be to create a backup or rollup script that copies each set of logs to the repository when executed at end-of-day.
Screenshots

Details concerning Red Team actions are often met with disbelief. Even when the team has undeniable evidence of access to a highly restricted application, network, or physical area, target personnel (management as well as employees) sometimes have trouble conceding that access was obtained. Images provide the visual proof that is often required.

Screenshots of activities validate the actions that occurred during an assessment. Keep in mind that a Red Team engagement is not a vulnerability assessment or penetration test. The engagement is designed to tell a story of how a legitimate threat could impact the function of the target environment, and screenshots of applications, systems, and commands are the most direct way to tell that story. Where practical, keep the target hostname, the logged-in user, and the system clock visible in the frame; they tie the image to the corresponding entry in the activity log.
During physical assessments, pictures or video of buildings, offices, desks, server rooms, restricted areas, etc. are generally required as proof of entry. A second recommendation is for the physical team to produce stickers that carry the Red Team logo. Those stickers (or markers) are placed in areas of interest and kept within the frame when pictures or video are captured, so the image cannot be mistaken for a stock photo of the location.

Remember: a useful filename includes the date, time, IP, and a short description, in the format YYYYMMDD_HHMM_IP_Description.jpg|png (for example, 20170308_1518_server_room_access.png). The example omits the IP because the evidence came from a physical entry rather than a host; a site or building identifier can fill that slot instead. Use the same clock and time zone as the activity log so each image can be matched to its log entry.
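The end-of-day rollup script mentioned above and the filename convention just described fit naturally together. The following shell script is an added example, not code from the book: it builds the canonical YYYYMMDD_HHMM_IP_Description.ext name from a capture's modification time, refuses names that do not match the convention, copies the file into the evidence repository without overwriting anything already there, and appends a SHA-256 line to a manifest. It assumes GNU coreutils (date -d, stat -c, touch -d, sha256sum) and a repository directory passed in a hypothetical EVIDENCE_REPO variable; the function names are likewise my own.

```shell
#!/usr/bin/env bash
# Added example, not code from the book: roll a screenshot (or log file) into the
# evidence repository under the YYYYMMDD_HHMM_IP_Description.ext convention and
# record its SHA-256 in a manifest. Assumptions: GNU coreutils (date -d, stat -c,
# sha256sum) and a repository directory given in EVIDENCE_REPO (hypothetical name).
set -u

# evidence_name EPOCH IP_OR_LOCATION DESCRIPTION EXT
# Prints the canonical filename. The timestamp is rendered in UTC so evidence
# from different operators' machines sorts consistently; the description is
# squeezed to [A-Za-z0-9_] so one convention holds across operating systems.
evidence_name() {
    local epoch=$1 ip=$2 desc=$3 ext=$4 stamp
    stamp=$(date -u -d "@$epoch" +%Y%m%d_%H%M)
    desc=$(printf '%s' "$desc" | tr -cs 'A-Za-z0-9' '_' | sed 's/^_//; s/_$//')
    printf '%s_%s_%s.%s\n' "$stamp" "$ip" "$desc" "$ext"
}

# evidence_valid FILENAME -> exit 0 if the name follows the convention.
# The third field may be an IP (10.0.0.5) or a site code (HQ-B2) for physical evidence.
evidence_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{8}_[0-9]{4}_[A-Za-z0-9.-]+_[A-Za-z0-9_]+\.(png|jpg|jpeg|log|txt)$'
}

# evidence_rollup SRC_FILE IP_OR_LOCATION DESCRIPTION
# Copies SRC_FILE into $EVIDENCE_REPO under its canonical name, using the file's
# modification time (when the capture was saved) as the timestamp, and appends a
# SHA-256 line to MANIFEST.sha256 so later questions about tampering can be
# answered. Existing evidence is never overwritten. Prints the stored name.
evidence_rollup() {
    local src=$1 ip=$2 desc=$3 repo ext epoch name
    repo=${EVIDENCE_REPO:?set EVIDENCE_REPO to the repository directory}
    ext=${src##*.}
    epoch=$(stat -c %Y "$src")
    name=$(evidence_name "$epoch" "$ip" "$desc" "$ext")
    evidence_valid "$name" || { echo "refusing non-conforming name: $name" >&2; return 1; }
    mkdir -p "$repo"
    if [ -e "$repo/$name" ]; then
        echo "already in repository, not overwriting: $name" >&2
        return 2
    fi
    cp -p "$src" "$repo/$name"
    # Relative path in the manifest so `sha256sum -c MANIFEST.sha256` works from the repo dir.
    ( cd "$repo" && sha256sum "$name" >> MANIFEST.sha256 )
    printf '%s\n' "$name"
}
```

Run it from the end-of-day script once per capture, e.g. `EVIDENCE_REPO=/srv/evidence evidence_rollup ~/shots/shot.png 10.0.0.5 "server room access"`; the manifest can later be checked with `sha256sum -c MANIFEST.sha256` inside the repository. The mtime is used deliberately: it records when the capture was saved, which is the moment that should match the activity log, rather than when the rollup happened to run.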
Tradecraft

The term tradecraft is borrowed from the intelligence community. The Merriam-Webster.com dictionary defines tradecraft as "the techniques and procedures of espionage." Tradecraft in Red Teaming has become a more general term: it is the how and why of a Red Team's actions.

Basically, a Red Team's tradecraft combines various TTPs to emulate a specific threat. To minimize confusion, tradecraft, TTPs, and techniques will be used interchangeably. Threat portrayal requirements directly drive a Red Team's choice of TTPs.

A Red Team may choose custom, highly advanced tools to portray an APT (advanced persistent threat), or use simple "script kiddie" techniques to emulate an ordinary hacker. This range forces a Red Team to be highly diverse: it must be able to emulate highly advanced threats and, when the engagement calls for it, to restrain itself to a simple one.

Remember, tradecraft and TTPs are core to a Red Team. Weak tradecraft equals a weak Red Team. A Red Team must be highly capable in order to emulate a threat with the fidelity needed to accomplish its goals as that threat.