Red Team Methodology

Red Team Methodology (RTM)

Red Team Methodology is unlike any other type of security methodology: a Red Team Methodology is defined by the Rules of Engagement.
A Red Team can replicate all or portions of a specific threat matrix in order to identify the strengths and weaknesses of the client’s overall security posture with respect to that model.
A Red Team is not confined to cyber security (pen-testing). In addition to the cyber realm, a Red Team tests the overall physical security, personnel (social hacking), perception, disaster preparedness, and other factors that may be applicable.

There is currently no NSA-sponsored methodology for conducting Red Team activities; each engagement is customized to the individual needs of the client.
Simulating the appropriate adversary, the Red Team tests every possible security scenario until it manages to break in, within the limits defined by the scope. Red Team activities are NOT comprehensive.
We’re trying to find a way in, through any path possible.
In most real-world cases, this means that we sit outside the client network and organization, trying to find a way in that has not been locked down.

Phases of the Red Team Methodology

Pre-Red Team Phase
  Create Rules of Engagement
  Legal Coordination
  Determine Red Team Scope
  Develop Red Team Plan
  Identify Systems and Boundaries
  On-Site Visit Coordination

Site Red Team Phase
  Site In-Brief
  Red Team Testing
    - Scoped Baseline Activities / Testing
  Site Out-Brief

Post-Red Team Phase
  Conduct Final Analysis
  Consult Additional Expertise
  Generate Final Report
  Create Security Road Map
  Deliver Final Report
  Follow Up with Customer
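The Pre-Red Team Phase items "Determine Red Team Scope" and "Identify Systems and Boundaries" only protect the client if the team actually checks targets against them during the Site Red Team Phase. The following is an added example, not code from the original page: an in-scope check using only the Python standard library. The plain-text scope format (allow/deny/window lines), the function names and the sample addresses are assumptions constructed for this example; the page describes no file format, only that the Rules of Engagement and scope define what may be tested.

```python
"""Added example (not part of the original page): an in-scope check that a
red team runs before touching any host. Scope file format, names and sample
data are constructed assumptions, not a standard."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Scope:
    """Constructed scope model: allowed networks, explicit exclusions,
    and the agreed testing window from the Rules of Engagement."""
    allowed: list
    excluded: list
    window_start: datetime
    window_end: datetime


def parse_scope(text):
    """Parse a constructed plain-text scope file into a Scope.
    Lines: 'allow <cidr>', 'deny <cidr>', 'window <iso> <iso>'.
    '#' starts a comment. Unknown directives raise, so a typo never
    silently widens the scope."""
    allowed, excluded = [], []
    start = end = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "allow" and len(parts) == 2:
            allowed.append(ipaddress.ip_network(parts[1], strict=False))
        elif parts[0] == "deny" and len(parts) == 2:
            excluded.append(ipaddress.ip_network(parts[1], strict=False))
        elif parts[0] == "window" and len(parts) == 3:
            start = datetime.fromisoformat(parts[1])
            end = datetime.fromisoformat(parts[2])
        else:
            raise ValueError(f"unrecognised scope line: {raw!r}")
    if start is None or end is None or not allowed:
        raise ValueError("scope must define at least one allow and a window")
    return Scope(allowed, excluded, start, end)


def in_scope(scope, target, when):
    """Return (ok, reason). Exclusions win over allows, and nothing is in
    scope outside the agreed testing window."""
    addr = ipaddress.ip_address(target)
    if not (scope.window_start <= when <= scope.window_end):
        return False, "outside testing window"
    if any(addr in net for net in scope.excluded):
        return False, "explicitly excluded"
    if any(addr in net for net in scope.allowed):
        return True, "allowed"
    return False, "not listed in scope"


# Constructed sample scope file (RFC 5737 documentation addresses only).
SAMPLE_SCOPE = """
# Rules of Engagement extract, constructed for this example
allow 192.0.2.0/24        # customer DMZ
allow 198.51.100.0/25
deny  192.0.2.10/32       # production database, out of bounds
window 2024-03-04T08:00:00 2024-03-08T18:00:00
"""


def demo():
    """Run the check over four constructed targets and return the results."""
    scope = parse_scope(SAMPLE_SCOPE)
    during = datetime(2024, 3, 5, 10, 0)
    after = datetime(2024, 3, 9, 10, 0)
    return {
        "dmz_host": in_scope(scope, "192.0.2.20", during),
        "excluded_db": in_scope(scope, "192.0.2.10", during),
        "unlisted": in_scope(scope, "203.0.113.5", during),
        "after_window": in_scope(scope, "192.0.2.20", after),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'IN' if ok else 'OUT'} ({why})")
```

The ordering of the checks is the design point: the testing window is checked first, then explicit exclusions, and only then the allow list, so an address that appears in both an allow and a deny line is always refused. Rejecting unknown directives rather than ignoring them keeps a mistyped scope file from quietly passing hosts the client never agreed to.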

RTM Activity

As the team members start out, they look specifically for the easiest potential targets on the client network, those that could provide the easiest path into the network. As they progress, only vulnerabilities along that path are analyzed, leaving potential vulnerabilities on other paths untested, unaltered, and intact.
At the end of the process, the client receives a report detailing how the intrusion occurred and what vulnerabilities were taken advantage of, but all other potential vulnerabilities remain hidden away on the network.