Red Team Methodology (RTM)
Red Team Methodology is unlike any other type of security Methodology. A Red Team Methodology is defined by “The rules of engagement”.
A Red Team can replicate all or portions of a specific threat matrix in order to identify the strengths and weaknesses of the client’s overall security posture with respect to that model.
A Red Team is not just confined to cyber security (pen-testing) In addition to the cyber realm, A Red Team tests the overall physical security, personnel (social hacking), perception, disaster preparedness, and other factors that may be applicable.
There is currently no NSA sponsored methodology for conducting Red Team activities, each is customized based on the individual needs of the client.
Simulating the appropriate adversary, the Red Team test every possible security senario until it manages to break in as defined by the scope. Red Team activities are NOT comprehensive.
We’re trying to find a way in, through any path possible.
In most real-world cases, this means that we sit outside the client network and organization, trying to find a way in that has not been locked down.
Phases of the Red Team Methodology
|Pre-Red Team Phase||Site-Red Team Phase||Post-Red Team Phase|
|Create Rules of Engagement||Site In-Brief||Conduct Final Analysis|
|Legal Coordination||Red Team Testing||Consult Additional Expertise|
|Determine Red Team Scope||- Scoped Baseline Activities / Testing||Generate Final Report|
|Develop Red Team Plan||Site Out Brief||Create Security Road Map|
|Identify Systems and Boundaries||Deliver Final Report|
|On-Site Visit Coordination||Follow Up with Customer|
As the team members start out, they look specifically for the easiest potential targets on the client network, those that could provide the easiest path into the network. As they progress, only vulnerabilities along that path are analyzed, leaving potential vulerabilities on other paths untested, unaltered, and intact.
At the end of the process, the client receives a report detailing how the intrusion occurred and what vulnerabilities were taken advantage of, but all other potential vulnerabilities remain hidden away on the network.