General Guidance

Maintaining consistent TTPs is essential during Red Team engagements. Getting caught, or stimulating an effect at the wrong time in the engagement, can compromise an entire mission. Guidance on TTP "dos and don'ts" for Red Team engagements is included below. These rules must always be applied to the first set of operating procedures. This ruleset is a great starting point for developing high-level TTPs. If circumstances require a deviation, or a rule does not fit an engagement, a consultation with a senior Red Team Operator is required. Any time a TTP rule is violated, senior staff should be involved in the decision, and the reason and circumstances documented.

Log all significant actions (successes and failures)

Bottom line up front: log, log, and log some more. Take screenshots of all significant actions, including successful and failed attempts.

One of the most important aspects of a Red Team engagement is the collection of data (a.k.a. logs). It is extremely common for an inexperienced team to complete an engagement with subpar documentation: many actions are not fully captured, some actions are never captured, and often key failures are ignored. Each action performed provides value to the target as well as to the target's defenders. Incomplete logs prevent the Red Team from providing a complete and accurate depiction of the actions, obstacles, and defensive strengths and weaknesses of the target (a.k.a. Red Team mission failure).

As previously covered, there are several methods to ensure that logs are appropriately captured and stored:

● Automated logging of the terminal: all terminal actions are logged, timestamped, and saved to a predefined location.
● Tool logs: most commercial tools have some capability to log actions and produce a raw or a final report.
● Custom tool logs: if you write a custom tool or script, it should output a log of actions and results.
● Operator logs: by far, these are the most important logs. A log may show the action performed and the result; however, only the operator can accurately note the way the action was performed, what led them to the decision, and their interpretation of the result.
● Screenshots: terminal logs are great for the operator and even better as supporting artifacts; however, they may mean nothing to senior-level executives (or even to some IT professionals). Screenshots before, during, and following the execution of an action hold much more weight than a terminal log, tool log, or operator log (often, it may just be a screenshot of the terminal during execution).
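One way to implement the "automated terminal logging" and "operator log" items above, as an added example (constructed for this page, not code from the original guidance). It assumes a POSIX shell with date(1), awk(1) and script(1); the variable names RT_LOG_DIR, RT_OPERATOR and RT_LOG_FILE and the rt_* function names are this example's own.

```shell
#!/bin/sh
# Operator logging helper (added example, not from the original guidance).
# Every significant action, successful or failed, becomes one timestamped,
# tab-separated record: time, operator, host, result, action, operator note.

RT_LOG_DIR="${RT_LOG_DIR:-$HOME/rt-logs}"            # predefined location
RT_OPERATOR="${RT_OPERATOR:-$(id -un)}"              # who performed the action
RT_LOG_FILE="${RT_LOG_FILE:-$RT_LOG_DIR/operator.tsv}"

# rt_log RESULT ACTION NOTE
#   RESULT is "success" or "failure" (failures are logged, not ignored),
#   ACTION is the command or step taken, NOTE is the operator's own reasoning
#   and interpretation, i.e. the part no tool or terminal log can capture.
rt_log() {
    result=$1
    # Tabs/newlines inside fields would corrupt the TSV, so flatten them.
    action=$(printf '%s' "$2" | tr '\t\n' '  ')
    note=$(printf '%s' "$3" | tr '\t\n' '  ')
    case "$result" in
        success|failure) ;;
        *) echo "rt_log: result must be success or failure" >&2; return 1 ;;
    esac
    mkdir -p "$RT_LOG_DIR" || return 1
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)                 # UTC, sortable
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$ts" "$RT_OPERATOR" "$(uname -n)" "$result" "$action" "$note" \
        >> "$RT_LOG_FILE"
}

# rt_summary [FILE]: print "total successes failures" for the report.
rt_summary() {
    f=${1:-$RT_LOG_FILE}
    awk -F'\t' '{ n++ } $4 == "success" { s++ } $4 == "failure" { fl++ }
        END { printf "%d %d %d\n", n, s + 0, fl + 0 }' "$f"
}

# rt_start_terminal_log: record the whole interactive session, with timing,
# into the predefined directory using script(1). Call once per shell.
rt_start_terminal_log() {
    mkdir -p "$RT_LOG_DIR" || return 1
    exec script -q -f "$RT_LOG_DIR/terminal-$(date -u +%Y%m%dT%H%M%SZ).log"
}
```

Source the file from the operator shell, call rt_start_terminal_log once, then rt_log after each significant step; rt_summary gives the success/failure counts when assembling the report.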