Development and operations a practical guide
Joe Vest, James Tubberville, Red Team Development and Operations
Threat Planning
A major factor of the engagement is the threat type and characteristics the Red Team must portray.
This is achieved through threat planning. The end state of threat planning is an ability to represent the threat as closely as possible and to advise the target of implications to the target environment.
Effective planning through the construction of TTPs, profiles, and scenarios significantly improves the Red Team's ability to ensure the engagement identifies potential threat vectors and assists defensive operations with identifying gaps in processes, procedures, toolsets, and training.
The level and depth of threat planning are driven by goals and are different on every engagement. At a minimum, threat planning should include the use of threat TTPs specifically required to achieve a goal and optionally the characteristics of specific threat actors or threat groups. Consider the following when planning how a threat will be used during an engagement.

Threat landscape
- What are the target's characteristics?
- What specific TTPs will be required to operate in that environment?

Threat to the target environment
- What are the current threats to an environment identified through OSINT?
- What are the current threat concerns of the customer, current issues, or previous events?

Real-world examples of threats
- What current or prior threats are of concern?

Threat in scenario or engagement conditions
- How will the engagement scenario impact the threat landscape?

Level of threat capability the team will attempt to emulate
- Is the threat capability or level (simple to advanced) important in the engagement scenario?
A factor Red Team leaders must consider is the realism of the threat. While some organizations may intentionally decide not to unleash the full capabilities of the threat (e.g., due to the level of target audience aptitude or environmental constraints), most Red Teams select attack types and strategies to simulate realistic threats. Exploitation for exploitation's sake or a show of Red Team strength is not appropriate and will not provide meaningful results. Defining threat-based attacks will provide a viable mechanism for training the target audience and strengthening the target environment. The Red Team Lead should carefully weigh the different options in the context of the engagement. This list will then form the basis of the emerging engagement strategy.
Threat intelligence provides information for analysis, the creation of a threat profile, and characterization of the threat. A significant factor in the construction of this characterization is the consideration of the threat's perspective, which can be from inside the target, outside the target, or having limited access to the target. This profile and characterization information is used to create threat scenarios. Threat intelligence also feeds the replication of a threat's intent, capabilities, and TTPs. These can be used to classify and characterize a threat.


Intent
The intent is the "why" in threat operations. The threat's intent may vary greatly depending upon the target, the sensitivity and value of the target's information, and the desired impacts on both the target and the threat. A threat’s intent is based on the specifics of an engagement.
A threat may simply want to gather target information. This information is typically something classified as confidential, proprietary, or intellectual property, and if lost, would be detrimental to an organization. For example, stolen data could be provided to competitors to build and release in time with or ahead of the target.
The intent may be to insert faulty or malicious code into the target's current software project. This code could cause failure or security vulnerabilities at software release. Manipulation scenarios are an excellent choice to support a supply chain attack scenario.
The threat may want to impact the target’s sales and possibly cause a business failure by releasing target information to the public.
Intent that directly impacts an organization should be considered during planning over intent that simply identifies technical flaws.
