Red Team Operations: Presenting your findings
The importance of the Red Team presentation
At the end of the Red Team assessment, there are usually two main deliverables. The Red Team report provides a report providing a comprehensive description of the assessment, identified vulnerabilities and recommendations for remediating them. The Red Team will also have a final out-briefing which is designed to cover most of the same information.
Beyond providing the customer with the opportunity to ask questions and catering to auditory learners, the presentation is important because it addresses a different audience than the report. Most executives will not read the full Red Team report or have the background to understand it. While a good Red Team report includes an executive summary, there is no guarantee that the summary will be read, and it lacks much of the detail of the report.
What should you learn next?
Providing a good presentation to the executives is important, as they’re probably the ones who actually hired the Red Team. To improve realism, many assessments are blind. A good presentation can help the executives feel that they’ve gotten their money’s worth and improve the probability of repeat business.
Designing the slide deck
The Red Team presentation is designed to make the details of a Red Team assessment understandable to a non-technical audience. Important parts of this are building a narrative in the presentation and playing to the audience.
Build a narrative
Humans tend to do better when information is conveyed in the form of a story. The nature of a Red Team assessment lends itself well to this, since the audience benefits from understanding how the Red Team moved from no knowledge of the target to identification and exploitation of a discovered vulnerability. The presentation should start high-level, move into detailed findings and close out by providing actionable guidance.
Start high-level
Before diving into the details of the assessment, it’s useful to give the audience a high-level overview to set the stage. The audience may be going into the presentation with no knowledge of the outcome of the engagement and is probably hoping that the Red Team found no vulnerabilities. The presentation should start out with a high-level description of the number and types of vulnerabilities discovered, setting the stage for a more in-depth description of the findings.
Discuss findings
The meat of the presentation is describing the vulnerabilities that the Red Team discovered in the course of the assessment. The customer hired the team to understand what is wrong with their current cybersecurity posture, and this section of the presentation answers those questions.
When presenting the Red Team’s findings, it is important to provide context in the form of attack chains. By describing how the Red Team moved through the assessment from zero-knowledge to vulnerability discovery, the customer understands the process and where their existing security controls, policies and procedures are not effectively protecting the organization against attack.
Close with actionable guidance
Finally, the Red Team should discuss how the organization can fix the problems identified during the assessment. Specific remediation steps can be explored during the discussion of the associated vulnerabilities; however, it is a good idea to provide a summary of recommendations at the end of the presentation. This both provides a call to action to the customer to fix the identified issues and focuses the question-and-answer section of the presentation on how the organization can grow and improve their security.
Know the audience
While the content of the presentation is important, it’s also important to present the information in a way that resonates with the audience. Since multiple stakeholders exist within the client organization (executives, technical staff and so on), it may be best to have a couple of presentations designed to be targeted to specific groups.
When presenting to executives, the presentation should not be overly technical. The main slides should explain vulnerabilities, attack chains and remediation steps at a high level without diving too deeply into technical details. However, it is a good idea to have backup slides containing these details if the audience wants to dive deeper into a particular topic.
When presenting, especially to executives, it’s also useful to provide both recommendations for action and descriptions of the risks of non-action. This helps the audience to make informed decisions regarding the cost and benefits of implementing fixes for the identified issues.
Setting the tone
When presenting to the customer, it’s important that the presentation is professional and sets the right tone. Most likely, the organization hired the Red Team with the expectation that they would find little or nothing that needed fixing. In reality, the Red Team is probably going to disappoint them.
It’s a good idea to include the good news with the bad when making your presentation. The Red Team has an obligation to inform the customer of any vulnerabilities discovered during the assessment. However, the news can be softened by pointing out where the organization is doing well as well. In the presentation, giving kudos is the only time where it is appropriate to name names. If a certain employee or employee action was responsible for the Red Team’s success, they should remain anonymous.
The final presentation should also be performed in a professional manner. The audience is the customer and doesn’t want to hear about how easily the Red Team broke through their defenses. The presentation should be respectful and professional, with no bragging or name-calling.
Conclusion: The final briefing
Providing one or more out-briefings is a good way for the Red Team and the customer to have a real conversation about the assessment and its results. When preparing and giving the presentation, it is important that the Red Team provides the right information in the right way and leaves ample time for questions and discussion when they are done.
FREE role-guided training plans
Sources
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Red Team Operations: Presenting your findings
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness