Red Team Development and Operations: A Practical Guide
Joe Vest, James Tubberville, Red Team Development and Operations
Engagement Culmination
Following the execution phase, each engagement includes a series of activities required for a successful closeout, cleanup, and final reporting. This section walks through the steps needed to close out an engagement successfully.


Sanitization and Cleanup
All evidence of an engagement must be sanitized before Red Team departure. Any evidence describing the nature of the attacks, vulnerabilities, results, or other information must be entirely removed and destroyed. This cleanup includes tools and artifacts as well as reversing any modifications to security controls that could leave an environment less secure when an engagement ends.
In addition to system modifications, Red Teams may have the opportunity to modify or bypass security controls. If target system security controls were disabled or modified, they must be restored as soon as possible. These should be tracked with all other changes.
ROE is Law
The sanitization process must be documented in the ROE prior to engagement execution. This is the best way to ensure the cleanup process is documented and, if followed, executed appropriately.
Ideally, all exploits, toolkits, and persistence mechanisms have self-destruct code baked in, both time-based (to prevent execution outside the engagement window) and target-based (to prevent exploitation outside the target environment). For items that do not have built-in self-destruct code, the Red Team should remove each one individually and document the removal. When cleanup is not possible (communications lost, system taken offline, permission, etc.), the Red Team will alert the TA with the system name, IP address, directories, filenames, modification date, modifications made, tools left behind, or files modified. A change tracking log should be part of every engagement's required toolset. (Note: if using the logging recommendations made earlier in the text, this tracking is captured in the log.) System modifications should always be expected and planned as part of an engagement.
These modifications are not only permanent changes such as dropped files or Windows registry modifications but also in-memory processes. The following quick checklist will help an engagement lead remove all changes.
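The change tracking log described above, as an added example that is not code from the book or its authors: each modification made during the engagement is recorded with the fields the text says the TA needs (system name, IP address, path, modification date, what was changed, tools left behind), and at closeout every entry is either marked reverted or escalated in a TA alert. Disabled or modified security controls are sorted to the top of the outstanding list because the text says they must be restored as soon as possible. The `ChangeLog` API, the change-type names and the sample entries are assumptions constructed for illustration.

```python
"""Engagement change-tracking log with a closeout report (added example, not from the book)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Security-control changes must be restored first, so they sort to the top of
# any outstanding list. Category names are assumptions for this example.
CONTROL_CHANGES = {"control_disabled", "control_modified"}


@dataclass
class ChangeRecord:
    system: str                        # hostname
    ip: str
    path: str                          # file, directory, registry key or process touched
    change_type: str                   # file_dropped, registry_modified, control_disabled, process_started, ...
    description: str                   # what was modified / which tool was left behind
    made_at: datetime                  # modification date
    reverted_at: Optional[datetime] = None
    revert_note: str = ""

    @property
    def is_outstanding(self) -> bool:
        return self.reverted_at is None


class ChangeLog:
    def __init__(self) -> None:
        self.records: List[ChangeRecord] = []

    def record(self, **fields) -> ChangeRecord:
        rec = ChangeRecord(**fields)
        self.records.append(rec)
        return rec

    def mark_reverted(self, rec: ChangeRecord, when: datetime, note: str = "") -> None:
        rec.reverted_at = when
        rec.revert_note = note

    def outstanding(self) -> List[ChangeRecord]:
        """Entries not yet cleaned up, security-control changes first, then oldest first."""
        pending = [r for r in self.records if r.is_outstanding]
        return sorted(pending, key=lambda r: (r.change_type not in CONTROL_CHANGES, r.made_at))

    def ta_alert(self) -> str:
        """One line per item the team could not clean up, in the form handed to the TA."""
        return "\n".join(
            f"{r.system} ({r.ip}) {r.change_type} {r.path} "
            f"modified {r.made_at.isoformat()}: {r.description}"
            for r in self.outstanding()
        )


def build_sample_log() -> ChangeLog:
    """Constructed sample engagement: four changes, two cleaned up before closeout."""
    def t(hour: int, minute: int) -> datetime:  # constructed timestamps
        return datetime(2023, 1, 10, hour, minute, tzinfo=timezone.utc)

    log = ChangeLog()
    log.record(system="WS-EXAMPLE-01", ip="10.0.0.21", path=r"C:\Users\Public\tool.exe",
               change_type="file_dropped", description="dropped tool binary", made_at=t(9, 5))
    log.record(system="WS-EXAMPLE-01", ip="10.0.0.21",
               path=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
               change_type="registry_modified", description="added Run key for persistence", made_at=t(9, 7))
    log.record(system="SRV-EXAMPLE-02", ip="10.0.0.50", path="svchost.exe (injected)",
               change_type="process_started",
               description="in-memory agent; host taken offline before cleanup", made_at=t(11, 10))
    log.record(system="SRV-EXAMPLE-02", ip="10.0.0.50", path="endpoint protection real-time scanning",
               change_type="control_disabled",
               description="real-time scanning switched off; not yet restored", made_at=t(11, 30))
    # Two items were removed and verified during cleanup; the other two go to the TA.
    log.mark_reverted(log.records[0], t(16, 0), "deleted file, verified absent")
    log.mark_reverted(log.records[1], t(16, 2), "removed Run key, verified absent")
    return log


if __name__ == "__main__":
    print(build_sample_log().ta_alert())
```

Running the block prints the TA alert for the two uncleaned items, with the disabled control listed first even though it was made after the injected process. In a real engagement the log would be appended to as changes are made, not built at the end; the point of the example is that every entry carries enough detail for someone else to finish the cleanup.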