Methodology
Adversary Simulation Exercise & Red Team Engagement Guidelines
Last updated
Red Teaming Engagements (RTEs) are goal-driven (objective-based) and open-scoped. The intent of the exercise is not to identify and report vulnerabilities a network may have. The goals represent what real-world adversaries may want to obtain or understand by compromising the victim's network.
Exercise scenarios should be designed to target Live Critical Functions of the organisation and in a manner that is aligned with the motives of expected adversaries. Assessments in staged or otherwise non-live environments may influence the outcome of the exercise, and would not be representative of organizational cyber resilience against real world threats.
Exercise Duration will be determined by the complexity of the attack scenarios and the scale of the organisation being examined. Exercises may also be open-ended, meaning that there is no defined timing and the exercise is closed only upon achieving the goals.
Establish a White Team responsible for refereeing the engagement between Red Team and Blue Team, while maintaining Exercise Secrecy. All information related to the exercise should only be circulated and discussed within the White Team for the duration of the exercise. Keeping the scope, nature and timing of the exercise secret therefore provides a more accurate assessment of the capability of the Defenders to prevent, detect or respond to real-world or simulated cyber-attacks. To protect the secrecy of the exercise, the White Team should use code names to refer to the exercise, utilizing terms that do not reveal the existence or nature of the exercise.
This includes the escalation process and key persons for the escalation of any emergency issues encountered or caused during the exercise.
These protocols must define how data exposed or acquired during the exercise should be handled (e.g. usage, data protection and retention) prior to the exercise commencement. Generally, the Red Team should only present to the White Team a subset of data sufficient to validate achieved goals. This subset can be produced from smaller samples of acquired data that have been redacted to remove sensitive content. Ideally, all data verification should be performed by the business owner of that data set, whose role already includes access to this data. There should also be an agreed protocol to adequately protect the data which the Attackers may have access to.
Since RTEs are usually conducted against live production to assess real-world cyber resilience, they can involve high-risk activities which, when carried out on a production environment, could lead to uncontained impact resulting in damage greater than the benefit of the adversary simulation itself.
If the assessment indicates that risks arising from testing in the real-world environment are deemed excessively high and could result in operational failure, certain elements of testing could be performed in staged environments to minimize impact. This approach however does not allow for an accurate reflection of the organization’s security state and should only be used in circumstances of very high uncertainty of operational risk.
If such a simulated approach is chosen, high-risk activities can be conducted through coordinated actions on both the production and a replicated environment, i.e., obtaining access on production and then exercising the same level of access on the replicated environment to carry out the high-risk steps.
This process involves threat intelligence gathering to determine the probable Advanced Persistent Threat (APT) groups that will target the identified functions/assets and the TTPs that they will use.
These are the most probable steps that real-world attackers would use to compromise the identified Critical Functions. Additionally, attack scenarios should also include criteria for what constitutes a successful compromise of the critical function. Some examples of attack scenarios to simulate:
Social engineering an HR employee to hand out credentials for the Payroll System.
Trick a privileged user into deploying a backdoor on the Database Server.
Gain access to the Cloud Infrastructure or a certain File Server.
Bypass endpoint security controls, such as Anti-Virus (AV), Intrusion Detection System (IDS) & Endpoint Detection & Response (EDR).
Impair and disable the functionalities of defensive measures employed.
Evade detection by the SOC's security tools and processes.
Bypass of Secure Enterprise Access (Least Privilege - 2000, Tiered Administration - 2012, Enterprise Access Model - 2020)
Exfiltrate data using DNS protocol.
Applicative Accounts
Tier 0 Assets
Enterprise Admins
Domain Admins
Schema Admins
BUILTIN\Administrators
Account Operators
Backup Operators
Print Operators
Server Operators
Domain Controllers
Read-Only Domain Controllers
Group Policy Creator Owners
Cryptographic Operators
Distributed COM Users
Evidence Keeping is important as it is required to provide evidence that specific exercise goals have been achieved and to reproduce the methods used to achieve the goal. This can be done in several ways such as terminal logging, host-based logging, network logging, or packet capture.
To reduce risks during the attack execution phase, the Test-Halt Engagement Model can be applied. In practice this means deciding, at each step, whether a particular attack path should be pursued, paused or diverted, or whether the entire exercise should be paused or terminated, depending on the desired outcomes and potential adverse reactions.
In the event where publicly exposed vulnerabilities or evidence of prior compromise are discovered, the Red Team should immediately escalate such findings to the White Team for investigation and deliberation on the future course of the exercise, even if this requires halting or pausing of the exercise.
The primary objectives of clean-up activities and tactical vulnerability containment are to remediate immediate issues found during the exercise, as well as to eradicate any left-over attack tools and artifacts so that the environment is returned to a secured state.
A Joint Post-Attack Exercise can be organized to enable a step-by-step replay of the attack, either as a table-top or lab exercise for the Blue Team’s learning benefit, or in the actual live environment, to demonstrate failed controls in real time. In addition, the replay could include some hypothetical attack simulation for the benefit of the Defenders: the Attackers would then explain other steps they could have taken along an alternative path, and the steps they would have taken had they had more time or resources.