RED×BLUE

Threat Playbook

Adversary vectors paired with the defensive controls that close them. Read top-to-bottom — engagements are sorted by severity. Baseline controls below apply across the surface.

Severe

Moderate

Low

Baseline

Severe · Act Now

2 engagements

SEVERER-02↔B-02Portal account-takeover / fraudulent agency provisioningModerate confidence

Red · Adversary VectorR-02

Portal account-takeover / fraudulent agency provisioning

The ICE pattern (ev_037) confirms the portal supports cross-org federation. An adversary path of stolen-credential reuse, MFA-bypass on a partner agency, or pretext-driven provisioning is very likely operationally available because LE agencies vary widely in identity hygiene and Flock onboarding cannot uniformly verify each one. Confidence is moderate because portal authentication controls (MFA enforcement, IP allowlisting, anomaly detection) were not directly observable in recon evidence — the vector EXISTS conceptually; its exploitability depends on controls not surfaced.

Blue · Defensive ControlB-02

LE-portal MFA + per-agency IP allowlist + anomaly-detection

Enforce phishing-resistant MFA (FIDO2 / WebAuthn) on the law-enforcement portal; require per-agency IP allowlist or PIV-card binding where the partner agency supports it; instrument anomaly detection for unusual query volume, off-hours patterns, and cross-jurisdiction queries inconsistent with the requesting agency's mission. Pairs with R-02.

SEVERER-03↔B-03Bulk exfil of nationwide ALPR data post-credential compromiseModerate confidence

Red · Adversary VectorR-03

Bulk exfil of nationwide ALPR data post-credential compromise

AES256 at rest does not protect data accessed via legitimate credentials. Likely the most consequential surface in the threat model: a single compromised LE-portal credential, once authorized to a broad query scope, exfiltrates location-history at population scale. Confidence is moderate because API-level controls (rate-limit, audit, anomaly-detection) were not directly observable. Pairs with R-02; B-03 closes the data-access portion of the chain.

Blue · Defensive ControlB-03

API rate-limit + audit chain + tamper-evident log of every ALPR query

Bulk-exfil mitigation: per-credential and per-agency rate-limits on the query API; append-only audit chain logging every query with requesting agency, badge ID where possible, query parameters, and result counts; retention of the audit chain on a separate trust boundary so a portal-credential compromise cannot also erase the trail. Pairs with R-03 and supports R-02's detection layer.

Moderate · Plan Mitigation

4 engagements

MODERATER-01↔B-01Brand-spoof phishing enabled by p=quarantine + broad SPF chainHigh

RedR-01

Brand-spoof phishing enabled by `p=quarantine` + broad SPF chain

DMARC at p=quarantine instructs receivers to junk (not reject) unaligned mail — meaning spoofed messages still reach mailboxes and can be retrieved from spam folders by a curious recipient. The SPF chain includes spf.mandrillapp.com, _spf.reply.io, _spf.sendergen.com, mktomail.com, amazonses.com, spfsquash.flocksafety.com, and _spf.google.com — any compromise or misconfig anywhere in that chain widens the impersonation surface. Customer LE-agency staff are very likely high-value spear-phishing targets given Flock's law-enforcement portal access.

BlueB-01

Tighten DMARC to `p=reject`; align all third-party senders before the cutover

Move flocksafety.com DMARC from p=quarantine to p=reject after staged tightening (p=none → quarantine → reject) confirmed against the aggregate reports already going to mailauth-rua@flocksafety.com and dmarc_agg@vali.email. Pre-cutover: audit every SPF include and enforce DKIM signing on each. Closes the surface of R-01 and reduces the effectiveness of R-04 / R-07.

MODERATER-04↔B-04CEO impersonation via lookalike domain + display-name spoofHigh

RedR-04

CEO impersonation via lookalike domain + display-name spoof

Langley's profile is the natural pretext for high-urgency social engineering against Flock's internal staff and external counterparties. Very likely a vector given current DMARC posture; confidence is high because the requirements are minimal (lookalike domain + plausible message template). Pairs with B-04.

