Joe Vest, James Tubberville, Red Team Development and Operations
Key Chapter Takeaways
A Red Team engagement report is the final and only piece of evidence of a red team engagement.
These reports can be quite different from other security reports. Reports should focus on the attack narrative and highlight the key observations made by operators during engagement execution.
Applying a risk rating can be difficult, as red team observations are often one-sided. Consider applying ratings by working directly with a risk team or with individuals from the security operations team. Use these tips to apply a rating in cases where the red team will provide the rating itself:

Use an observation section to support the attack narrative
Use a findings section to track and define technical flaws
Apply the three-tiered rating technique for observations
Apply ax rating techniques for technical findings


Homework
1. Develop a custom report template. Create a collection of observations to enable consistent wording when reporting on repeated observations in the attack narrative. Create a findings section to track technical findings (similar to a penetration test report). Develop an attack flow diagram template. Develop an attack flow narrative template.


Summary
Red Teaming is the process of using well-defined Tactics, Techniques, and Procedures (TTPs) to emulate a real-world threat with the goals of training and measuring the effectiveness of the people, processes, and technology used to defend an environment.
Emphasis should be placed on the impacts of threat operations rather than on the enabling vulnerabilities.
Vulnerabilities will be discovered and leveraged; however, the weaknesses found are a byproduct of a Red Team engagement, not the focus. Red Team results should be much more than just a list of identified flaws. They provide a deeper understanding of how an organization would perform against an actual threat. A Red Team's real value is assisting a target in identifying the administrative, technical, and procedural controls that directly limit a threat's ability to cause negative impacts, even when the organization is vulnerable to the latest "zero-day vulnerability." Consequently, Operational Impacts provide real insight into the ability of security operations to protect against, detect, respond to, or recover from a variety of threats.
Did you notice that engagement planning was quite a bit longer than execution, culmination, and reporting?
There is a method to that madness. Engagement Planning is crucial to managing potential engagement risks effectively, successfully executing desired goals and objectives, and providing the information required to improve both organizational and defensive capabilities. In short, it is nearly impossible to conduct a professional and successful engagement without fully understanding the goals and scope, understanding the resources required to execute, and creating a solid plan. Likewise, effective planning dramatically increases the speed and accuracy of both engagement culmination and reporting. The importance of engagement planning cannot be stressed enough.
Deliverables (Reports) enable the organization to replicate the actions and results of the Red Team.
They are the last form of evidence that can be analyzed and used to provide a base for improving security. They must be included as a final delivery for an engagement.
Finally, we would like to stress our common mantra: "If there is no log, there was no action. If there is no report, there was no engagement." Red Team operators and leads should take this to heart and encourage each other to document their actions properly.
