Red Team Operations: Providing recommendations
The importance of recommendations
The Red Team’s final report is the most valuable part of the entire exercise for the client. In many cases, a Red Team is secretly hired by an organization’s executives to test the effectiveness of their security team. If the assessment is performed correctly, the final briefing and report are the first and only direct contact between the Red Team and the customer’s internal security team.
The goal of the Red Team’s report is to provide a comprehensive narrative of the Red Team’s actions and experiences while testing the customer’s security. This includes describing what the Red Team tried and what didn’t work, as well as identified vulnerabilities that need to be closed to improve the customer’s security.
Some members of the customer’s organization will have the technical knowledge, time and interest or requirement to read and understand the full report. A description of the vulnerabilities discovered during the assessment may be enough for the organization to understand them and fix them effectively.
Recommendations from the Red Team can help if this isn’t the case. In most cases, the Red Team members are the ones who best understand the identified vulnerabilities and how they can be corrected. Providing a checklist of recommended actions can help less technically adept security teams fix the holes in their defenses.
A recommendations list is also useful to the team when discussing the assessment with management. Being able to point to a list of discovered vulnerabilities allows the security team to demonstrate that they’ve materially benefitted from the Red Team assessment and closed all discovered holes within the organization’s defenses.
Tips for recommendations
The recommendations section of a Red Team report is fairly straightforward. After identifying a vulnerability in a customer’s security, the Red Team recommends methods of correcting it. However, when writing recommendations, there are a few important things to keep in mind.
What needs fixing
The most important part of providing recommendations in a Red Team report is clearly explaining what the customer needs to do in order to fix the issues that were discovered during the assessment. Depending on the type of assessment, these issues can fall into two main categories.
All Red Team assessments will most likely discover security holes or vulnerabilities in the customer’s current cybersecurity posture. When providing recommendations for remediating these vulnerabilities, it is important to discuss the level of risk associated with them in terms of the severity of the vulnerability and the likelihood of it being exploited. By providing this information, the Red Team helps the customer to prioritize potential remediation efforts and fix the most dangerous issues as quickly as possible.
Some Red Team assessments are also targeted at helping an organization achieve or maintain compliance with relevant regulations or standards. As the data security regulation landscape expands, organizations are required to be compliant with more standards. Any compliance gaps identified during a Red Team assessment should be tied to the relevant compliance requirements, include remediation recommendations that would make the organization compliant, and have recommendations to the customer for demonstrating that the recommended actions are sufficient to achieve compliance.
Make it actionable
In general, recommendations for mitigating vulnerabilities discovered during a Red Team assessment are actionable. However, it is important that these recommendations provide sufficient information for even a non-technical person to actually fix the issue.
Some of this need originates from the fact that many organizations do not employ world-class security personnel (otherwise, they probably wouldn’t need the Red Team). However, clear recommendations are also useful when the security team needs to report to executives. In many cases, the C-level is more likely to act on external recommendations (e.g., from the Red Team) than to listen to internal staff. The response from the C-suite to a Red Team report may very likely be “do whatever they say,” so it’s important that recommendations cover the actions necessary to make the customer secure.
When providing recommendations in a Red Team report, it’s easy to say “you have vulnerability X, so apply patch Y.” However, there may be circumstances (policy, budgetary and so on) that make applying Y impossible. Under these circumstances, the customer needs the information necessary to make an informed alternative decision.
When describing vulnerabilities and providing recommendations, the Red Team should provide a narrative describing how the vulnerability was discovered and exploited. This description of the attack chain leading up to exploitation of a vulnerability allows the customer to identify other potential places where the attack could be detected or exploited.
The MITRE ATT&CK framework is a valuable tool when discussing vulnerabilities and their remediation with a customer. The ATT&CK tool describes how attackers perform different stages of the attack life cycle and how each method can be detected and/or remediated. Tying a vulnerability to the ATT&CK framework provides the customer with more information and lends support to specific vulnerability recommendations.
Too often, the focus of a Red Team assessment and report is on technical vulnerabilities and countermeasures. The Red Team discovers a web application vulnerability, exploits it to gain access and describes how to fix the problem in the report.
However, the customer may also be vulnerable to non-technical attacks like social engineering or have policies or procedures that impair their ability to appropriately respond to potential incidents. When providing recommendations in a final report, it is important not to overlook any vulnerability that an organization needs to fix, technical or not.
Conclusion: Setting the right tone
The recommendations section of the Red Team report may be the most difficult to write. At this point, the team is beyond describing all of the interesting ways that they broke into a system and are trying to provide advice for fixing the problem.
One of the most important aspects of the recommendations section of the report is to keep the tone professional. Unless an employee has been engaged in illegal actions, no-one should be named in the report in a negative way. The recommendations should be written in a way that is helpful and spares the feelings of the organization and its employees.
Finally, the Red Team should only be responsible for identifying vulnerabilities and providing recommendations for remediation. Actually fixing vulnerabilities is outside the scope of the Red Team’s assessment or duties. However, the Red Team should make an effort to be reasonably available and responsive to questions regarding the report after the conclusion of the assessment.
- Sample Findings and Recommendations Report, PEN Consultants
- 6 reasons to hire a red team to harden your app sec, TechBeacon
- Extracting yourself from the quagmire of a successful Red Team., NCC Group
- Red Team Use of MITRE ATT&CK, Medium