Red Team best practices

Take time to plan

One of the most important things to do when performing a Red Team assessment is taking the time to plan out operations in advance. While the details of a particular engagement will depend on the customer’s environment, it’s important to think of potential plans of attack that the Red Team can try in advance. By planning out initial phases and assigning roles, the Red Team ensures that the customer receives a comprehensive test during the engagement. This planning should be performed at least partially in concert with the members of the customer’s organization that are aware of the assessment. Discussing potential attack vectors with the customer can allow them to explicitly approve or reject particular types of attacks (such as social engineering or testing physical security).

Get it in writing

At the end of the planning stage of the assessment, it is important that the Red Team has a mutually signed document outlining the rules of engagement for the assessment. The Red Team should have discussed potential attack vectors with the customer and gotten the green light for any tactics that they plan to use. A lack of mutual understanding of the rules of engagement can lead to misunderstandings like the arrest of two members of the Coalfire Red Team when performing a security assessment at an Iowa courthouse. The pair was arrested for attempted burglary. In this case, the Red Team and client had different understandings about when and how the team would be attempting to gain unauthorized physical access to the building. Part of getting everything in writing is getting a “get out of jail free” card from someone within the customer’s organization who has the authority to issue one. This document should explain the situation and provide contact information for the person who signed it. In the case of the Coalfire assessment, the team had such a document, but the arresting officer decided that the state authority did not have the authority to authorize testing of a building that “belonged to Iowa taxpayers”.

Mix things up

An attacker can perform the same attack in a variety of different ways, using different tools and techniques to perform each stage of the operation. To keep a test realistic, the Red Team should do the same, mixing up each assessment rather than running through a checklist with the same tools and techniques every time. A useful tool for designing a Red Team assessment is the MITRE ATT&CK matrix. This tool breaks up the different stages of a cybersecurity incident and describes different methods by which a hacker could accomplish each stage. The ATT&CK matrix can be used in the planning stages of the assessment to ensure a good mix of attack vectors and also to support on-the-ground planning. If a certain technique doesn’t work for a particular goal, the Red Team should make a note and try another method of accomplishing it.

Choose tools carefully

When performing a Red Team assessment, most different tests can be performed in a variety of different ways with a variety of different tools. Choices between tools and techniques can be made based upon a variety of different factors, including familiarity and efficiency. However, a few important considerations exist for Red Team tool choices. One is the impact on the customer’s network and systems. In some cases, an unstable system could be brought down or otherwise impacted by certain tools or tests. Whenever possible, the Red Team should use methods that limit this possibility. Limiting the impact on target systems is also good for ensuring that the Red Team’s actions on the target system are stealthy. Many Red Team assessments are performed without the knowledge of the customer’s security team, so remaining invisible is useful for maintaining the realism of the assessment. Also, as Backtrack/Kali Linux puts it, “The quieter you become, the more you are able to hear.”

Record everything

When performing a Red Team assessment, it is vital that the Red Team keeps as detailed of a record as possible throughout the exercise. This benefits both the customer and the members of the Red Team. The customer benefits from a complete record since it helps them to understand the narrative of the assessment. The ability to describe the chain of events from the beginning of the assessment to exploitation of a vulnerability allows them to design and implement appropriate remediation. In addition, a timeline can help them to retroactively discover potential identifiers of compromise that could help with identifying the attack in the future. A complete record of the assessment also helps the Red Team if anything goes wrong. If a client system has a problem or a real attack happens to occur during the assessment, a record of the actions taken by the Red Team can help prove that it was not their fault or caused by activities explicitly permitted by the rules of engagement.

Provide measurable value

The result of a Red Team assessment typically includes a list of discovered vulnerabilities and recommendations for correcting them. However, anything that the Red Team can do to provide measurable value to the customer helps them to feel that they got their money’s worth and improves the probability of repeat business. While it is useful to provide information about discovered vulnerabilities and their associated risks and severity, it’s also a good idea for the Red Team to provide information on what doesn’t work. By demonstrating that the team tested and rejected potential high-severity or high-probability attacks, they make the customer feel like they received a comprehensive assessment and good value for their money.

Conclusion: Performing an assessment

Every Red Team assessment is unique and can require very different tools and tactics from the Red Team. However, following a few best practices can help ensure that the Red Team is ready to deal with whatever may happen in the course of the engagement and provide maximum value to the customer.  

Sources

What’s Your Defense Strategy? Best Practices for Red Teams, Blue Teams, Purple Teams, Core Security Pen test gone awry? Coalfire staffers arrested for burglary, SC Magazine Red Team Use of MITRE ATT&CK, Medium