Phases Of A Red Team Assessment - Revisited

Back in 2014, a question from a reader asked about the different phases of a Red Team assessment / engagement. Then we listed 8 phases.
These phases were, of course, based on our own experience, and a generic list. Each engagement is different, however having a list to begin the process and have a good visual map of what is needed, is a good thing.
During the last couple of years, we narrowed the phases down to 5:

  • OPORD
  • Recon
  • Target ID
  • Live run
  • Report

Phase 1: OPORD

The Operations Order (OPORD). An OPORD describes the project, the situation the team faces, the target, and what supporting activities the team will have to achieve their objective.
In this phase, the team gets exposed to the upcoming project or operation. The initial information about the target and the scope of the assessment are dumped and the team members begin to prepare the tools and techniques based on the information they have. The team begins to study the target and formulate the initial plan.

Phase 2: Recon

This phase is the most important one. If you do it right it will most likely end in the success of the project. If done right, a good team can ID the targets quickly, modify the plan accordingly, adapt the tools and finish the project.
During this phase the team observes the target and learns about it. Physical and digital surveillance are performed, as well an open source intelligence gathering. The physical, digital and social footprints of the target are mapped and analyzed. At the end of this phase there is a clear view of the possible vectors of attack. Usually, during this phase, all activities are passive, however in some cases - and the target is open to attack - a more active scan/surveillance is performed.

Phase 3: Target ID

During the Recon Phase, the team identified the possibles options for an attack. In this phase each option is further analyized and a plan of attack is crafted. On the digital side, a deeper scan is performed and exploits are identified. On the physical side, more information about security measures and controls are sought out. Social engineering calls are made and phishing mails are sent. Dry runs, if any, are performed during this phase too. In many cases, custom tools are written to exploit a specific vulnerability or to provide support for penetration and data exfiltration. This is a more active phase.

Phase 4: Live Run

Phase 4 is the Go! phase. Armed with all the knowledge and tools, the team executes the assessment for real. Whether a digital intrusion or a physical infil, the team tries to go inside. Once in, the team begins the lateral movement and smaller Phase 2 and 3 happen again. Important targets are indentified within the primary target and these are exploited as well. Backdoors, and further persistance are set and data exfil channels are open.
Once the team in inside, the team tries to exfiltrate data and also exploit targets of oportunity. Once all this is done, the point of contact that set the assessment is notified.

Phase 5: Report

The assessment is over. This phase is used to clean anything left behind and analyze all that was done. Findings are reported to the point of contact, and a debrief meeting is set.
The final report writing begins. This is the sucky part. Report writing happens after the endless cries from the point of contact.