November 24 2020
A successful cybersecurity assessment starts well before any report is delivered, even before testers are allowed anywhere near a company’s network, application or device.
Success all starts at the planning stage.
This is especially true of a red team engagement. Given the high level of investment, both in terms of time and money, it’s essential that the planning stage is conducted in a rigorous and robust manner, ensuring that the desired outcomes are achieved and that business objectives are met.
But, how do you go about planning for a successful red team test? We explore just some of the ways you can get the most from red teaming.
Gather as much internal information as you can
It’s important to gather as much information as possible before you start any red team assessment and you’ll need to do the best you can with the time that you have. But what information should you collect and how should this be presented? We would suggest the following information split over two key pre-test documents.
1. The scoping document
A scoping document is the overall business document and is designed to give a high-level overview of the test, why it’s being conducted and what is to be delivered. It gives people who may sit outside of the testing process, especially board level decision makers, enough information to assess the value to the business and to understand the rationale for undertaking such a test.
So, what information should this document include?
- The overall rationale for conducting the test
- Who will be performing the test – is it being conducted by an internal team, or is an external vendor going to conduct the red team assessment?
- What is the value-add – how is this test going to benefit the business as a whole?
- Data handling – what data will the test access and is approval needed for this?
- What are we targeting specifically?
- The rules of the engagement – what is within the scope and what’s out of scope?
- Are there any specific goals or flags in the test?
- Test prerequisites – do we need to create users or get sign off from any third-party suppliers?
- Deliverables – what will we get at the end, and how is it going to be delivered?
- Who will have security clearance to read the final report? Will separate reports need to be produced for different security levels?
- Test costs and timelines
2. Survey document
A survey document provides a more detailed, technical view of the test to be undertaken. This document is designed solely for those involved in the test process.
This can include:
- Points of contact – outline the details of internal contacts and external contacts. At least two is a good start, but for a red team you might want to include four or five contacts, ensuring there is clear communication if any issues arise from either side.
- URL/IP info on all systems involved
- Description of target – who uses it, what information does it hold, what is its exact function?
- The rules of engagement – these need to be more specific than those in the scoping document and can include information such as:
  - Can the red team move laterally through the system?
  - Should vendors attempt to defeat defensive measures if they come up against them?
  - Can the red team attempt to take the target offline?
- What is the environment to be tested – is it a live system, is it public facing? Who tested it before and when? Is the test being conducted remotely or on-site?
- Where is the target being hosted and by whom?
- Who wrote and developed it?
- Users – how many are there? What user roles are in place? How many pages are being tested?
- Final details – are there any user/setup guides, do we have an existing network diagram?
- Technologies in use – are there any antivirus products, SSL/TLS configurations or programming languages the testers need to be aware of?
It’s best to validate as much of this information as possible before sending it out to a third-party vendor.
Working closely with your testing provider
Once you have the internal information in place and have achieved internal buy-in, now is the time to get your external testing provider involved in the pre-test process.
An external vendor should work closely with you to understand your overall business objectives and to validate and interrogate the information you have gathered, outlining the best possible test routes to ensure you are getting the right outcomes for your business.
Here at Secarma, we see pre-test planning as the vital first stage of any red team process and our dedicated team will work closely with you to ensure every aspect of the engagement has been correctly set out before we engage in any testing.