Joe Vest, James Tubberville: Red Team Development and Operations
Observations vs. Findings
The Red Team engagement report can be quite different than reports generated in penetration tests or vulnerability assessments. Engagement goals and associated impacts are the foundational data points that directly feed a Red Team report. As previously discussed, Red Team engagements are highly scenario-focused. This leads to a story-driven report that contains the Red Team's story (or flow) and their ability to execute or meet their goals.
Penetration testing or vulnerability assessment reports focus on findings. For example, a penetration test may discover that a weak password policy leaves an organization susceptible to a brute force attack, or that missing patches allowed the exploitation of end-user workstations. These findings are typically mapped to some security control or policy. Such findings might lead to recommendations to modify the password policy to require longer passwords, to implement two-factor authentication, and to ensure that the patching policy is being followed. These are important findings to discover, but they fall more along the lines of security housekeeping and attack surface reduction.
Red Team engagements have very different goals than other security tests. The goals in a Red Team report are better represented as observations rather than as discrete findings. For example, an out-of-date system may have flaws that allow an operator to compromise a workstation.
This provides command and control, which is used to perform situational awareness of the target organization's assets. The operator continues to explore and move through the target's network and eventually steals proprietary data as a planned goal. The technical flaw is important and should be documented, but it is only one of a series of steps. This series of steps can be used to detail an observation about the freedom of movement a threat has in the environment.
Example Observation
The red team was able to move freely through the target's network with little to no resistance. The initial compromised host provided the initial stepping stone but was soon abandoned once freedom of movement was established. The red team did not observe any preventive or detective controls that would indicate the organization was aware of the threat activity. This freedom of movement was key in providing the ability to exfiltrate sensitive data from the target.
The Red Team is driven by goals intended to stimulate or measure not only technical flaws but security operations as a whole. This includes people, processes, and technology. A Red Team report therefore uses a story-based format in which observations, rather than findings, are listed.