Using Red Team Tactics to Secure Your Virtual and Physical Perimeter - ITS Tactical



Using Red Team Tactics to Secure Your Virtual and Physical Perimeter

By U. Fridman

The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
— Sun Tzu

Defined loosely, a Red Team is a group of experts engaged in the practice of viewing a problem from an adversary’s perspective. This adversary can be an enemy trying to infiltrate the perimeter, a competitor trying to get the latest marketing documents or a robber trying to break into a house.

The goal of most Red Teams is to enhance decision making, either by finding and pointing to the weak links in a security system or by simply acting as a devil’s advocate.

Red Team

Red Teams are used frequently in the world of computer security. A group of penetration testers will assess the security of an organization, which is often unaware of the existence of the team or their exact assignment. Red teams can test the security of computer systems and networks, as well as the physical security.

The same idea can be applied by you to help identify and protect your network, computer and property.

With a little thinking outside the box you can perform a Red Team assessment on your assets: put yourself in the attacker’s shoes. If you were to penetrate your perimeter, knowing what you know about it (since you put all the defence mechanism in place), how would you do it? If you can find a hole so can an attacker.

Identify Targets with CARVER

One of the methods you can use to start identifying security issues is the CARVER Matrix.

CARVER is an acronym that stands for Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability. It’s a system used to assess targets and decide which one needs to be secured first. Here is what each component means in terms of computer security:

Criticality: The target value. How vital is this to the overall organisation? A target is critical when its compromise or destruction has a highly significant impact on the overall organisation.
Accessibility: How easily can I reach the target? What are the defences? Do I need an insider? Is the target computer accessible via a network?
Recuperability: How long will it take for the organisation to replace, repair, or bypass the destruction or damage caused to the target? Once the compromise is found, how long will it take for the system to recover from the breach?
Vulnerability: What degree of knowledge is needed to exploit the target? Can I use known exploits, or would I have to invest in new, possibly zero-day exploits?
Effect: What is the impact of the attack on the organisation? Similar to the first point (Criticality), this point should also analyse possible reactions from the organisation.
Recognizability: Can I identify the target as such? How easy is it to recognise that a specific system, network, or device is the target and not a security countermeasure?

Using the Matrix

The CARVER Matrix maps all of this into an easy-to-quantify table or grid, where the high-risk targets are easily spotted. How do we use the CARVER Matrix? Write down the targets in a table. The top of the table lists the components of CARVER. Each target has its own row, with each component ranked from one to five, and the row is summed into a total. Five is the highest priority or, in our case, the highest value.

Target              C  A  R  V  E  R  Total
SQL Server          3  2  4  2  5  5   21
Mail Server         5  5  2  3  3  5   23
CEO’s workstation   5  1  2  5  5  1   19

This example shows that in our fictitious network the highest-priority target is the mail server (total score 23). Why? Let’s look at the components.

Criticality: In this organisation the mail server is vital to daily work. It scores a five.
Accessibility: The mail server is easily accessible from the Internet. There are some defences, but they’re trivial. It earns a five.
Recuperability: The organisation’s IT personnel know that the mail server might be vulnerable. They make a backup every day, so in the event of something going wrong there will be some downtime and some messages might be lost, but the backup will be up and running soon. The score then is a two.
Vulnerability: The attacker doesn’t have to be an expert or have a high degree of knowledge to attack the mail server. However, some degree of knowledge and proficiency is required (a script kiddie could not do this). It gets a three.
Effect: We know that mail is critical, but what will happen when it is compromised? The organisation will be down for some time, and that’s bad. However, since a backup is in place, no one will panic. The score is three.
Recognizability: It is trivial to recognise a mail server as such, so it gets a five.

Beyond the fact that the mail server’s score is 23, the matrix shows that since it’s a critical part of the organisation (C = 5) and the knowledge required to penetrate this server is medium-to-low (V = 3), this resource should be secured first.

Using CARVER can be a bit cumbersome in the beginning, but, once you start using it, the matrix becomes easier and you will begin to see a system’s weak points almost immediately.
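The scoring above is simple enough to automate, and doing so catches the two mistakes that creep into hand-built matrices: a component outside the 1–5 range and a row total that does not match its components. The following is an added example, not code from the original article: it encodes the article’s three fictitious targets, enforces the 1–5 range, ranks rows by total (breaking ties on Criticality and then Vulnerability, following the article’s "C = 5, V moderate, secure first" reasoning), and checks a hand-tallied column of totals against the computed ones. The one deliberately wrong claimed total is constructed here to show the check firing.

```python
from dataclasses import dataclass

# Added example for the CARVER matrix described in the article (not the
# article's own code).  Component order follows the acronym.
COMPONENTS = ("criticality", "accessibility", "recuperability",
              "vulnerability", "effect", "recognizability")


@dataclass(frozen=True)
class Target:
    name: str
    criticality: int
    accessibility: int
    recuperability: int
    vulnerability: int
    effect: int
    recognizability: int

    def __post_init__(self):
        # Every component is ranked 1..5; anything else is a data-entry error,
        # so refuse to build the row rather than silently skew the total.
        for c in COMPONENTS:
            v = getattr(self, c)
            if not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{self.name}: {c}={v!r} must be an int in 1..5")

    def total(self) -> int:
        return sum(getattr(self, c) for c in COMPONENTS)


def rank(targets):
    """Highest total first.  Ties go to the more critical target, then to the
    one needing less attacker skill (higher V), mirroring the article's
    'secure the critical, easily exploited system first' argument."""
    return sorted(targets,
                  key=lambda t: (t.total(), t.criticality, t.vulnerability),
                  reverse=True)


def check_claimed_totals(targets, claimed):
    """Compare hand-tallied totals (name -> int) with computed ones.
    Returns {name: (claimed, actual)} for every row that does not add up."""
    return {t.name: (claimed[t.name], t.total())
            for t in targets if claimed[t.name] != t.total()}


def render(targets):
    """Plain-text matrix in the article's layout: one row per target,
    C A R V E R columns, then the total, best target first."""
    header = f"{'Target':<18}" + "".join(f"{c[0].upper():>3}" for c in COMPONENTS) + f"{'Total':>7}"
    rows = [f"{t.name:<18}" + "".join(f"{getattr(t, c):>3}" for c in COMPONENTS)
            + f"{t.total():>7}" for t in rank(targets)]
    return "\n".join([header, *rows])


# The article's fictitious network (constructed sample input).
TARGETS = [
    Target("SQL Server", 3, 2, 4, 2, 5, 5),
    Target("Mail Server", 5, 5, 2, 3, 3, 5),
    Target("CEO's workstation", 5, 1, 2, 5, 5, 1),
]

# Totals as someone might copy them into a report by hand; the last one is a
# constructed transcription error (the correct sum is 19).
HAND_TALLIED = {"SQL Server": 21, "Mail Server": 23, "CEO's workstation": 11}

if __name__ == "__main__":
    print(render(TARGETS))
    print("rows that do not add up:", check_claimed_totals(TARGETS, HAND_TALLIED))
```

The ranking still puts the mail server first (23), then the SQL server (21), then the CEO’s workstation (19). The tiebreak key is a judgement call, not part of CARVER itself; if your organisation weighs Recuperability or Effect more heavily, change the key, but write the choice down so the matrix stays reproducible.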


In addition to utilizing the CARVER Matrix, there are other points that you need to take into account when trying to defend your virtual (and physical) perimeter.

Control Your Environment

Controlling the environment is one of the most important aspects in physical security. It should be the same in cyber-security. Be aware of your surroundings, and make the environment work for you. Where is each computer, and where is the information stored in them? What are the connection channels between the machines? How is external data able to flow? Know the DMZs, firewalls and routers, external networks and failure points, points of connection to the Internet, ISPs and backups (internal and off-site).

By knowing your environment intimately and by performing assessment and penetration testing often, you can react to changes in the environment – however subtle they might be – and spot the potential or actual threats quickly. By knowing your environment and placing protection and defensive measures you make it harder for the attackers to operate in your environment.

Change Your Habits

Habits play against you. An attacker can build and plan an attack around them. If you are using a specific personal firewall or version of software, try changing it with the next install. If your IP addresses follow a pattern that separates Internet-facing servers from those kept off the Internet, or are assigned in a way that hints to an attacker which computers might hold sensitive data, change it. Change the patterns. Change the way you connect servers and other network elements.

Remember, no person acts truly at random, and no person has truly infinite resources at their disposal. If you record, track, and group information on your possible adversaries you can develop profiles. With these profiles, you can draw inferences, and with those inferences, you can be more adaptive and effectively secure your perimeter. This is called “intelligence-driven response.” (1)

Editor-in-Chief’s Note: Please join us in welcoming U. Fridman as a contributor on ITS Tactical. He’s currently a senior information security consultant who specializes in detection of information security threats and response to security incidents. His background includes extensive experience in red team activities and management, information warfare, counter cyber-terrorism, industrial espionage, forensics analysis and other security services.

(1) Source: Attacking the Kill Chain



  • brendan murphy

    Excellent article Mr. Fridman! It’s great to have a way to mentally and practically approach security. Honestly I’ve never really thought of a matrix system to analyze security risks. While I do think about priority and response – this immediately strikes me as a much more effective and accurate way to gauge security risks. Thanks!

    • U. Fridman

      Thank you Brendan. The CARVER matrix can be applied to pretty much any decision making, from ranking potential targets all the way to business decisions.

      Here’s a little table that would help you understand the ranking system:

    • brendan murphy

      Awesome- thanks again!
      And thanks to the rest of the CREW for getting such great contributors! Cheers!

  • Great article on the CARVER concept and red teams.

  • Remember you can use the CARVER concept for route surveys to determine your “best” and “worst” routes.

    Great article and welcome to ITS!

  • Very nice article. Thank you for taking the time out of your day to inform us users on the CARVER matrix.

    But I would like to point out the incorrect math in your target chart.

    *Attention to detail*

  • Eric

    Excellent article and welcome to ITS.

  • StealthNinja

    Well, if you’re a CIA Red Team Commander or an NSA Red Team Commander in Intelligence Analysis or Counter Intelligence Analysis, then you better have some infiltration tools, such as lock picks, heavy-duty 50 lb. ers bolt cutters, multimeter, soldering kit, mxz folding pocket saw and some other hardware with a pair of Mechanix Covert gloves, and a balaclava and a CIA DEF CON / Ninja Strike Force / Cypher Punks gear and a slim jim and an ir cracking micro hacking kit and lots of software and some Sig Pro pistols or a B&T MP9 or H&K MP7 with “Silencers” ready to do some “wet work” if you are doing some penetration testing live as a Black Ops Secret Agent in the shadows of The looking glass war!
    Tchao with respect-
    The Stealth Ninja.

  • MrEthiopian

    CARVER – is a great starting point, but just like your example that a mail server is somehow more critical than a SQL server, the usage of CARVER is suggestive and can be inherently incorrect if not used with another matrix of qualifications.

    If I was so inclined and wanted access to data that I could use to make money with, I would never go after a mail server; it’s stupid, who stores critical data on a mail server? Granted you might find some NPI from blockheads openly conversing with other idiots.

    The SQL in a DMZ will likely have an AD subset that can then be used to gain access to the core. Once in the core I would go after the data on other SQL servers; I’m talking PCI, HIPAA, CFR 11 data that includes an abundance of guaranteed money-making information. I will tell you from a plethora of professional experience, many organizations have no idea how to properly protect themselves. I could go on and on and delve much deeper into this subject and tell you many life stories about such escapades, but professional ethics and signed contracts keep me from truly opening up.

    Great site btw, incredible amount of usable data, keep up the great work.

