Development and Operations: A Practical Guide


Deconfliction Process and Documentation



Date: 11.02.2023
Joe Vest, James Tubberville, Red Team Development and Operations
At a minimum, deconfliction documentation should include:

- Dates of the engagement
- POC for the engagement
  - Lead
  - Tech
  - ECG/TA/White Cell
- Source of activities
- Destination of activities (as appropriate for the engagement type)
  - Segment, Range, Application, Host, IP, Building, Campus, etc.
  - In most scenarios, the destination is not provided
  - Deconfliction performed via TA/White Cell
- Description of the activity

In the event deconfliction is requested, the Red Team Lead should work with the responsible TA/White Cell POC, assess the information, and isolate the information from Red Team activity. This process may include:

- Halting all activities in the area of the incident
- Reviewing the ROE for limitations, objectives, and deconfliction instructions
- Reviewing OPLOGS to determine the activities the team was conducting at the time indicated
- Confirming or denying Red Team activities for each deconfliction incident
- Confirming findings with the ECG, White Cell, and TA
- Ensuring findings are relayed by email as well as by telephone
- Maintaining records of deconfliction information, actions, assessment, and findings

If the deconfliction process indicates the Red Team is the originator:

- Determine and isolate the specific activities and scripts employed (if required)
- Determine and isolate the specific logs supporting the time frame of the incident
- Notify the Engagement Control Group
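
One way to carry out the OPLOG review and the confirm/deny step listed above, as an added example that is not from the book. The OPLOG field names, the request fields, and the 5-minute clock-drift allowance are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed OPLOG entries; field names are assumptions, not a format from the book.
OPLOG = [
    {"time": "2024-03-05T14:02:10", "operator": "op1", "source": "198.51.100.7",
     "destination": "10.20.0.15", "activity": "share enumeration"},
    {"time": "2024-03-05T14:06:45", "operator": "op2", "source": "198.51.100.9",
     "destination": "10.20.0.22", "activity": "web login testing"},
    {"time": "2024-03-05T16:30:00", "operator": "op1", "source": "198.51.100.7",
     "destination": "10.20.0.15", "activity": "file transfer"},
]

def review_oplog(oplog, start, end, source=None, destination=None, slack_min=5):
    """Entries inside the reported window (widened for clock drift) that match
    whichever of source/destination the request supplied."""
    lo = datetime.fromisoformat(start) - timedelta(minutes=slack_min)
    hi = datetime.fromisoformat(end) + timedelta(minutes=slack_min)
    hits = []
    for entry in oplog:
        when = datetime.fromisoformat(entry["time"])
        if not lo <= when <= hi:
            continue
        if source and entry["source"] != source:
            continue
        if destination and entry["destination"] != destination:
            continue
        hits.append(entry)
    return hits

def deconflict(oplog, request):
    """Return (internal record to retain, reply for the TA/White Cell)."""
    hits = review_oplog(oplog, request["start"], request["end"],
                        request.get("source"), request.get("destination"))
    record = {"request_id": request["id"], "window": (request["start"], request["end"]),
              "red_team_originated": bool(hits), "supporting_entries": hits}
    # The reply carries only the confirm/deny finding, never sources or activities.
    reply = {"request_id": request["id"],
             "red_team_activity": "CONFIRMED" if hits else "DENIED"}
    return record, reply

if __name__ == "__main__":
    # Constructed requests: one with a destination, one with only a time window.
    for req in ({"id": "DC-001", "start": "2024-03-05T14:00:00",
                 "end": "2024-03-05T14:05:00", "destination": "10.20.0.15"},
                {"id": "DC-002", "start": "2024-03-05T09:00:00",
                 "end": "2024-03-05T09:30:00"}):
        print(deconflict(OPLOG, req)[1])
```

The internal record keeps the supporting log entries for the team's own deconfliction records, while the reply is limited to the confirm or deny finding.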
The deconfliction process provides an avenue for an engagement to be gamed and is susceptible to biased information flows. Part of the engagement planning process should include determining the amount of time required to execute the deconfliction process and when to use it properly.
Always emphasize there is no scenario where deconfliction will be used by the target environment or defenders to identify Red Team sources or activities. At no time should the target environment or defenders be provided with information outside the deconfliction process, except for safety or legal incidents.
