THM Red Team Engagements

Dehni, published in Dehni’s Notes, Oct 29, 2023 (3 min read)

Red Team Engagements Module Notes

Defining Scope and Objectives

The key to a successful engagement is clearly defined client objectives or goals. Client objectives should be discussed between the client and red team to create a mutual understanding between both parties of what is expected and provided. Set objectives are the basis for the rest of the engagement documentation and planning.

Engagements can be categorized as either a general internal/network penetration test or a focused adversary emulation. A focused adversary emulation defines a specific APT or group to emulate within the engagement, typically chosen from the groups known to target the client’s industry (e.g., financial institutions and APT38). An internal or network penetration test follows a similar structure but is often less focused and uses more standard TTPs.

The specifics of the approach will depend on a case-by-case basis of the engagement defined by the client objectives.

The scope of an engagement varies by organization and by what its infrastructure and security posture look like. A client’s scope typically defines what you cannot do or target; it can also define what you can do or target. While client objectives can be discussed and determined together with the red team, the scope should only ever be set by the client.

An example of the verbiage a client’s scope may use:

No exfiltration of data.

Production servers are off-limits.

10.0.3.8/18 is out of scope.

10.0.0.8/20 is in scope.

System downtime is not permitted under any circumstances.

Exfiltration of PII is prohibited.

Answers:

1- 10.0.4.0/22

2- y

3- n
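A scope checker, added here as an example and not part of the original notes or the TryHackMe module, that parses the CIDR statements in the scope above and reports whether a candidate target may be touched. The rules that are not about addresses (exfiltration, downtime, production servers) are skipped because they cannot be checked automatically, and the most-specific-rule-wins policy plus the overlap report are assumptions of this example: any overlap it reports should be resolved with the client before any target is touched.

```python
import ipaddress
import re

# Constructed scope text, modelled on the verbiage in the notes above.
SCOPE_TEXT = """
No exfiltration of data.
Production servers are off-limits.
10.0.3.8/18 is out of scope.
10.0.0.8/20 is in scope.
System downtime is not permitted under any circumstances.
"""

RULE_RE = re.compile(r"^\s*(\S+)\s+is\s+(in|out of)\s+scope\.?\s*$", re.IGNORECASE)


def parse_scope(text):
    """Return (network, allowed) pairs from 'X is in/out of scope' lines.

    Sentences that are not address rules are skipped here but still bind
    the engagement. Host bits in a CIDR such as 10.0.3.8/18 are masked off
    (strict=False), so the recorded network shows what was really granted.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            rules.append((net, m.group(2).lower() == "in"))
    return rules


def in_scope(target, rules):
    """Assumed policy: the most specific matching rule wins, a tie goes to
    'out of scope', and an address matching no rule is out of scope."""
    addr = ipaddress.ip_address(target)
    best = None
    for net, allowed in rules:
        if addr in net:
            key = (net.prefixlen, not allowed)  # longer prefix wins; ties favour "out"
            if best is None or key > best[0]:
                best = (key, allowed)
    return best is not None and best[1]


def overlaps(rules):
    """In-scope/out-of-scope network pairs that overlap; confirm these with the client."""
    return [(a, b) for a, a_ok in rules for b, b_ok in rules
            if a_ok and not b_ok and (a.subnet_of(b) or b.subnet_of(a))]
```

Run against the scope text above, the checker reports that the in-scope /20 sits entirely inside the out-of-scope /18, which is exactly the kind of ambiguity to settle in writing before the engagement starts.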

Rules of Engagement

Rules of Engagement (RoE) are a legally binding outline of the client objectives and scope, with further details of the engagement expectations between both parties. This is the first “official” document in the engagement planning process and requires proper authorization from both the client and the red team. This document often acts as the general contract between the two parties; an external contract or other NDAs (Non-Disclosure Agreements) can also be used.

Answers:

1- 3

2- phishing

3- n

Campaign planning takes the information gathered from the client objectives and the RoE and applies it to the various plans and documents that define how and what the red team will do.

The Concept of Operation (CONOPS) is a part of the engagement plan that details a high-level overview of the proceedings of an engagement; we can compare this to an executive summary of a penetration test report. The document will serve as a business/client reference and a reference for the red cell to build off of and extend to further campaign plans.

As with most red team documents, there is no set standard for a CONOPS; below is an outline of the critical components a CONOPS should include:

  • Client Name
  • Service Provider
  • Timeframe
  • General Objectives/Phases
  • Other Training Objectives (Exfiltration)
  • High-Level Tools/Techniques planned to be used
  • Threat group to emulate (if any)

Answers:

1- 1 month

2- 3 weeks

3- cobalt strike
