Joe Vest, James Tubberville, Red Team Development and Operations

Full Engagement Model
The Full Engagement Model is a complete, end-to-end emulation of a threat and is the model most commonly requested by organizations. Think of it as the no-holds-barred engagement (although in practice some holds are always barred). This model emulates a threat starting on day one and working until a final goal is reached.

A Full Engagement Model begins with the threat outside the organization. The threat must perform Open Source Intelligence (OSINT), reconnaissance, and enumeration to determine a path into the network. Once inside the network, the Red Team continues to execute its plan using its TTPs. This continues until the Red Team is stopped or completes its goal. Characteristics of the Full Engagement Model:
Begins on day 1 of adversarial activity
Red Team must perform all phases (Get In, Stay In, and Act; these are discussed further in the text)
Typically longer than other engagement types, as adequate time is needed to perform all phases
Red Team must be able to get in or have a backup "white carding" plan
With condensed execution timelines, it is common for time to run out before operational impacts can be executed
Contingency plans must be made to ensure that required impacts are executed
Assumed Breach Model
The Assumed Breach Model assumes a threat has some level of access to the target at the initiation of the engagement. This model is arguably the most beneficial of all the models. Because the threat is assumed to already have a foothold, the scenario starts much further along the attack timeline. The premise that someone can breach the network is often contested by less mature organizations, which insist that the Red Team must prove it can get in before beginning. When is this proof important? It is important ONLY if measuring a threat's ability to "get in" is itself a key goal. If it is not, using the Assumed Breach Model saves time, effort, and money and frees the Red Team to explore higher-impact goals.

Characteristics of the Assumed Breach Model:
Begins after a threat has breached an organization
Red Team focuses on the Stay In and Act phases
More efficient use of limited resources (time, money, and staff)
Requires providing access to the Red Team. This is commonly done by launching the Red Team's malware, providing access to a specific asset, or providing passwords
Operational impacts and goals must still be achieved
