Now, let’s look in more detail at what it takes to plan and execute an effective Red Team exercise in three phases – setup, execution, and after action.

Before the project starts is the most critical element of a Red Team exercise. During the planning phase, the Red Team and CSP should be in active discussions to design realistic attack scenarios paired with actionable target objectives based on the target landscape and operational posture of the CSP security program. Remember, we’re looking at the organization’s overall landscape and how that intersects with the CSO, not just the CSO itself.

Planning attack scenarios should not be arbitrary. Scenarios should be informed by an understanding of what the relevant and likely avenues for access an attacker is likely to traverse in a real compromise scenario. When available, up-to-date threat intelligence and threat research should be used to help shape the most useful scenarios for the target organization. Similarly, the objectives associated with these attack scenarios should also reflect the internal control boundaries present within the target environment. Objectives should be reasonably specific so that actionable information can be gathered on log telemetry, proactive detection, and response posture in the event of a live compromise. 

Here’s an example of an internal compromise scenario and objective:

An understanding of attacker methods and those used against a particular type of organizational target are an element to consider here. Wherever we can ground attack scenarios in observed attacker behavior versus theoretical avenues of attack, we should do it. Fortreum highly recommends this is included as part of scoping and objective setting. 

Ceded access, while often overlooked, is also an important approach here. It will likely be necessary to intentionally place the Red Team into specific access contexts to effectively exercise key objectives to accurately assess the CSP’s preventive, detection, and response capabilities. 

The lifting here is almost entirely on the Red Team. Their responsibility is to tailor tooling and methods to simulate attacker behavior, suitable to the specified objectives, to the degree necessary to both identify technical gaps and observe the detection and response posture of security operations. This means realistic command and control, remaining conscious of likely detection points during reconnaissance and actions on objectives, and selectively triggering events to initiate a security response. 

The target organization should not modify their standing security posture (unless necessary to enable certain objectives) and respond to events in a realistic manner. This is called an “exercise” for reason, it’s a live opportunity to play out (at least part of) a realistic breach scenario to see what is or isn’t working. Having both perspectives on the activities performed during the exercise will only improve the result.

When the exercise is over, the work isn’t done. The Red Team and CSP Security Team should collaboratively review the results – what objectives were met, methods used and their effectiveness within the environment, telemetry and alert data capturing Red Team activity, etc. Then, collaboratively discuss how these elements describe the posture of the security program. From that discussion the Red Team should provide both tactical and strategic recommendations targeting specific control enhancements and overall program improvement for the CSP.

As far as what to expect in an actual report, expect it to describe the methodology and activities slated to be performed, outline a schedule of testing activities, organizational resources performing the test, escalation and deconfliction procedures, and appropriate authorizations from the CSP. The report should summarize the test results, outline the exercised attack path(s), annotate any findings, and provide associated recommendations for remediation. 

Don’t expect an exhaustive list of vulnerabilities, remember this isn’t a penetration test.