Red Team operations: Best practices
Introduction
The goal of a Red Team assessment is for the Red Team to find as many vulnerabilities as possible within the customer’s current security setup. In general, this is accomplished by a lot of lateral thinking, trying different types of attacks and considering how certain defenses can be bypassed. However, some best practices exist for ensuring that the Red Team and customer both have a good assessment experience.
What should you learn next?
Red Team best practices
Take time to plan
One of the most important things to do when performing a Red Team assessment is taking the time to plan out operations in advance. While the details of a particular engagement will depend on the customer’s environment, it’s important to think of potential plans of attack that the Red Team can try in advance. By planning out initial phases and assigning roles, the Red Team ensures that the customer receives a comprehensive test during the engagement.
This planning should be performed at least partially in concert with the members of the customer’s organization that are aware of the assessment. Discussing potential attack vectors with the customer can allow them to explicitly approve or reject particular types of attacks (such as social engineering or testing physical security).
Get it in writing
At the end of the planning stage of the assessment, it is important that the Red Team has a mutually signed document outlining the rules of engagement for the assessment. The Red Team should have discussed potential attack vectors with the customer and gotten the green light for any tactics that they plan to use.
A lack of mutual understanding of the rules of engagement can lead to misunderstandings like the arrest of two members of the Coalfire Red Team when performing a security assessment at an Iowa courthouse. The pair was arrested for attempted burglary. In this case, the Red Team and client had different understandings about when and how the team would be attempting to gain unauthorized physical access to the building.
Part of getting everything in writing is getting a “get out of jail free” card from someone within the customer’s organization who has the authority to issue one. This document should explain the situation and provide contact information for the person who signed it. In the case of the Coalfire assessment, the team had such a document, but the arresting officer decided that the state authority did not have the authority to authorize testing of a building that “belonged to Iowa taxpayers”.
Mix things up
An attacker can perform the same attack in a variety of different ways, using different tools and techniques to perform each stage of the operation. To keep a test realistic, the Red Team should do the same, mixing up each assessment rather than running through a checklist with the same tools and techniques every time.
A useful tool for designing a Red Team assessment is the MITRE ATT&CK matrix. This tool breaks up the different stages of a cybersecurity incident and describes different methods by which a hacker could accomplish each stage.
The ATT&CK matrix can be used in the planning stages of the assessment to ensure a good mix of attack vectors and also to support on-the-ground planning. If a certain technique doesn’t work for a particular goal, the Red Team should make a note and try another method of accomplishing it.
Choose tools carefully
When performing a Red Team assessment, most different tests can be performed in a variety of different ways with a variety of different tools. Choices between tools and techniques can be made based upon a variety of different factors, including familiarity and efficiency.
However, a few important considerations exist for Red Team tool choices. One is the impact on the customer’s network and systems. In some cases, an unstable system could be brought down or otherwise impacted by certain tools or tests. Whenever possible, the Red Team should use methods that limit this possibility.
Limiting the impact on target systems is also good for ensuring that the Red Team’s actions on the target system are stealthy. Many Red Team assessments are performed without the knowledge of the customer’s security team, so remaining invisible is useful for maintaining the realism of the assessment. Also, as Backtrack/Kali Linux puts it, "The quieter you become, the more you are able to hear."
Record everything
When performing a Red Team assessment, it is vital that the Red Team keeps as detailed of a record as possible throughout the exercise. This benefits both the customer and the members of the Red Team.
The customer benefits from a complete record since it helps them to understand the narrative of the assessment. The ability to describe the chain of events from the beginning of the assessment to exploitation of a vulnerability allows them to design and implement appropriate remediation. In addition, a timeline can help them to retroactively discover potential identifiers of compromise that could help with identifying the attack in the future.
A complete record of the assessment also helps the Red Team if anything goes wrong. If a client system has a problem or a real attack happens to occur during the assessment, a record of the actions taken by the Red Team can help prove that it was not their fault or caused by activities explicitly permitted by the rules of engagement.
Provide measurable value
The result of a Red Team assessment typically includes a list of discovered vulnerabilities and recommendations for correcting them. However, anything that the Red Team can do to provide measurable value to the customer helps them to feel that they got their money’s worth and improves the probability of repeat business.
While it is useful to provide information about discovered vulnerabilities and their associated risks and severity, it’s also a good idea for the Red Team to provide information on what doesn’t work. By demonstrating that the team tested and rejected potential high-severity or high-probability attacks, they make the customer feel like they received a comprehensive assessment and good value for their money.
Conclusion: Performing an assessment
Every Red Team assessment is unique and can require very different tools and tactics from the Red Team. However, following a few best practices can help ensure that the Red Team is ready to deal with whatever may happen in the course of the engagement and provide maximum value to the customer.
What should you learn next?
Sources
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Red Team operations: Best practices
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness