Situational Awareness
1 Global Definition
Situational Awareness in Red Teaming refers to the ability to collect, process, and interpret information about the target organization’s environment in order to make informed operational decisions. It is the foundation for planning, adapting, and executing offensive security operations effectively while minimizing the risk of exposure.
1.1 Key Concepts
- Operational Context: Understanding the organization’s business processes, security posture, and risk profile.
- Reconnaissance: Gathering intelligence from OSINT sources, technical scans, and human interactions.
- Threat Modeling: Identifying potential attack paths, critical assets, and weak points in defenses.
- Environment Mapping: Building a mental or digital map of the target’s systems, people, processes, and security layers.
- Decision Support: Using gathered intelligence to guide exploitation, persistence, and escalation strategies.
1.2 Attack Vectors / Techniques
- OSINT Gathering: Collecting data from social media, company websites, job postings, leaked databases, or domain registries.
- Network Reconnaissance: Mapping IP ranges, DNS records, and exposed services to identify entry points.
- Situational Mapping: Tracking security policies, patching cycles, and incident response behaviors to adapt strategies.
- Human Factor Analysis: Identifying employees, roles, and potential targets for social engineering.
- Operational Security (OPSEC) Monitoring: Adjusting actions based on detection likelihood and blue team responses.
1.3 Tools Commonly Used
- Maltego: For visual link analysis and OSINT data correlation.
- Recon-ng: A modular reconnaissance framework for automated data collection.
- SpiderFoot: Automated OSINT collection covering DNS, WHOIS, dark web, and social media sources.
- Nmap: For host discovery and service enumeration during network reconnaissance.
- Censys / Shodan: Search engines that expose internet-connected systems, useful for mapping the external attack surface.
- TheHarvester: For gathering emails, subdomains, and employee names.
1.4 Defense & Blue Team Awareness
- Conduct regular OSINT audits to identify exposed sensitive information.
- Limit publicly available technical and employee details (e.g., job postings revealing internal tech stack).
- Deploy deception technologies (honeypots, fake accounts) to confuse adversaries.
- Implement robust monitoring for reconnaissance behaviors (e.g., mass scanning, DNS lookups).
- Train employees against social engineering attempts by red teams or real attackers.
1.5 Why It Matters
Without situational awareness, Red Team operations are blind and risk early detection or failure. By building a complete picture of the target environment, attackers can move strategically and efficiently. For defenders, understanding how adversaries build situational awareness helps to anticipate attacks and close intelligence leaks before they can be exploited.