Joe Vest, James Tubberville, Red Team Development and Operations
Engagement Reporting
Reports are the final product and the only evidence of an engagement. The reporting phase is a critical aspect of a Red Team engagement. Reports should enable the organization to replicate the actions and results of the Red Team and are the last form of evidence that can be analyzed and used to provide a base for improving security. They must be included as a final deliverable for an engagement.
Some teams (especially internal teams) do not produce formal reports. Some only provide a list of findings and label it as a report. While this is acceptable (assuming some detailed deliverable is produced), it is strongly encouraged to develop a formal reporting process using a standard template. This process ensures consistency and completeness in delivering a final product following an engagement.
Rules Regarding Data Collection and Reporting
1. If an action is not logged, it did not happen. If there is no report, there was no engagement.
Reports not only document the activity that occurred during a specific engagement but also provide an excellent reference that can be used as a reliable roadmap to plan and design future engagements. Many engagements share similar approaches and goals. As the number of reports grows, they can be analyzed together to understand common patterns and risks shared by various environments. These can be used to understand how threats succeed or fail when facing varying levels of defense.


Attack Flow Diagrams
Everyone has heard that an image is worth a thousand words. The same applies when generating reports, especially those containing complex threads and activities. Red Teaming is about understanding the impact of a threat's actions against a target. Although this is documented in logs and eventually written up as observations, a visual diagram is extremely valuable and one of the most effective ways to describe and highlight key activities and observations.
The diagram above is a sanitized example of a real Red Team engagement leveraging a simple assumed breach model. This engagement was used to train a new red team using a small, simplified engagement. The engagement goals included the following:
- Train and expose a new red team to the red team processes
- Measure the ability a threat has to move laterally
- Measure the defender's ability to detect C2 traffic and binaries
- Measure the ability to perform and subsequently detect critical data exfiltration
This Red Team engagement was designed as C2 training for a new Red Team and to educate a Blue Team on threat techniques. The Red Team designed and staged Command and Control with specific IOCs and threat objectives using a threat profile to document the threat design. The diagram highlights the actions, successes, and failures of the Red Team and was created using the commercial mind mapping software XMind (http://www.xmind.net/) but could have easily been created in a number of other diagramming tools.
A properly designed diagram can, on its own, be used to present a Red Team engagement. The power of an image is truly immense. Diagrams are not required but are highly encouraged.
Consider This
The authors of this book often use only diagrams to drive executive or technical briefings versus using a long text-driven document or PowerPoint presentation. Graphical presentations are a great way to convey the complex actions of a Red Team engagement.
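The book draws its attack flow diagram by hand in XMind. As an added example (not code from the book or the authors), the script below derives the same kind of diagram directly from the per-action activity log that rule 1 above demands, so that only logged actions appear in the picture. It emits Graphviz DOT, colouring each step green for success or red for failure and dashing the steps the Blue Team detected, so both the threat's and the defender's successes and failures are visible at a glance. The log layout, field names, host names and techniques are assumptions made for illustration; the log rows are constructed sample data.

```python
"""Render a Red Team activity log as a Graphviz DOT attack flow diagram.

Added example, not code from the book: the log layout, host names and
techniques below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Constructed sample of a per-action operator log (hypothetical hosts and
# techniques). Every action the team takes is recorded here; an action that
# is not logged never reaches the diagram (rule 1 above).
# Fields: time, source host, target host, action, result, detected by Blue Team.
ACTIVITY_LOG: List[Tuple[str, str, str, str, str, bool]] = [
    ("2020-05-11T09:00Z", "WS01", "WS01", "Assumed breach: payload executed", "success", False),
    ("2020-05-11T09:05Z", "WS01", "C2", "HTTPS beacon to C2 established", "success", False),
    ("2020-05-11T10:12Z", "WS01", "FS01", "Lateral movement via SMB", "success", True),
    ("2020-05-11T10:40Z", "WS01", "DC01", "Lateral movement via WMI", "failure", True),
    ("2020-05-11T11:30Z", "FS01", "C2", "Exfiltration of staged archive", "success", False),
]


@dataclass
class Action:
    time: str
    src: str
    dst: str
    action: str
    result: str      # "success" or "failure"
    detected: bool   # whether the Blue Team detected this step


def parse_log(rows: Sequence[Tuple[str, str, str, str, str, bool]]) -> List[Action]:
    """Validate raw log rows and return them in chronological order."""
    actions = []
    for time, src, dst, action, result, detected in rows:
        if result not in ("success", "failure"):
            raise ValueError(f"unknown result {result!r} for action at {time}")
        actions.append(Action(time, src, dst, action, result, bool(detected)))
    # ISO-8601 timestamps in one zone sort correctly as plain strings
    return sorted(actions, key=lambda a: a.time)


def summarize(actions: Sequence[Action]) -> Dict[str, int]:
    """Counts worth carrying into the report's executive summary."""
    return {
        "actions": len(actions),
        "successes": sum(a.result == "success" for a in actions),
        "detected": sum(a.detected for a in actions),
        "undetected_successes": sum(a.result == "success" and not a.detected for a in actions),
    }


def _quote(text: str) -> str:
    """Quote a string for use as a Graphviz ID or label."""
    return '"' + text.replace('"', '\\"') + '"'


def build_dot(actions: Sequence[Action]) -> str:
    """Emit a DOT graph: hosts are nodes, each logged action is a numbered edge.

    Green edges succeeded, red edges failed; dashed edges were detected by
    the defenders.
    """
    lines = ["digraph attack_flow {", "  rankdir=LR;", "  node [shape=box, style=rounded];"]
    hosts: List[str] = []
    for a in actions:
        for host in (a.src, a.dst):
            if host not in hosts:
                hosts.append(host)
    for host in hosts:
        lines.append(f"  {_quote(host)};")
    for step, a in enumerate(actions, start=1):
        color = "darkgreen" if a.result == "success" else "red"
        style = "dashed" if a.detected else "solid"
        # "\\n" stays a literal backslash-n in the output, which DOT renders as a line break
        label = f"{step}. {a.action}\\n{a.time}" + ("\\n[DETECTED]" if a.detected else "")
        lines.append(
            f"  {_quote(a.src)} -> {_quote(a.dst)} "
            f"[label={_quote(label)}, color={color}, style={style}];"
        )
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_dot(parse_log(ACTIVITY_LOG)))
```

Render it with `python attack_flow.py | dot -Tpng -o attack_flow.png`. Because the diagram is generated from the log rather than drawn separately, it cannot drift from the evidence, and the same log feeds `summarize()` for the numbers the executive summary needs.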