
Red Team operations: Best practices

Introduction

The goal of a Red Team assessment is to find as many vulnerabilities as possible in the customer’s current security setup. In general, this is accomplished through lateral thinking: trying different types of attacks and considering how particular defenses can be bypassed. However, some best practices exist for ensuring that both the Red Team and the customer have a good assessment experience.

Red Team best practices

Take time to plan

One of the most important things to do when performing a Red Team assessment is to take the time to plan out operations in advance. While the details of a particular engagement will depend on the customer’s environment, it is important to think through potential plans of attack that the Red Team can try before the engagement begins. By planning out the initial phases and assigning roles, the Red Team ensures that the customer receives a comprehensive test during the engagement.

This planning should be performed at least partially in concert with the members of the customer’s organization who are aware of the assessment. Discussing potential attack vectors with the customer allows them to explicitly approve or reject particular types of attacks (such as social engineering or testing physical security).

Get it in writing

At the end of the planning stage of the assessment, it is important that the Red Team has a mutually signed document outlining the rules of engagement for the assessment. The Red Team should have discussed potential attack vectors with the customer and gotten the green light for any tactics that they plan to use.

Without a shared understanding of the rules of engagement, incidents can occur like the arrest of two members of the Coalfire Red Team while performing a security assessment at an Iowa courthouse. The pair was arrested (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/z2wJ7L0nfrY/