Joe Vest, James Tubberville, Red Team Development and Operations: A Practical Guide
Attack Narrative
The Attack Narrative section of the report contains the observations made during a Red Team engagement. It is the written version of the attack diagram. These are typically written in chronological order and follow the execution flow of an engagement. Key observations that a Red Team uses to achieve its goals must be documented. This includes all major successful and failed steps taken while working toward a goal. Threat profiles or other indicators that Blue can use during post-analysis should be included. The end of a Red Team engagement can be the beginning of post-forensic analysis or a hunt team engagement. Blue Teams that use the IOCs listed in the report for post-analysis can compare what was detected against what was not in order to find blind spots and tune security tools to better protect against threats.
Types of Observations that Should Be Documented

Observation to be documented: Key actions that led from initial access to the final goal
Description: Actions that describe how access was gained at various phases of the engagement. Include:
- Initial access
- Lateral movement
- Privilege escalation

Observation to be documented: Command and Control
Description: Overview of C2 design and architecture. Include:
- Network information (IP addresses, domain names, ports, protocols, etc.)
- Agent information (binaries, scripts, locations, and Registry changes)
- Persistence methods

Observation to be documented: Reconnaissance actions
Description: Steps taken to perform reconnaissance or situational awareness. Include:
- Techniques used that help identify potential indicators
- Key pieces of information gathered

Observation to be documented: Interesting observations that assisted the Red Team during the engagement
Description: Operators often take advantage of unique situations to support an engagement. This is often nontechnical in nature. Observations related to people, processes, and technology should be documented. Include:
- Logic flaws found in the environment
- Response (or lack of) from defenders

Observation to be documented: Interesting observations that may be of concern but that are not directly related to the engagement
Description: Engagements offer a unique view into a range of systems. Operators often find interesting paths or other observations that may or may not have been explored. These should be documented.
A single observation should include the following elements (a complete example is available on the companion website):
- Observation title
- A narrative description
- Technical details
- Source/destination IP addresses
- Tools or techniques
- Results (including impacts)
- Screenshots
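As an added example (not from the book), a small Python helper that checks each observation for the required elements listed above, orders the observations chronologically for the narrative, and collects a deduplicated IOC list for the Blue Team handoff; the field names, addresses, file names and records are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Elements every observation must carry (screenshots are referenced by file name).
REQUIRED = ("title", "narrative", "technical_details", "source_ip",
            "destination_ip", "tools_or_techniques", "results")

@dataclass
class Observation:
    timestamp: datetime
    phase: str                  # e.g. "Initial access", "Lateral movement", "C2"
    title: str
    narrative: str
    technical_details: str
    source_ip: str
    destination_ip: str
    tools_or_techniques: str
    results: str
    screenshots: List[str] = field(default_factory=list)
    iocs: List[str] = field(default_factory=list)   # indicators Blue can hunt for

def missing_elements(obs: Observation) -> List[str]:
    """Return the required elements left blank, so gaps are caught before the report ships."""
    return [name for name in REQUIRED if not getattr(obs, name).strip()]

def build_narrative(observations: List[Observation]) -> Dict[str, object]:
    """Order observations chronologically and gather a deduplicated IOC handoff list."""
    incomplete = {o.title: missing_elements(o) for o in observations if missing_elements(o)}
    ordered = sorted(observations, key=lambda o: o.timestamp)
    iocs = sorted({ioc for o in ordered for ioc in o.iocs})
    timeline = [f"{o.timestamp:%Y-%m-%d %H:%M} [{o.phase}] {o.title}: {o.results}"
                for o in ordered]
    return {"timeline": timeline, "iocs": iocs, "incomplete": incomplete}

# Constructed sample records (documentation-range address and placeholder names).
SAMPLE = [
    Observation(datetime(2023, 2, 1, 14, 30), "Lateral movement", "Moved to file server",
                "Reused a credential found on the workstation to reach the file server.",
                "Authenticated SMB session; agent copied to the server.",
                "10.0.0.5", "10.0.0.20", "C2 agent (placeholder-agent.exe)", "",  # results blank
                ["fig-02.png"], ["placeholder-agent.exe", "10.0.0.5"]),
    Observation(datetime(2023, 2, 1, 9, 15), "Initial access", "Phishing payload executed",
                "A user opened the attachment and the agent called back to the C2 server.",
                "Outbound HTTPS callback on port 443; Run key added for persistence.",
                "10.0.0.5", "198.51.100.10", "C2 agent (placeholder-agent.exe)", "Beacon established",
                ["fig-01.png"], ["198.51.100.10", "placeholder-agent.exe",
                                 r"HKCU\Software\Placeholder\Run\agent"]),
]

if __name__ == "__main__":
    report = build_narrative(SAMPLE)
    print("\n".join(report["timeline"]), report["iocs"], report["incomplete"], sep="\n")
```

The `incomplete` map flags the lateral-movement record whose results field was left empty, which is the kind of gap the Blue Team cannot fill in after the fact.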