The lifecycle of a red team engagement
Learn about different phases involved in the lifecycle of a red team engagement.
A typical red team engagement includes the following seven phases:
Pre-Planning - This phase begins when the organization acknowledges the need to conduct a red team engagement. The next step in this phase is to decide whether the engagement will be conducted by an internal team or by a red team service provider. After that, the key stakeholders for the engagement are identified. These are the people who will be made aware of the engagement and will take on roles such as white cell, trusted agent, red team lead, red team operators etc.
Planning - This phase begins when all pre-requisites for the engagement are in place and the stakeholders are ready to get into further discussions pertaining to cost and funding, scoping, roles and responsibilities, timelines and frequency. Rules of engagement are also drafted and finalized in this phase. Depending upon the scope, the following will also be decided:
Execution - This is when the red team gets into the trenches and begins operations as per the chosen methodology. During this phase, the red team sets up its C2 infrastructure, selects tools as per the threat profile, makes sure its playbooks and standard operating procedures are updated and available to the relevant personnel, establishes communication with the respective stakeholders and conducts operations until the objective is achieved or the time runs out. It is also important that the red team lead establishes procedures for maintaining and verifying operator logs (what was run, by whom, from where, against which target, and when), and puts appropriate controls in place to protect the data collected during the engagement.
Culmination - This phase begins once the timeline for execution has expired or the objective has been achieved. Key activities in this phase include clean-up of the target environment to avoid future impact from unwanted execution of tools or C2 agents, verification of operator logs for consistency and completeness, and pre-report briefings to the executive team and the technical team.
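The operator-log verification mentioned under Execution and Culmination is easy to automate once the log has a fixed shape. The script below is an added example, not code from this page or from any particular red team framework: it assumes a JSON-lines log with the fields ts, operator, source_ip, target, action and result (plus an optional artifact field for anything dropped on a host), and a rules-of-engagement record holding the approved time window, in-scope networks, operator names and attack-infrastructure IPs. All sample log entries and ROE values are constructed for the example. It flags entries that are missing fields, fall outside the approved window, come from unapproved infrastructure or operators, hit out-of-scope targets, or are out of chronological order for an operator, and it collects every recorded artifact into the clean-up list the culmination phase needs.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Engagement parameters as they might be fixed in the rules of engagement.
# All values below are constructed for this example.
ROE = {
    "window": (
        datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
        datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc),
    ),
    "scope": [ipaddress.ip_network("10.20.0.0/24")],
    "operators": {"op1", "op2"},
    "source_ips": {"198.51.100.7", "198.51.100.8"},
}

# Fields every operator log entry must carry (an assumed format, not a standard).
REQUIRED = ("ts", "operator", "source_ip", "target", "action", "result")

# Constructed operator log, one JSON object per line.
SAMPLE_LOG = [
    '{"ts": "2024-03-04T09:02:11Z", "operator": "op1", "source_ip": "198.51.100.7", "target": "10.20.0.15", "action": "nmap -sS -p 445 10.20.0.15", "result": "445/tcp open"}',
    '{"ts": "2024-03-04T09:15:40Z", "operator": "op1", "source_ip": "198.51.100.7", "target": "10.20.0.15", "action": "upload implant to /tmp/agent", "result": "ok", "artifact": "/tmp/agent"}',
    '{"ts": "2024-03-04T22:30:00Z", "operator": "op2", "source_ip": "198.51.100.8", "target": "10.20.0.15", "action": "sudo -l", "result": "ok"}',
    '{"ts": "2024-03-04T10:00:00Z", "operator": "op2", "source_ip": "198.51.100.8", "target": "10.99.0.3", "action": "smbclient -L 10.99.0.3", "result": "denied"}',
    '{"ts": "2024-03-04T10:05:00Z", "operator": "op2", "source_ip": "198.51.100.8", "target": "10.20.0.16", "action": "whoami"}',
    'not json at all',
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp; accept a trailing Z for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def verify_log(lines, roe):
    """Check operator log entries against the ROE.

    Returns {"findings": [(line_no, message), ...],
             "artifacts": [(target, path), ...]}
    The artifacts list feeds the culmination clean-up checklist.
    """
    findings = []
    artifacts = []
    last_ts = {}  # operator -> timestamp of that operator's previous entry
    start, end = roe["window"]

    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((n, "entry is not valid JSON"))
            continue

        missing = [f for f in REQUIRED if f not in entry]
        if missing:
            findings.append((n, "missing fields: " + ", ".join(missing)))

        op = entry.get("operator")
        if "ts" in entry:
            try:
                ts = parse_ts(entry["ts"])
            except ValueError:
                ts = None
                findings.append((n, "unparseable timestamp"))
            if ts is not None:
                if not start <= ts <= end:
                    findings.append((n, "action outside the approved window"))
                # Entries are appended as actions happen, so each operator's
                # timestamps must not go backwards; a regression suggests a
                # late or reconstructed entry that needs a second look.
                if op in last_ts and ts < last_ts[op]:
                    findings.append((n, f"timestamp earlier than {op}'s previous entry"))
                last_ts[op] = ts

        if op is not None and op not in roe["operators"]:
            findings.append((n, f"unknown operator {op}"))
        src = entry.get("source_ip")
        if src is not None and src not in roe["source_ips"]:
            findings.append((n, f"source {src} is not approved attack infrastructure"))

        target = entry.get("target")
        if target is not None:
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                findings.append((n, f"target {target} is not an IP address; verify scope manually"))
            else:
                if not any(addr in net for net in roe["scope"]):
                    findings.append((n, f"target {target} is out of scope"))

        if entry.get("artifact"):
            artifacts.append((target, entry["artifact"]))

    return {"findings": findings, "artifacts": artifacts}


if __name__ == "__main__":
    report = verify_log(SAMPLE_LOG, ROE)
    for line_no, msg in report["findings"]:
        print(f"line {line_no}: {msg}")
    print("artifacts to clean up:", report["artifacts"])
```

Run against the constructed log, the check reports the out-of-window entry on line 3, the out-of-order and out-of-scope entry on line 4, the missing result on line 5 and the unparseable line 6, and lists /tmp/agent on 10.20.0.15 for clean-up. In a real engagement the ROE values would come from the signed rules of engagement rather than being hard-coded, and the findings would be reviewed by the red team lead with the white cell before the log is accepted as the engagement record.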
Reporting - During this phase, the engagement report is created and distributed to the stakeholders involved in the engagement. It also involves an in-person or virtual briefing to stakeholders on the key observations from the engagement. The stakeholders may then discuss the findings with the relevant teams and decide on the next course of action.
Remediation - During this phase, the organization takes note of the observations from the engagement and implements controls to remediate them. It is important to note that the organization may choose to implement only a subset of the remediation controls recommended by the red team. This decision will be made based on the cost vs value trade-off.
Validation - In the final phase, the organization tasks the red team that conducted the engagement, or an external team, to validate the implementation of the remediating controls.
Red Team Notes
A typical red team engagement includes the following seven phases:
- Pre-planning
- Planning
- Execution
- Culmination
- Reporting
- Remediation
- Validation
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
To learn more about phases of a red team engagement, I recommend that you check out the following books: