:fire: :fire_engine: Planning a Red Team exercise

This document helps inform red team planning by contrasting your plan against the very specific red team style described in Red Teams. That style carries several deliberate biases that optimize for blue team value and enthusiasm, and it specifically avoids trying to motivate the blue team through punishment.

Review the questions below to test whether your red team planning has been thought through thoroughly enough to deliver value to your blue team.

:x: Negative motivations

The following are common reasons for driving a red team exercise, but each damages morale or team cohesion. If these are your goals, an exercise may be the wrong tool.

:thumbsup: Stakeholders

Nothing is more wasteful than an exercise with no sponsorship or follow-up from leadership or influencers. Make sure the lessons of an exercise are championed by an enthusiastic group of stakeholders, and that this group is kept informed and can generate momentum.

:date: Time estimations

You can project how much time to allocate from this planning phase through to the end of a mitigation phase, or to some point in between. Time expectations depend heavily on the decisions made in each phase.

:family: People

Identify everyone who may need to know the Red Team's plans and secrets. This is where you mitigate any "Break Glass" risk: have contact details ready so the exercise can be halted and the team pivoted to a real incident if an emergency arises.

:chart_with_downwards_trend: Strategy

Decide where you are going to accumulate value from this experience. There are tradeoffs everywhere, and many of them will not scratch the itch you are trying to address with an exercise.

:wrench: Attack Design

An attack represents the risks you're trying to mitigate, the incident you're trying to practise handling, or the individuals you're hoping to include in the response. Each of these decisions carries a planning burden that is best identified as early as possible.

:rotating_light: Incident Response

If you can foresee how mature your response process will be, you can shape the response for greater benefit. An immature response team can be heavily guided by the Game Master, while a mature response team can be left alone so that friction points in coordination and communication surface on their own.

:mag: Red Team Reveal

The Blue Team will have all kinds of questions for the red team. Done correctly, this can be a moment of excitement. Keeping this relationship healthy is critical: the red team should be viewed as an invaluable sparring partner, or better yet, a rabbit to chase.

:skull: Post Mortem

A high quality post mortem will inform months of roadmapped security work, and calibrate everyone on a mission through a shared experience.

:baby: Small Exercises

You can keep an exercise small and with minimal involvement of others. Be creative.

Simply have a team member simulate an incident that you think you could successfully respond to. For instance, install a piece of software that has auto-update functionality and pretend it is malware. Then "hunt" for its "C&C", which is really just its update beacon. Can you prove that it is isolated to this host and not present on others?
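The beacon hunt described above, as an added example that is not part of the original page: it runs over a constructed set of outbound-connection log lines, flags any host/destination pair that is contacted on a near-fixed cadence (the "C&C" beacon of the pretend malware), and then answers the scoping question by listing every host that contacted that destination at all. The log format, host names and the update domain `updates.example-vendor.test` are all constructed for the example.

```python
"""Hunt for a simulated C&C beacon in constructed outbound-connection logs.

Added example for the 'install an auto-updater and pretend it is malware'
exercise. Nothing here is the page's own tooling; the log format, hosts and
the destination domain are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log lines: "<ISO timestamp> <host> <destination>".
# ws-17 runs the pretend malware; ws-31 has touched the same domain once.
LOG_LINES = """
2024-03-01T09:00:00 ws-17 updates.example-vendor.test
2024-03-01T09:00:03 ws-17 cdn.example-site.test
2024-03-01T09:15:00 ws-17 updates.example-vendor.test
2024-03-01T09:21:40 ws-22 mail.example-corp.test
2024-03-01T09:30:00 ws-17 updates.example-vendor.test
2024-03-01T09:31:12 ws-22 cdn.example-site.test
2024-03-01T09:45:00 ws-17 updates.example-vendor.test
2024-03-01T10:00:00 ws-17 updates.example-vendor.test
2024-03-01T10:02:50 ws-22 mail.example-corp.test
2024-03-01T10:15:00 ws-17 updates.example-vendor.test
2024-03-01T10:20:00 ws-31 updates.example-vendor.test
"""


def parse(lines):
    """Turn the constructed log text into (timestamp, host, destination) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, host, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, dest))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {(host, dest): mean_interval_seconds} for pairs that talk on a
    near-fixed cadence.

    Jitter is the population stdev of inter-arrival gaps divided by their mean;
    a real update check or a C&C beacon both sit near zero, while ordinary
    browsing traffic does not. Pairs with fewer than min_hits contacts are
    skipped because a cadence cannot be established from them.
    """
    by_pair = defaultdict(list)
    for ts, host, dest in events:
        by_pair[(host, dest)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def hosts_contacting(events, dest):
    """Scoping check: every host that reached the suspected C&C, even once."""
    return sorted({host for _, host, d in events if d == dest})


def hunt(lines):
    """Run the hunt and return, per beaconing destination, the hosts that
    beacon to it (with interval) and every host that contacted it at all."""
    events = parse(lines)
    report = {}
    for (host, dest), interval in find_beacons(events).items():
        entry = report.setdefault(
            dest, {"beaconing_hosts": [], "all_hosts": hosts_contacting(events, dest)}
        )
        entry["beaconing_hosts"].append((host, interval))
    return report


if __name__ == "__main__":
    for dest, info in hunt(LOG_LINES).items():
        print(f"suspected C&C: {dest}")
        for host, interval in info["beaconing_hosts"]:
            print(f"  beaconing host: {host} every {interval:.0f}s")
        print(f"  all hosts that contacted it: {', '.join(info['all_hosts'])}")
```

The interesting output for the exercise is the scoping line: the cadence analysis only implicates ws-17, but the contact list also shows ws-31, so "it is isolated to this host" is not yet proven and the hunt has a follow-up. Tune `min_hits` and `max_jitter` to your own log volume; real beacons often add deliberate jitter, so a tight threshold will miss them.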

Or, have a team member make an "unauthorized change", and pull together an incident timeline that documents the event and the follow-ups that would matter.

Just be sure to document your findings, your lessons, and your follow-ups so you can present them to others. Red team exercises are not valuable if their lessons stay isolated, and they don't need to be complicated.