay together and the observable reactions of those. You can apply this concept to digital environments as well as physical; the concept is full spectrum.

The more you slip into observation mode, the less you are interacting with the environment around you. Think of the environment as a pond, the more you move, the more ripples you create. By creating ripples you are causing reactions and subsequent actions and thus again reactions. You don’t want to be creating this movement as you will be self-identifying yourself to the adversary based on your actions, reactions, and those of entities and the environment around you. When you are assessing your adversary, know that this could influence the field of play negatively.

Being able to understand how your adversary interacts with the environment and how it and other entities react to that interaction is vital. Try to approach the problem set with a systems-style framework like I’ve mentioned previously. Everything is a system of systems. There must be a reason why something is the way it is; behind a system there is a human or humans that have created the processes by which it operates. Processes are created to do an action; whether it’s to solve a problem(s) or create new one(s) - they have a set high-level goal.

Additionally, when attempting to understand your adversary, you may want to understand their reactionary timing and the strategies they employ when reacting to a potential threat action from an outside force. By testing these boundaries, you can start to enumerate the layers of their own awareness and defensive posture.

Two examples:

  1. From a physical standpoint, suppose you observe an entity approaching a secure door when they shouldn’t be, and a physical guard presence thwarts entry to the secure space. Timing how long it took, and noting the numbers of the responding force and how they responded - before, during, and after target interdiction - will be beneficial to know. Do they radio the all clear, do they remain in the area in case there are additional threats, or do they depart after the event is over?

  2. From a digital perspective, if you are performing active reconnaissance on the perimeter of your target: are they banning IP addresses (I hope you’re using burner IPs for this type of activity)? Does the firewall seem overly permissive (it could be a trap)? Are ports filtered? What type of server banners are returned if you do a simple curl / GET request?

Remember the ABCs - Always Be Collecting.

Once you’ve obtained enough information to start profiling your adversary you should start organizing the data you collected into structured statements and assumptions about the entity.

A few example questions to ask yourself:

  • What does the data say about your adversary?

    • What does it say about the environment, and how your adversary interacts with it? With yourself?

  • What does it not say? (What’s missing?)

    • Do you need to collect more information?

  • What assumptions can you make based on the data?

    • What assumptions are safe?

    • What assumptions are not safe; and how can you collect or what can you collect to increase the probabilities of the assumption being correct?

If you can attribute your adversary, knowing the historical tools, tactics, and procedures used by them, you can start to enter the analytical process of understanding the motivation that drives them to operate against you and the mindset they carry with them to further their purposes. Similar to studying counterterrorism: terrorists operate under the concept of acting based on a grievance. If you can understand what that grievance is, why it was formed and why they are operating in the way they are, this will help you understand the possibilities around either ending that grievance for the group or how to counteract the messaging around it.

Another Example:

Understanding why the farmer puts his vegetables for sale in the late morning, you’ll know that he harvests in the early morning. Knowing this, you can make a safe assumption that if the farmer works their own land, they most likely go to sleep earlier than not. This identifies loose hours of operation. If the farmer is your adversary and your goal is to steal farm equipment out of his barn, you may want to target the barn opposite of the field they are working, or target rest hours to perform this acquisition; or even target the farmer’s equipment while they are selling their goods at their vegetable stand in the late morning and not at their farm. A simplistic example, but it’s generally an easy one to relate to the concepts above.

ᛞ ᚾ

Getting Personal: The Meaning Behind the Adversarial Mindset

From my university days studying intelligence, counterterrorism and criminal law, to my nascent career in the defense/security industry, through the decades-long journey of becoming a veteran in the industry and watching it ‘grow up’ from being a specialized niche to being the hottest field to be in - I’ve watched the trends come and go. With pop culture elevating the industry around the concept of hacking, tradecraft and spy-craft, to professional services and consulting firms jumping on the bandwagon to sell the latest buzzwords, one of the biggest failures has been our industry falling into the trap of promoting ‘the cloud’, ‘ethical hacking’, and the limiting and mis-labeling of ‘red teaming.’

