Red Team Assessment Phases: Reconnaissance

The second phase of a red team assessment is reconnaissance. In this phase, the red team collects information relevant to the assessment while keeping as low a profile as possible. To perform effective, largely passive reconnaissance, the red team members need access to a variety of data sources and a means of organizing the collected information so that it is usable for the rest of the assessment.

Scoping the Phase

Every organization and red team assessment is different, and this is reflected in the way a red team does reconnaissance. Under some circumstances, a red team engagement may even be run as a white-box or gray-box assessment, mirroring the level of preparedness and information a particular adversary may have. In a white-box red team assessment, the red team is provided all relevant information about the network and can use it to guide its reconnaissance efforts. In a gray-box or black-box assessment, the red team searches more blindly for relevant information about the organization.

The goals and methodologies of the reconnaissance phase are shaped by the goals of the assessment. The vast quantity of data available about an organization, its employees, and its business partners means that it is usually impossible to collect and analyze all of it.

To be effective, a red team performing reconnaissance must decide which questions it needs answered and look for data that helps answer them. For example, in an assessment that disallows social engineering, it is probably unnecessary to build a complete profile of the CEO and their personal habits. However, knowing that the CEO is a proponent of cloud services may point the team toward looking for AWS S3 buckets that are anonymously accessible and contain sensitive information.
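As an added illustration of turning one such question ("does this organization expose S3 buckets?") into a concrete reconnaissance step, the Python below is example code written for this page, not code from the original post or from Infosec Resources. It generates candidate bucket names from the organization name and keywords gathered earlier (product names, internal project names), validates them against the documented S3 naming rules, and classifies the responses an unauthenticated request to `https://<bucket>.s3.amazonaws.com/` would return. The organization name "Example Corp", the keyword list, the suffix list and the sample responses are all constructed for the demonstration; the response classification relies on the documented S3 error codes (`NoSuchBucket`, `AccessDenied`, `PermanentRedirect`, `InvalidBucketName`) and on the `ListBucketResult` element of a successful listing.

```python
"""Candidate S3 bucket names and response triage for red team reconnaissance.

Added example for this page (not the original author's code). The organization
name, keywords, suffix list and sample responses below are constructed.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Suffixes that commonly appear in real bucket naming conventions. This is an
# assumption for the example, not an authoritative wordlist.
SUFFIXES = ["backup", "backups", "dev", "staging", "prod", "data", "logs", "assets", "uploads"]

# Documented S3 rules: 3-63 characters, lowercase letters, digits, dots and
# hyphens, must start and end with a letter or digit, no adjacent dots.
BUCKET_NAME_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name


def candidate_bucket_names(org: str, keywords: List[str] = ()) -> List[str]:
    """Derive a de-duplicated, validated list of names worth probing."""
    stems = {re.sub(r"[^a-z0-9]", "", org.lower())}              # "examplecorp"
    stems.add(re.sub(r"[^a-z0-9]+", "-", org.lower()).strip("-"))  # "example-corp"
    for kw in keywords:
        stems.add(re.sub(r"[^a-z0-9]+", "-", kw.lower()).strip("-"))
    names, seen = [], set()
    for stem in sorted(stems):
        for name in [stem] + [f"{stem}-{s}" for s in SUFFIXES] + [f"{stem}{s}" for s in SUFFIXES]:
            if is_valid_bucket_name(name) and name not in seen:
                seen.add(name)
                names.append(name)
    return names


def classify_s3_response(status: int, body: str) -> str:
    """Map an unauthenticated GET of the bucket root to a reconnaissance finding."""
    if status == 200 and "<ListBucketResult" in body:
        return "public-listable"          # anonymous users can enumerate keys
    if status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "nonexistent"
    if status == 403 and "<Code>AccessDenied</Code>" in body:
        return "exists-private"           # name is taken (by someone), not anonymously readable
    if status == 301 and "<Code>PermanentRedirect</Code>" in body:
        return "exists-other-region"      # bucket exists; follow the Endpoint element
    if status == 400 and "<Code>InvalidBucketName</Code>" in body:
        return "invalid-name"
    return "unknown"


def triage(responses: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Group probed names by state so existing-but-private names are still recorded."""
    groups: Dict[str, List[str]] = {}
    for name, (status, body) in responses.items():
        groups.setdefault(classify_s3_response(status, body), []).append(name)
    return groups


def probe(name: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live probe (active, not passive): one unauthenticated GET per candidate.
    Not called in the offline demonstration below."""
    url = f"https://{name}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses standing in for what probe() would return.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "examplecorp": (403, '<?xml version="1.0"?><Error><Code>AccessDenied</Code></Error>'),
    "examplecorp-backup": (200, '<?xml version="1.0"?><ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                                '<Name>examplecorp-backup</Name><Contents><Key>db-dump.sql.gz</Key></Contents></ListBucketResult>'),
    "examplecorp-dev": (404, '<?xml version="1.0"?><Error><Code>NoSuchBucket</Code></Error>'),
    "examplecorp-logs": (301, '<?xml version="1.0"?><Error><Code>PermanentRedirect</Code>'
                              '<Endpoint>examplecorp-logs.s3.eu-west-1.amazonaws.com</Endpoint></Error>'),
}

if __name__ == "__main__":
    for name in candidate_bucket_names("Example Corp", ["Widget Cloud"])[:12]:
        print("candidate:", name)
    for state, names in triage(SAMPLE_RESPONSES).items():
        print(f"{state:20} {', '.join(names)}")
```

Two caveats a practitioner should keep in mind: each `probe()` call is an active request to AWS, so this sits at the noisier end of reconnaissance and must be covered by the rules of engagement, and an `exists-private` result only shows the name is taken somewhere, not that it belongs to the target, so it is a lead to record and corroborate rather than a finding.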

Achieving Phase Goals

The (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/B3ir3JYrR3c/