Several readers have asked me about the key points or main things to focus on when planning a Red Team assessment. While there is no single answer for this, it varies based on the project, on the target or the team, I will try to list the things I think are important to take into account in the initial planning.
Bear with me here, I'm trying to create a brain dump. I'd love to do a cat /dev/brain
but I can't.
The initial step should be to understand the scope of the project and the team needed. The scope is very important because it will also indicate the technology needed to achieve success, remember rule 18: Target dictates the weapon and the weapon dictates the movement. Once you know the scope, you can build the right team (if you have rotating members) or task each member on your team with a specific mission. So, having a clear objective, an identifiable target is key for the initial step in planning the assesment.
At this point the Team Leader should also begin to prepare the plan of action, or how - from a high-level perspective - he thinks the operation should be handled, the time frames, etc.
It is important to understand that in the majority cases, organizations are not prepared to handle a Red Team assessment. Either as whole, or at a product/planning level. They might request a Red Team assessment, sure, but they will fight it - especially if you find vulnerabilities and exploit them. That's basic human nature.
The best for a product manager, security engineer, upper management or any one in charge on these organizations would be to plan Red Team assessments from the get go. It would make the assessment easier and the Red Team would have a bigger chance of actually helping the organization.
So, factor this into your planning: the customer is most likely hostile. However, also remember that some customers will provide full support and you should let them know how thankful you are for this.
Now, planning, especially in the very beginning of the project, needs to be done by everyone in the team. Every member should have a chance to input their thouhgts. Every member should be able to poke holes into the Leader's plan. That's the way good planning happens. A Leader is a Leader only if the people he/she leads allow him/her to lead. Remember that.
Anyway, Red Teaming is a dynamic thing and it needs an open, learning, curious culture. A good team, both the Leader and the members, need to be able to accept the criticism of their peers.
So, planning should be done by all members of the team.
Once you have the plan underway, you can task some of the team members, or everyone, with selecting the right tools for the project. Like I mentioned before, rule 18. This is an important rule to remember during the planning. It will not only provide you with a list of the tools you will use, but it will also give you a preview of what you need and don't have. It's a good way to create new tools. Rule 18 will also let you know how you will need to move those tools: is an iPad enough, or I need ot bring a laptop? Do I need a bigger duffle bag because I now need to carry ropes? Tools and how you move with them is the next step. Each project needs might call for different tools. Sometimes those tools are standard, sometimes you need to create them. It is important during the planning to account for the tools needed. It should be an integral part of the planning. Think about it this way: a part of the plan might fail because you don't have the proper tool for this and you failed to see it during the planning.
So, objective, team planing and tools. Those are, in my opnion, the steps for a good planning.
Now, learn this early on: poorly performed Red Teaming is a waste. Plan for success or don't plan at all. Be all in, do it well or don't do it at all.
Happy planning!