Uri and I have spoken about this tirelessly on the Red Team Podcast so I won’t dive into that here. We also talk about the mindset, why it’s important and how one utilizes it. Over the past year of recording, it’s clear that we are getting the message out; however, there are many out there that still constrain how they define red teaming or don’t really understand the mindset. I say this while fully acknowledging there’s no right way to interpret red teaming as it takes many forms; however, our goal has been to expand on the concept as we feel by the current labels and definitions provided for it, we as an industry have been constraining, diluting and misrepresenting it.

This led me to researching how to promulgate these concepts in different ways that are extremely meaningful to me, both in my personal and professional life. Where I come from is important to me for many reasons: cultural identity, pride, and history being the primary drivers. While researching my genealogy and familial history, I came across the Norse and Celtic heritage that is now represented in my personal take/branding of the Adversarial Mindset.

Working with an amazing illustrator, Sosh (@soshillustrations), I was able to find a partner that shares my passion for bringing concepts and theory to life through art. I came up with the idea of having a viking skull with ᛞ Dagaz and ᚾ Naudiz runes but had never been able to bring it to life until now.

Dagaz represents one's breakthrough or awakening through awareness. It symbolizes clarity, the power of change directed by your own will, growth and release, the balance point, and the place where opposites meet. Two ᚲ Kenaz runes (observation, clarity and improvement) join with two ᛁ Isa (focus, self-control) runes to form hyper-consciousness, Dagaz.

By recognizing and understanding self-limitations and having awareness of your surroundings...the atmospherics; embracing the concept of Dagaz, one is able to adapt and overcome the opposite of what is intended or the assumed; the conceptual adversary.

Naudiz represents innovation, self-reliance, and the power to overcome distress, confusion and conflict. The opposite of Naudiz, Merkstave, signifies the constraint of freedom, distress, deprivation, and need. Aim for Naudiz and don't be limited by the application of Merkstave by others, yourself, or the environment.

Through Naudiz and Dagaz, one is able to adapt the Adversarial Mindset to approach existence with an open mind that promotes questioning, and challenging assumptions, even your own.

The Skull and Runes design represents these concepts and serves as a reminder to seek and understand with an open mind, approaching everything through questioning while considering the worst outcomes so you can not just plan for but be ready for the worst-case scenario.

ᛞ ᚾ

Systems Thinking

When attempting to think like the adversary, applying a systems thinking framework to the effort is advantageous. A framework is designed to guide the brain in a systematic manner, whilst still providing the creative freedom to leverage quantitative and qualitative thinking.

I will stress that while there are more common knowledge frameworks out there (like the Starburst method I mentioned in ‘Episode 038 Intel Analysis’ of the Red Team Podcast), especially those that come from the intelligence analysis space, the key to an effective framework is adopting one that facilitates thinking instead of hindering it. Don’t adopt a framework just because you heard someone mention it or because you’ve read it somewhere. The most important deciding factor on what framework you’re going to apply stems from yourself.

Questions to ask yourself when structuring your thoughts:

  • How do you naturally think?

    • Do you focus on the details first or the larger thematic elements of a problem?

    • Do you usually see how elements are connected to each other or do you usually require digging in first?

    • Are you better in your head? Writing things down? Using a whiteboard or post-it notes?

  • How much effort are you willing to put in?

    • With any thought exercise, you are spending cycles. These cycles can mean precious days, hours or minutes being spent; either beneficially or wastefully. You need to know when good is good enough or when you’re just wasting time with your current line of thinking.

  • What outcome do you want?

    • What should the end result of the exercise be? Are there specific outputs?

    • What does success mean?

These are just some of the things you need to ask yourself and think about as you start to approach problem solving using a more systematic approach. Bottom line: use what works for YOU.