Red Team Report Writing: Moving Past General Observations

Nick VanGilder
nickvangilder
2 min read · Dec 2, 2023


When writing red team engagement reports, it’s relatively easy to explain what the team did, how they did it, and the results of those actions. This is why most reports emphasize these areas at great length. However, to really set your reports apart from the rest and provide maximum value, you should move past making general observations and invest time in reflecting on the results of the operation and contextualizing those results for the organization.

For example, let’s say the red team crafted clever phishing emails, and those phishing emails made it past email security controls and filters to successfully land in employee inboxes. The emails were convincing enough that many employees clicked on them and logged into the company’s Okta portal through the red team’s reverse proxy, leading to the capture of Okta session tokens. Red team operators then used the session tokens to gain access to multiple, Okta-protected applications.

All of this may be impressive from a red team perspective, but it would be a bit self-serving if we didn’t spend time helping engagement stakeholders understand why we think the emails made it past security controls, why the phishing sites were allowed through the corporate web proxy, and why suspicious Okta activity was not detected.

A good report will explore these areas and provide perspective — even if it’s just from a red team point of view (just be upfront about this in the report).

Further, once the “why” is understood, it allows you, as the report author, to offer your professional opinion on the maturity of different key functions. For example, if Okta-specific detections were non-existent, what does the lack of Okta-specific monitoring and alerting tell you about the overall maturity of the detection and response function at the organization?

  • Are there other datapoints that provide insight into detection and response maturity?
  • How might that lack of maturity open up the company to risk?
  • Is that risk elevated when considering the current threat landscape? Has the company recently moved to Okta?

Talk to stakeholders to collect the answers you need and then speak to all of this in the report. Offer your professional opinion. This is where you provide value and set yourself apart from the rest of the pack.
