Red Team Operations: Reporting for compliance
The growing compliance landscape
In recent years, the number of standards and regulations that organizations have to demonstrate compliance with has exploded. Previously, organizations have mainly needed to comply with industry-focused regulations (HIPAA, SOX and so on) or ones designed to protect certain types of sensitive information (like PCI-DSS and payment card information).
Recently, governments have been passing data privacy regulations and forcing organizations to take notice. The EU’s General Data Protection Regulation (GDPR) is an example of this. Under GDPR, any organization that is storing personally identifiable information (PII) of European citizens must be operating under a data protection policy functionally equivalent to GDPR, either at the company or national level. The scope of the GDPR and the much wider definition of what is considered protected PII caused a bit of a panic as organizations around the world tried to bring their policies into compliance.
What should you learn next?
The GDPR is far from the only privacy regulation in place. The California Consumer Privacy Act (CCPA) is one of the more famous regulations, but many other U.S. states have been passing individual laws in the absence of a national regulation. As a result, organizations may be required to demonstrate compliance with a large number of different regulations.
Designing the pentest
One commonality between many of these regulations is a requirement for organizations to perform regular testing to ensure that their current protections are adequate for protecting the customer data entrusted to them. While many of the requirements are for a penetration test, a Red Team assessment can provide a more accurate measure of an organization’s ability to adequately protect sensitive data.
As a result, a Red Team may be called upon to perform an assessment that is geared toward demonstrating an organization’s compliance with the regulation or identifying gaps that would need to be corrected before the organization needs to take a compliance audit.
A penetration test for compliance is performed slightly differently from a general Red Team exercise. The Red Team needs to balance the need to address key points with the need to not be restricted to a checklist.
Addressing key points
When performing a Red Team assessment for compliance, the Red Team must be familiar with the regulations that the organization needs to be tested against. The customer should be familiar with any appropriate regulations, and the Red Team and customer should agree on the target(s) of the assessment.
In many cases, performing a Red Team assessment for compliance with a regulation requires a deep knowledge of the applicable regulation. In some cases, regulations are phrased in general terms, but auditors will be looking for specific security controls designed to achieve these goals. For example, “appropriate protection of data at rest” points to the need of encrypting data at rest, monitoring access to sensitive data and properly managing encryption keys.
When testing against a particular regulation, the Red Team should determine the security controls that an organization should have put in place and design tests that can determine if the security controls are successful. This could result in a very focused assessment where the Red Team mainly tries to break relevant security controls.
Beyond the checklist
However, Red Team assessments should not become an exercise where the Red Team runs through a checklist similar to the compliance audit procedures. In many cases, testing for compliance becomes an exercise where the Red Team “checks the box” rather than actually testing for security.
When designing the Red Team engagement and negotiating with the client, it is much better to agree on a Red Team assessment with a mapping to relevant regulations and standards than sticking to testing against a particular regulation. This gives the Red Team more latitude to operate and results in a better product for the customer.
Reporting for compliance
In general, a Red Team report for a compliance-focused Red Team assessment has very few differences from one for a more general report. The main differences between the different reports are the focus on tying discoveries to the need to implement certain security controls for compliance and the pressure on the organization to implement necessary mitigations.
Tie vulnerabilities to compliance
Describing discovered vulnerabilities is a core component of a Red Team report. In general, these are primarily organized by the severity of the issue and maybe location.
With a compliance-focused assessment, the Red Team should tie identified vulnerabilities directly to the requirements described in the relevant regulation or standard. This helps the customer prioritize the actions necessary for achieving compliance and provides them with an overall impression of their current level of compliance with a given regulation.
Provide actionable recommendations
The goal of a compliance-focused Red Team assessment is for the customer to be able to achieve compliance before it is necessary for the organization to undergo a compliance audit. If the customer waited until the last minute to perform the assessment, they may have days or weeks to implement any necessary security controls.
By providing clear recommendations on how the customer can modify their current cybersecurity posture to meet regulations, the Red Team helps the organization to become compliant as quickly as possible.
Include PoC code for testing
Providing the data or code necessary for testing patches is a common practice in Red Team reports. This allows the customer to replicate the vulnerability and helps with the development and testing of possible solutions to the problem.
When testing for compliance, the customer likely has a shorter timeline for fixing issues than with a traditional assessment. The more information that a Red Team can provide regarding how to exploit an identified vulnerability, the easier it will be for the organization to deploy an effective solution to the problem.
Conclusion: Red Team for compliance
Many regulations and standards call for regular penetration testing to ensure compliance, and a Red Team assessment is even better. When performing a Red Team assessment for compliance, it is important to keep the specific requirements of the regulation in mind throughout the assessment and ensure that the assessment doesn’t compromise security for the sake of checking the box.
FREE role-guided training plans
Sources
- Article 32, EU GDPR, PrivazyPlan
- Information Supplement: Penetration Testing Guidance, PCI Security Standards Council
- A red teaming approach to PCI-DSS, Nettitude
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- Red Team Operations: Reporting for compliance
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness