Red Team Assessment Phases: Establishing Foothold and Maintaining Presence

In the previous phase, the goal was to gain initial access to the target network. The focus of this phase is to expand that access to the level necessary for achieving the objectives of the assessment. Common goals of this phase include ensuring continued access to the target network, establishing covert communications channels, and expanding and deepening the red team’s foothold on the network.

Scoping the Phase

The goal of this phase is to move from initial compromise of a network to a position where it is possible to achieve operational objectives. At this point, careful data gathering and analysis should be performed to determine what types and levels of access are necessary for the success of the assessment. If, for example, domain administrator access to the network is not necessary for the assessment, pursuing it is a waste of the red team’s time and may increase their probability of detection. The red team should carefully consider each goal of this phase and determine whether it is necessary before attempting it during an assessment.

Achieving Phase Goals

The goal of this phase is to move from initial access to a network (with potentially limited privileges and scope) to the level of access and control necessary to achieve the objectives of the assessment. Steps in doing so include ensuring continued access to the target network, establishing communication channels and establishing a beachhead on the network.

Ensuring Access

The first goal for this phase is ensuring that the red team retains access to the target network throughout the engagement. If the red team loses access at some point in the assessment, they will have to start over with gaining access to the network, which may be more complicated if the security team is now aware of the attack.


*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/eMlLwUzSmGM/