Red Team Operations: Report structure and content
What to report
The first stage in building a Red Team report is knowing what to put in the report. Three of the most important things to discuss in the report are identified vulnerabilities, actions taken and any identified compliance gaps.
FREE role-guided training plans
Identified vulnerabilities
Vulnerabilities identified during the Red Team engagement are the most important details to report. Hopefully, the reason that the client hired the Red Team was to learn about the potential vulnerabilities in their network and how to exploit them, and not just to check a box for compliance.
When reporting vulnerabilities, it is important to provide as much detail as possible to the client. Information that should be collected for reporting includes:
- The details of the vulnerability
- The severity of the vulnerability
- How the vulnerability was discovered
- How the vulnerability can be exploited
This information provides the customer with the information that they need to replicate the issue and also to properly prioritize remediation actions.
Actions taken
During a Red Team assessment, it is critical to record all actions taken during the engagement. This includes both digital actions (scanning, exploitation and so on) and attempts to identify and exploit physical vulnerabilities.
The log of actions taken during the assessment should be used to build a timeline of the events performed during the engagement. This timeline is useful to both the client and the Red Team.
The customer benefits from a timeline of actions taken because it is helpful in understanding the narrative of the exercise (i.e., how the Red Team went from no access to identifying and exploiting vulnerabilities) and to help explain any events that may have occurred on the network. Knowledge of the attack timeline can allow the organization’s security team to look back and identify alerts or other events that could have indicated that the organization was under attack.
An attack timeline and comprehensive records can also help to protect the Red Team if something goes wrong. If one of the customer’s systems goes down or something else happens, it is important that the Red Team be able to prove that it wasn’t their fault or caused by “allowable” actions under the terms of the engagement. It is entirely possible that the customer’s network could be undergoing a real attack during an assessment, and they need to be able to differentiate the real attack from the exercise.
Compliance gaps
Many Red Team assessments are performed with the goal of demonstrating compliance with security regulations or standards. While the Red Team assessment shouldn’t be limited to working through a checklist of compliance requirements, it’s valuable to the customer if any vulnerabilities that would render them noncompliant with applicable regulations are clearly indicated.
Report structure
The report is the most visible and lasting connection between the Red Team and the client organization. Since most Red Team assessments are performed without the knowledge of the organization’s security team, the written report and outbrief are the main contact between the Red Team and internal security team. As a result, it’s important that the report contains all of the information that the security team needs to know regarding the assessment.
Executive summary
In many cases, Red Teams are hired by executives to test their organization’s security, and the executives will certainly be footing the bill for the assessment. However, these parties are probably not going to read the entire Red Team report. The executive summary should provide a high-level description of the results of the assessment and provide the executives with some takeaways that they can use in future reports to their stakeholders.
An executive summary should be succinct and contain the following information:
- A high-level narrative of the assessment
- Types and severities of vulnerabilities found
- Recommendations for fixing any identified problems
Most executives are not technical and don’t want to hear all of the gory details of the engagement. The executive summary should be relatively short and answer one question: “What can I do about it?”
Report body
The goal of the report body is to provide the customer with a full understanding of the Red Team operations. At a minimum, this section should describe the assessment methodology and goals, the attack narrative and findings, and recommendations and mitigations. The contents of this section should provide adequate detail to the customer, enabling them to understand the narrative and discovered vulnerabilities without drowning in detail.
Methodology and goals
Describing the assessment methodology and goals is useful for demonstrating that the Red Team performed the assessment that the client desired. The goals of the exercise should have been negotiated before the assessment starts, and the Red Team and client should agree on what are considered acceptable types of attacks. For example, social engineering is sometimes out of the scope of the assessment. Reiterating this information in the beginning of the report ensures that the reader understands the why and the how of the assessment.
Attack narrative and findings
The attack narrative and findings describe the process by which the Red Team identified each vulnerability discovered in the target network. This section is often divided based on the vulnerability discovered.
Providing a narrative that describes how each vulnerability was discovered is useful to the customer for a couple of reasons. First, it helps with understanding how the Red Team found the vulnerability, which is useful for retroactively identifying potential indicators of compromise and for understanding the methodology used.
An attack narrative is also useful when the customer is working to fix the vulnerabilities discovered. In some cases, it may be impossible to perform the “best” mitigation for a potential vulnerability, and the customer may need to disrupt the attack somewhere upstream.
Recommendations and mitigations
Finally, the Red Team should provide recommendations for potential mitigations for each of the discovered vulnerabilities. The nature of these recommendations will vary according to the discovered vulnerability (e.g., ranging from applying a patch to deploying PKI).
While the Red Team should provide recommendations for mitigations, actually performing the fixes is outside the scope of the Red Teams duties. The Red Team should provide the customer with the necessary detail and/or sample code to test any discovered vulnerabilities.
Appendices and attachments
The appendices and attachments section of the Red Team report are where the Red Team should include all of the details of the assessment. This likely will include the following:
- Log files: If the Red Team covered their tracks, they should provide the security team with unadulterated log files
- List of tools runs: The Red Team should tell the customer all actions taken on their network (with timestamps)
- Tool outputs: The results of running different tests, whether or not vulnerabilities were discovered
- Exploit code: Proof of concept code for testing patches for discovered vulnerabilities
- Signed documentation: Copies of any signed agreements between the Red Team and the customer
Conclusion: Writing the report
Reporting isn’t the most entertaining component of a Red Team assessment. However, it is the most valuable stage for the customer. Putting in the effort to create a useful and valuable report is often what makes the difference between being a one-time hire and being invited back for multiple assessments.
FREE role-guided training plans
Sources
- 4 Things Every Penetration Test Report Should Have, Rhino Security Labs
- Sample Penetration Testing Report, Offensive Security
- Guide to Red Team Operations, Hacking Articles
- Deliverables, RedTeam Security
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Red Team Operations: Report structure and content
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness