Advertisement
joemccray

Building a red team

Jul 19th, 2019
1,799
1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.39 KB | None | 1 0
  1. #######################
  2. # Building A Red Team #
  3. #######################
  4. --------------------------------------------------------------------------------
  5. A good Red Team Overview document:
  6. https://www.contextis.com/media/downloads/Context_Red_Teaming_Guide.pdf
  7.  
  8.  
  9. Red Team Program Goals:
  10. Here are some references that you can use to derive your Red Team program goals from. These will serve as the foundation for building your Red Team charter.
  11.  
  12. https://www.synopsys.com/content/dam/synopsys/sig-assets/case-studies/red-teaming-financial-services.pdf
  13. page 4
  14.  
  15. https://abs.org.sg/docs/library/abs-red-team-adversarial-attack-simulation-exercises-guidelines-v1-06766a69f299c69658b7dff00006ed795.pdf
  16. page 11 - 13
  17.  
  18.  
  19. Red Team Technical Goals:
  20. If you are just looking for some really generic goals that you can use to measure the performance of technical people I think you should consider:
  21.  
  22. Task 1: Integrate Blue Team/Threat Intel data
  23.  
  24. Task 1a: Work with Blue Team and Threat Intel (Internal and/or External) to understand the threats facing the organization, and its assets.
  25. Task 1b: Then craft attack campaigns that emulate these threats/threat actors.
  26. Reference:
  27. https://www.slideshare.net/HaydnJohnson/how-to-plan-purple-team-exercises
  28. Task 1c: Theorize how Blue Team/SOC should be able to detect these types of threats.
  29. Task 1d: Work with Blue Team/SOC representatives so they can understand the campaign objectives
  30.  
  31. Interval: Quarterly:
  32. Evaluation Criteria: How well does the RT work with the other teams to create realistic campaigns
  33.  
  34.  
  35. Task 2: Attempt to avoid detection during campaigns
  36.  
  37. Task 2a: Work with Blue Team/SOC to determine how the Red Team was detected if at all (External gateway security appliance, proxy solution, network security appliance, AV, endpoint security solution, etc).
  38. Task 2b: Determine how well the RT was able to determine what tool/process should have detected them
  39. Task 2c: Determine how well the Blue Team/SOC was able to tune their processes to detect the RT campaign
  40. Task 2d: Work with Blue Team/SOC representatives so they can understand the campaign objectives
  41.  
  42. Interval: Quarterly:
  43. Evaluation Criteria: How well does the RT successfully accomplish the campaign objectives
  44. How well does the RT assist the Blue Team/SOC with improving detection/IR processes, and tuning of security products
  45.  
  46.  
  47. Task 3: Build internal knowledge base
  48.  
  49. Task 3a: Build an internal knowledge base that contains system build/configuration info for the entire Red Team Infrastructure
  50. Reference:
  51. https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki
  52. https://holdmybeersecurity.com/2018/04/30/tales-of-a-red-teamer-ub-2018/
  53. https://ired.team/offensive-security/red-team-infrastructure
  54.  
  55. Task 3b: Build an internal attack process wiki that has all of the command-line syntax, and references used for each campaign
  56. Reference:
  57. https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
  58. https://github.com/infosecn1nja/Red-Teaming-Toolkit
  59.  
  60. Task 3c: Build an internal R&D process
  61. Bug Bounty Methodology References:
  62. https://github.com/jhaddix/tbhm
  63. https://nullcon.net/website/archives/pdf/goa-2018/jason-tbhm2.pdf
  64. https://pentester.land/conference-notes/2018/08/02/levelup-2018-the-bug-hunters-methodology-v3.html
  65.  
  66. Mobile App References:
  67. https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet
  68. https://mitre-attack.github.io/attack-navigator/mobile/
  69.  
  70. Exploit Development References:
  71. https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Exploit_Dev.md
  72.  
  73. Interval: Quarterly:
  74. Evaluation Criteria: How thorough is the documentation, how well can this documentation be used for on-boarding new RT members
  75. How well does the RT assist the Blue Team/SOC with improving detection/IR processes, and tuning of security products against attacks
  76.  
  77. ------------------------------------------------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement