Red Team Engagements
Steps and procedures of a red team engagement.
Defining Scope and Objectives
The key to a successful engagement is clearly defining client objectives and goals. Both parties (client and red team) should agree on what is expected and provided. Without clear objectives and expectations you are preparing for an unstructured and unplanned campaign.
Engagements can be categorised as a general internal/network pentest or a focused adversary emulation. A focused adversary emulation defines a specific APT (Advanced Persistent Threat) or group to emulate with an engagement. A general internal/network pentest will be less focused and use standard TTPs (tactics, techniques and procedures).
The next key is to ensure a well-defined scope. A client's scope will typically define what you cannot do or cannot target, it can also include what you can do or target. Scope should only ever be set byt the client, though in some cases red team may discuss a particular grievance if it affects an engagement. An example of verbiage in a client's scope is:
No exfiltration of data.
Prod servers are off limits.
10.0.0.1/18 is out of scope.
System downtime is not permitted under any circumstance.
Rules of Engagement (ROE)
RoE are a legally binding outline of a client's objectives and scope, with further details of engagement expectations between both parties. This is the first "official" document in the engagement planning process and requires proper authorisation between both parties. This often acts as the general contract between the two, although an external contract or other NDAs can also be used.
The RoE structure is determined by the client and red team and can vary in length/sections. A brief outline of standard RoE sections is as follows:
Executive Summary: summary of all contents and authorisation in the document.
Purpose: defines why the RoE document is used.
References: references used throughout the RoE (HIPAA, ISO, etc.)
Scope: statement of agreement to restrictions and guidelines.
Definitions: definitions of technical terms used throughout.
RoE & Support Agreement: obligations of both parties and expectations of engagement conduct.
Provisions: define exceptions and additional info from RoE.
Requirements, Restrictions & Authority: define expectations of the red team cell.
Ground Rules: define limitations of red team actions.
Resolution of Issues/Points of Contact: all essential personnel involved.
Authorisation: statement of authorisation for the engagement.
Approval: signature from both parties approving all subsections.
Appendix: any further information needed.
Campaign Planning
Each red team will have their own methodology and documentation for campaign planning. An example plan will be outlined here. This consists of four different plans varying in depth and coverage adapted from military operations documents. These are:
Engagement Plan: overarching description of technical requirements of red team. Contains: CONOPS, Resource and Personnel Requirements, Timelines.
Operations Plan: extension of Engagement plan, goes into more specifics. Contains: operators, known information, responsibilities.
Mission Plan: exact commands to run and execution time of engagement. Contains: commands to run, time objectives, responsible operator.
Remediation Plan: how the engagement proceeds after campaign completes. Contains: reports, remediation consultations.
Engagement Documentation
This is an extension of campaign planning where ideas and thoughts of campaign planning are officially documented. A technical overview of the contents of each campaign plan discussed previously will be provided here.
Engagement Plan
CONOPS (Concept of Operations)
Non-technical written overview of how red team meets client objectives.
Resource Plan
Include timelines and info required for success, any resource requirements: personnel, hardware etc.
Operations Plan
Personnel
Info on employee requirements.
Stopping Conditions
How & why should the red team stop during the engagement.
RoE (optional)
-
Technical Requirements
Knowledge the red team need to be successful.
Mission Plan
Command Playbooks (Optional)
Exact commands and tools to run, include when, why, how. Commonly seen in large teams with many operators.
Execution Times
Times to begin stages of engagement. Can include times to execute tools and commands.
Responsibilities/roles
Who does what, when.
Remediation Plan (Optional)
Report
Summary of details and report of findings.
Remediation/Consultation
How will the client remediate findings? Can be included in report or discussed in a meeting.
Concept of Operations (CONOPS)
CONOPS is the part of an engagement plan which details a high-level overview of an engagement. This is like an executive summary of a penetration test. The document is a business/client reference and a reference for the red cell to build off of.
CONOPS should be written from a semi-technical summary perspective but should not omit details like common tooling, target group etc. There is no standard set for CONOPS documents, an outline of what should be included is:
Client Name
Service Provider
Time frame
General Objectives/Phases
Other Training Objectives (Exfiltration)
High-Level Tools/Techniques planned to be used
Threat group to emulate (if needed)
Resource Plan
The second document of the engagement plan which details a brief overview of dates, knowledge required, and resource requirements. This extends the CONOPS. Unlike the CONOPs, this should not be a summary, it should be a bulleted list of subsections. An outline of what these could be is:
Header
Personnel Writing
Dates
Customer
Engagement Dates
Reconnaissance Dates
Initial Compromise Dates
Post-Exploitation and Persistence Dates
Misc. Dates
Knowledge Required (Optional)
Reconnaissance
Initial Compromise
Post-Exploitation
Resource Requirements
Personnel
Hardware
Cloud
Misc
Operations Plan
The Operations Plan is a flexible document(s) which provides specific details on the engagement and actions occurring. This expands on the current CONOPS and should include a majority of specific engagement info, the RoE can be placed here depending on the structure/depth of the RoE.
This should follow a similar writing scheme to the resource plan, as always, there is no set standard for this, an example of what it could look like is:
Header
Personnel Writing
Dates
Customer
Halting/Stopping Conditions (May be in RoE depending on depth)
Required/assigned personnel
Specific TTPs and attacks planned
Communications plan
RoE (optional)
The most important addition to this is the communications plan, this should determine how the red cell communicate with the other cells e.g. via email or Slack etc.
Mission Plan
This is a cell-specific document which details actions to be completed by operators. The format of the document is dependent on the team as it is an internal document. Presentation can vary, it can be as simple as an email to all operators. The minimum detail this should include is:
Objectives
Operators
Exploits/Attacks
Target (Users/Machines/Objectives)
Execution Plan Variations
Last updated