Red Team Operations: Presenting your findings
The importance of the Red Team presentation
At the end of the Red Team assessment, there are usually two main deliverables. The Red Team report provides a comprehensive description of the assessment, the identified vulnerabilities and recommendations for remediating them. The Red Team will also give a final out-briefing, which is designed to cover most of the same information.
Beyond providing the customer with the opportunity to ask questions and catering to auditory learners, the presentation is important because it addresses a different audience than the report. Most executives will not read the full Red Team report or have the background to understand it. While a good Red Team report includes an executive summary, there is no guarantee that the summary will be read, and it lacks much of the detail of the report.
Providing a good presentation to the executives is important, as they’re probably the ones who actually hired the Red Team. To improve realism, many assessments are blind. A good presentation can help the executives feel that they’ve gotten their money’s worth and improve the probability of repeat business.
Designing the slide deck
The Red Team presentation is designed to make the details of a Red Team assessment understandable to a non-technical audience. Important parts of this are building a narrative in the presentation and playing to the audience.
Build a narrative
Humans tend to do better when information is conveyed in the form of a story. The nature of a Red Team assessment lends itself well to this, since the audience benefits from understanding how the Red Team moved from no knowledge of the target to identification and exploitation of a discovered vulnerability. The presentation should start high-level, move into detailed findings and close out by providing actionable guidance.
Before diving into the details of the assessment, it’s useful to give the audience a high-level overview to set the stage. The audience may be going into the presentation with no knowledge of the outcome of the engagement and is probably hoping that the Red Team found no vulnerabilities. The presentation should start out with a high-level description of the number and types of vulnerabilities discovered, setting the stage for a more in-depth description of the findings.
The meat of the presentation is describing the vulnerabilities that the Red Team discovered in the course of the assessment. The customer hired the team to understand what is wrong with their current cybersecurity posture, and this section of the presentation answers those questions.
When presenting the Red Team’s findings, it is important to provide context in the form of attack chains. By describing how the Red Team moved through the assessment from zero-knowledge to vulnerability discovery, the customer understands the process and where their existing security controls, policies and procedures are not effectively protecting the organization against attack.
Close with actionable guidance
Finally, the Red Team should discuss how the organization can fix the problems identified during the assessment. Specific remediation steps can be explored during the discussion of the associated vulnerabilities; however, it is a good idea to provide a summary of recommendations at the end of the presentation. This both provides a call to action to the customer to fix the identified issues and focuses the question-and-answer section of the presentation on how the organization can grow and improve their security.
Know the audience
While the content of the presentation is important, it’s also important to present the information in a way that resonates with the audience. Since multiple stakeholders exist within the client organization (executives, technical staff and so on), it may be best to prepare a couple of presentations, each targeted to a specific group.
When presenting to executives, the presentation should not be overly technical. The main slides should explain vulnerabilities, attack chains and remediation steps at a high level without diving too deeply into technical details. However, it is a good idea to have backup slides containing these details if the audience wants to dive deeper into a particular topic.
When presenting, especially to executives, it’s also useful to provide both recommendations for action and descriptions of the risks of non-action. This helps the audience to make informed decisions regarding the cost and benefits of implementing fixes for the identified issues.
Setting the tone
When presenting to the customer, it’s important that the presentation is professional and sets the right tone. Most likely, the organization hired the Red Team with the expectation that they would find little or nothing that needed fixing. In reality, the Red Team is probably going to disappoint them.
It’s a good idea to include the good news with the bad when making your presentation. The Red Team has an obligation to inform the customer of any vulnerabilities discovered during the assessment. However, the news can be softened by also pointing out where the organization is doing well. In the presentation, giving kudos is the only time where it is appropriate to name names. If a certain employee or employee action was responsible for the Red Team’s success, they should remain anonymous.
The final presentation should also be performed in a professional manner. The audience is the customer and doesn’t want to hear about how easily the Red Team broke through their defenses. The presentation should be respectful and professional, with no bragging or name-calling.
Conclusion: The final briefing
Providing one or more out-briefings is a good way for the Red Team and the customer to have a real conversation about the assessment and its results. When preparing and giving the presentation, it is important that the Red Team provides the right information in the right way and leaves ample time for questions and discussion when they are done.