Question from a reader

BW asked:

Would you list all the phases of a red team assessment?


This is a great question. While there is no single, simple answer (each assessment has its own tempo and phases), I'm going to try to summarize the phases that usually take place during an assessment or operation.

Phase 1: Initial exposure

This is the phase where the team gets exposed to the upcoming project or operation. The warning order. In this phase the initial information about the target and the scope of the assessment is handed to the team by the team leader. The team members prepare the tools and techniques based on the information they have; however, the project is not a go yet.

Phase 2: New project

Phase 2 is where the actual assessment begins. The project is a go and more information is available. This might be a complete black box project (no knowledge about the target other than who the target is) or a white box project (everything is disclosed by the target, including network information, security methodology, etc.). The team begins to study the target.

Phase 3: Recon

This phase is, in my opinion, one of the most important phases. Done right, it will most likely lead to the success of the project, and a good team can often move directly to Phase 5 and finish the project. During this phase the team observes the target and learns about it. Physical surveillance and digital scanning are performed. The target's digital and/or physical footprints are mapped and analysed. At the end of this phase there is a clear view of the possible vectors of attack. These vectors can be exploited on the spot.

Phase 4: Target identification

During the recon the team identified the possible options for an attack. In this phase each option is further analysed and a plan of attack is crafted. A deeper scan is performed and exploits are identified. On the physical side, more information about camera manufacturers, badge information, etc., is sought out. Social engineering calls are made and phishing mails are sent. Dry runs, if any, are performed during this phase too. In many cases, custom tools are written during Phase 4 to exploit a specific vulnerability or to provide support for penetration and data exfiltration.

Phase 5: Live run

Phase 5 is the execute, execute, execute! phase. Armed with all the knowledge and tools, the team executes the assessment for real. Whether a digital intrusion or a physical infil, the team tries to go inside. Once inside, the team begins the lateral movement and a small Phase 3 happens again. Important targets are identified within the primary target and these are exploited as well. Backdoors are set and data exfil channels are opened.

Phase 6: Post breach

Once the team is inside, and if the project guidelines call for it, the team tries to exfiltrate data, get passwords, read mails, set the calling cards, search for the objectives set by the guidelines and also exploit targets of opportunity. Once all this is done, the point of contact that set up the assessment is notified.

Phase 7: Clean up

The assessment per se is over. This phase is used to clean up backdoors, user accounts that might have been created, temporary files, etc. During this phase the initial report is drafted and the initial findings are reported to the point of contact.

Phase 8: Report

This is the sucky part. Report writing, after the endless cries from the point of contact during Phase 7.