Red Team Operations: Providing recommendations
The importance of recommendations
The Red Team’s final report is the most valuable part of the entire exercise for the client. In many cases, a Red Team is secretly hired by an organization’s executives to test the effectiveness of their security team. If the assessment is performed correctly, the final briefing and report are the first and only direct contact between the Red Team and the customer’s internal security team.
The goal of the Red Team’s report is to provide a comprehensive narrative of the Red Team’s actions and experiences while testing the customer’s security. This includes describing what the Red Team tried and what didn’t work, as well as identified vulnerabilities that need to be closed to improve the customer’s security.
What should you learn next?
Some members of the customer’s organization will have the technical knowledge, time and interest or requirement to read and understand the full report. A description of the vulnerabilities discovered during the assessment may be enough for the organization to understand them and fix them effectively.
Recommendations from the Red Team can help if this isn't the case. In most cases, the Red Team members are the ones who best understand the identified vulnerabilities and how they can be corrected. Providing a checklist of recommended actions can help less technically adept security teams fix the holes in their defenses.
A recommendations list is also useful to the team when discussing the assessment with management. Being able to point to a list of discovered vulnerabilities allows the security team to demonstrate that they’ve materially benefitted from the Red Team assessment and closed all discovered holes within the organization’s defenses.
Tips for recommendations
The recommendations section of a Red Team report is fairly straightforward. After identifying a vulnerability in a customer’s security, the Red Team recommends methods of correcting it. However, when writing recommendations, there are a few important things to keep in mind.
What needs fixing
The most important part of providing recommendations in a Red Team report is clearly explaining what the customer needs to do in order to fix the issues that were discovered during the assessment. Depending on the type of assessment, these issues can fall into two main categories.
All Red Team assessments will most likely discover security holes or vulnerabilities in the customer’s current cybersecurity posture. When providing recommendations for remediating these vulnerabilities, it is important to discuss the level of risk associated with them in terms of the severity of the vulnerability and the likelihood of it being exploited. By providing this information, the Red Team helps the customer to prioritize potential remediation efforts and fix the most dangerous issues as quickly as possible.
Some Red Team assessments are also targeted at helping an organization achieve or maintain compliance with relevant regulations or standards. As the data security regulation landscape expands, organizations are required to be compliant with more standards. Any compliance gaps identified during a Red Team assessment should be tied to the relevant compliance requirements, include remediation recommendations that would make the organization compliant, and have recommendations to the customer for demonstrating that the recommended actions are sufficient to achieve compliance.
Make it actionable
In general, recommendations for mitigating vulnerabilities discovered during a Red Team assessment are actionable. However, it is important that these recommendations provide sufficient information for even a non-technical person to actually fix the issue.
Some of this need originates from the fact that many organizations do not employ world-class security personnel (otherwise, they probably wouldn’t need the Red Team). However, clear recommendations are also useful when the security team needs to report to executives. In many cases, the C-level is more likely to act on external recommendations (e.g., from the Red Team) than to listen to internal staff. The response from the C-suite to a Red Team report may very likely be “do whatever they say,” so it’s important that recommendations cover the actions necessary to make the customer secure.
Provide context
When providing recommendations in a Red Team report, it’s easy to say “you have vulnerability X, so apply patch Y.” However, there may be circumstances (policy, budgetary and so on) that make applying Y impossible. Under these circumstances, the customer needs the information necessary to make an informed alternative decision.
When describing vulnerabilities and providing recommendations, the Red Team should provide a narrative describing how the vulnerability was discovered and exploited. This description of the attack chain leading up to exploitation of a vulnerability allows the customer to identify other potential places where the attack could be detected or exploited.
The MITRE ATT&CK framework is a valuable tool when discussing vulnerabilities and their remediation with a customer. The ATT&CK tool describes how attackers perform different stages of the attack life cycle and how each method can be detected and/or remediated. Tying a vulnerability to the ATT&CK framework provides the customer with more information and lends support to specific vulnerability recommendations.
Beyond technical
Too often, the focus of a Red Team assessment and report is on technical vulnerabilities and countermeasures. The Red Team discovers a web application vulnerability, exploits it to gain access and describes how to fix the problem in the report.
However, the customer may also be vulnerable to non-technical attacks like social engineering or have policies or procedures that impair their ability to appropriately respond to potential incidents. When providing recommendations in a final report, it is important not to overlook any vulnerability that an organization needs to fix, technical or not.
Conclusion: Setting the right tone
The recommendations section of the Red Team report may be the most difficult to write. At this point, the team is beyond describing all of the interesting ways that they broke into a system and are trying to provide advice for fixing the problem.
One of the most important aspects of the recommendations section of the report is to keep the tone professional. Unless an employee has been engaged in illegal actions, no-one should be named in the report in a negative way. The recommendations should be written in a way that is helpful and spares the feelings of the organization and its employees.
Finally, the Red Team should only be responsible for identifying vulnerabilities and providing recommendations for remediation. Actually fixing vulnerabilities is outside the scope of the Red Team’s assessment or duties. However, the Red Team should make an effort to be reasonably available and responsive to questions regarding the report after the conclusion of the assessment.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
Sources
- Sample Findings and Recommendations Report, PEN Consultants
- 6 reasons to hire a red team to harden your app sec, TechBeacon
- Extracting yourself from the quagmire of a successful Red Team., NCC Group
- Red Team Use of MITRE ATT&CK, Medium
In this Series
- Red Team Operations: Providing recommendations
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness