The 5 phases of a Red Team assessment:
1: OPORD | 2: Recon | 3: Target ID | 4: Live run | 5: Report
Phase 1: OPORD
The Operations Order (OPORD), a "directive issued by the leader to his subordinate leaders in order to effect the coordinated execution of a specific operation.". The military five-paragraph format is used to organize the briefing, to ensure completeness, and to help subordinate leaders understand and follow the order.
In our case, an OPORD describes the project, the situation the team faces, the target, and what supporting objectives the team will have to achieve in order to be successful. It sounds complicated, but it's not. Essentially is a set of initial meetings where the team gets exposed to the project and supporting documentation or information is distributed around each member. Each team member begins to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.
The way it works best is to have at least 2 initial meetings:
- A meeting for the presentation of the project and initial brainstorming
- A meeting 2 days later after each team member had had the chance to incubate ideas and have a rough plan.
Depending on the timelines set for the project, those 2 meetings (3 if possible) will bring a lot of good ideas and questions that need answer.
Generally, the format/agenda for each meeting is standard and has shown over time to lead the team and their thinking in the right direction. This, of course, is not set in stone. You have to adapt to each project, but the following format is a good start
First meeting
Talk about:
- Situation: what is the target, where is located, who are the key players, who requested the project, why, information about their security capabilities.
- Mission: what is the project, what is the objective that needs to be achieved, who are we trying to mimic, when, where and how.
- Execution: This is the initial "plan", what it's to be expected by the team leader or the person that requested the engagement. It should include any rules of engagement (ROE).
- Admin & Logistics: What tools are needed, what we currently have and what needs to be written (software/exploits/scanning) or bought (breaching gear, recon gear, etc).
- Command and Control: who leads the project, comms, deployment of assets and standard operating procedures for everything.
Second meeting
Talk about:
- information already available on the target: perform a surface pass on OSINT just to have some data to begin.
- Ask questions that will allow for better planning and move RECON (the next phase) in the right direction. Ask: what is the history of the target, competitors (if relevant), top executives or commanders, main products or capabilities, simple atmospherics, social media and digital overall footprint (from the surface scan), initial apparent or known vulnerabilities.
This second meeting should conclude with a good idea for what needs to be done, the roles of each team member and a good estimate of the timelines. After this meeting, the team plans the recon. A third meeting will be called to, a sort of in-between-phases meeting, where the recon will be plan and set to go.
The OPORD phase should be short and very intense. Things need to be set carefully, but relatevely fast. RECON, the following phase, will take long and going into it unprepared will not work. Use Phase 1, OPORD, to set the team's mindset and energy in the right direction. Allow them to ask questions, have the senior guy in the team take over the leader for a while. Also, if there is a member of the team that has more knowlege about the particular industry, or mission, product or procedure, bring him/her up and listen. Leverage the team strengh.
Small teams work best. Practice this during this phase.
In the next post, we will see what's needed to plan RECON, why it is so important, and how to perform it.