● Occurs immediately after engagement execution
● Include organizational management (decision makers)
● Include key information security and technical staff
● Focus on the chronological summary of observations (the story of the event)
● Highlight critical observations
● Inform the audience that this brief is merely a summary. The final report will contain all event details

Optional
● Include additional information security or technical staff
● Include critical system experts
● Include legal staff
Technical Outbrief

A technical outbrief (or tech-on-tech briefing) is extremely valuable to the organization, to the Defensive/Blue Team, and to the Red Team itself. These technical exchanges do not always occur, but they are too valuable to ignore and should be a required step for every engagement.

The tech-on-tech is a bidirectional technical exchange of information between the Red Team, the Blue Team, and the organization. During this exchange, both the Red and the defensive elements provide a highly detailed, step-by-step technical review of the actions and results (including all associated details) of the engagement. This is where training and education meet, and it is one of the most valuable opportunities for all parties to learn. More often than not, the defenders discover that they had very little insight into Red Team actions on the network. The tech-on-tech allows both sides to participate in a detailed walkthrough combined with a question and answer session.

The tech-on-tech is often more useful to those who will implement mitigations or changes driven by Red Team activity than the final report. While the process is quite simple, the value is unsurpassed. A few tech-on-tech actions/roles are identified below to give you a better understanding of what should take place.
Tech-on-Tech Briefing Checklist and Agenda Planning

The Red Team:
● Explains Red TTPs and intended IOCs.
● Explains their initial thought process for meeting the engagement objectives.
● Steps through Red actions and associated activity/commands. (This occurs simultaneously with the defender walkthrough.)
● Describes why those actions were executed. (What led to each specific action?)
● Provides the results of each action and how that action enabled the next.
● Provides recommendations or techniques that would limit each threat action.

The Defensive Team:
● Has the opportunity to ask the how and why.
● Explains the process for securing and defending the environment.
● Identifies any alerts, triggers, or anomalies within the environment during the engagement.
● Steps through the Blue actions in response to Red Team activity. (This occurs simultaneously with the Red Team walkthrough.)
● Identifies how Red Team activity could have been detected, prevented, or leveraged. (Red Team input is usually key during this discussion period.)
● Provides feedback on the Red Team actions and recommendations.
● Uses tech-on-tech information to perform a post-engagement analysis prior to the receipt of the official report.