Red Team Development and Operations: A Practical Guide


Where to Include Findings and Recommendations

Joe Vest and James Tubberville, Red Team Development and Operations
Although the report is centered on the attack diagram and narrative, flaws will be identified during the engagement and should be reported in a findings section. The findings should be a list of the critical issues that contributed to the Red Team's success in achieving its goals. These should include traditional findings, such as a lack of patching, weak passwords, or other common flaws, because they are often the footholds the operation depended on.
Mitigation recommendations are typically generic at this phase. To sharpen them into advice that directly fits the target organization, the Red Team and the target organization must collaborate to determine the root cause of each security failure. Unfortunately, this does not always occur. Many Red Teams provide a list of recommendations, and these are taken as ground truth. Red Teams should instead encourage a proper risk assessment of the recommended mitigations: the Red Team only supplies one side of the risk equation (the threat's view), while the organization holds the other (asset value, existing controls, and cost to change). Organizations that use the report to conduct their own root cause analysis are generally better off and implement more robust improvements to their security operations.
Focus Point
Although findings and recommendations are not the focus of a Red Team engagement and are not always requested, they should always be included in an appendix. After the observations are analyzed and understood, the Red Team knows how the defense fared against the attack, but that understanding is often one-sided. It can be difficult to provide exact recommendations or remediations. It can be more useful to present a relationship instead of a direct recommendation: a relationship that gives an overall picture of the engagement and shows how each improvement would raise the cost to the threat.
The details in this example are not important. The focus is the mapping of each observation to a recommendation, expressed in terms of the Pyramid of Pain. The left side of the image shows the Red Team's observations mapped to the defense's current ability to impact the threat's actions; in this case it sits at Easy, meaning the defense imposed little cost on the attacker.
The right side of the image describes each issue and provides a recommendation. If the target organization implements the recommendation, the Red Team estimates the resulting defensive posture and its impact on the threat; in this case, the posture would rise to Challenging or Annoying. The estimate is the Red Team's judgment of attacker cost, not a measured result, which is another reason the organization should validate it with its own risk assessment.

The report does not need to display this diagram explicitly, but the concept should be understood in the context of the report. Note that, as with the attack diagram, images assist understanding. Including visuals along with text dramatically increases the chances that the material is absorbed and applied.