BlueB-04

Executive-impersonation defense — out-of-band confirmation + display-name banner + lookalike-domain monitoring

Mail-gateway rule: high-urgency requests purporting to come from CEO Langley or other executives trigger a banner and require out-of-band confirmation. Defensive registration of lookalike flocksafety variants (flock-safety, flocksafty, flokcsafety, etc.) + monitoring service for newly-registered look-alikes. Reduces R-04 effectiveness.

MODERATER-05↔B-05Missing HTTP security headers — MITM / session-hijack surfaceModerate

RedR-05

Missing HTTP security headers — MITM / session-hijack surface

The MDN F grade is not a single bug — it is structural absence of layered defensive HTTP headers. Likely exploitable in network-positioned attacker scenarios (compromised partner Wi-Fi, malicious CDN edge, MITM-on-path adversary). Confidence is moderate because exact failing-test identity was not extracted; remediation maps directly to standard secure-header recommendations.

BlueB-05

Remediate the four MDN Observatory failing tests + lock CSP / HSTS / Referrer-Policy / X-Content-Type-Options

The MDN Observatory grade can be moved from F to A- with deterministic header configuration. Pairs with R-05; remediation also signals technical maturity to LE-customer security reviewers comparing Flock to Axon (ent_016).

MODERATER-07↔B-07Indirect spoof via SPF-included third-party sendersModerate

RedR-07

Indirect spoof via SPF-included third-party senders

Each SPF include is a trust delegation. Likely material for sophisticated adversaries who can compromise a low-tier SaaS sender that flocksafety.com authorizes. Confidence is moderate because the supply-chain compromise requires capability against the upstream, not Flock directly. Pairs with B-07 (auditing and pruning includes) and B-04 (impersonation training).

BlueB-07

SPF-include audit + prune unused senders + enforce DKIM on every retained sender

Walk the SPF chain — _spf.google.com, _spf.sendergen.com, _spf.reply.io, spf.mandrillapp.com, mktomail.com, spfsquash.flocksafety.com, amazonses.com, plus the static ip4:192.254.121.248. Each include is a trust delegation; remove every sender no longer in active use, enforce DKIM signing on each that remains, and migrate from ~all to -all after confirming alignment. Closes R-07.

Low · Monitor

1 engagement

LOWR-06↔B-06Litigation/FOIA channel as adversary recon pathModerate

RedR-06

Litigation/FOIA channel as adversary recon path

Civil discovery and FOIA are not vulnerabilities in the cybersecurity sense, but they are evidence-grade channels through which detailed operational information leaks into the public record. Likely that Flock's competitor Axon (ent_016), advocacy orgs, and hostile state actors mine these channels for competitive and operational intelligence. Confidence is moderate; the mitigation is operational (sealed-proceedings strategy, outside-counsel OPSEC) rather than technical.

BlueB-06

Litigation OPSEC — outside-counsel privilege review of every Flock-named filing + sealed-proceedings strategy where allowed

Treat Smith / Drakos / future Reid-pattern dockets as adversary recon paths. Outside-counsel privilege review of every Flock-named filing pre-submission; aggressively pursue sealed-proceedings, redactions, and protective orders where the rules allow; coordinate FOIA-response posture across municipal customers so contract terms aren't asymmetrically released. Pairs with R-06.

Baseline · Surface-Wide

1 control

B-08Baseline

Continuous bug-bounty maturation (already live on HackerOne) + scope expansion

The active HackerOne program (DNS TXT confirms; ent_002) is already an asset. Maintenance work: expand scope to include the LE-portal API surface and any partner-facing federation endpoints; tier rewards to bring more capable researchers; publish a clear safe-harbor / vulnerability-disclosure policy. Baseline control orthogonal to the specific R-vectors above.