What's in an Engagement and Report?

Reporting?

Sure, you write the report, you list the findings and their solutions, you wrap it up with a good executive summary, pictures of the engagement and a closing statement. But, is that it? Is your job done?

No.

There are a few things you still need to communicate. This is the key to a good Red Teaming engagement. No, it's not "I breached everything, bypassed all and got your data". It's not "your security sucks and we are so cool, look how we pwn you!".

No.

The 5th phase of a Red Team engagement is the report. But there are a few more things you need to do. These are the key pieces that will not only bring your customer, or your team, to the next level, but also keep them engaged and thinking the way you want them to, effectively making them think like the adversary going forward.

There are, in my opinion, two things needed during and after the report:

  • A clear explanation of why they need to implement the security solutions you are recommending
  • A clear view of what their industry and, more importantly, their competitors and peers are doing to be more secure

Simple, right?

You would be surprised how often red teamers forget these.
Let's look at those two points.

Why

The more your customer, or the people you are red teaming, understand why you are suggesting they do something, what you are solving, and how this directly correlates to real-world attackers, the more they will work with you and buy into your strategy and solutions. It is important that they understand how attackers work, how attackers change, and that they need to change with them. Explain how you, the red teamer, need to adapt as well in order to effectively mimic and emulate the attackers that would come after this organization. Explain the gaps found in the assessments very simply and without technical buzzwords. Explain why we, the red teamers, do what we do.

It's a simple step, yet it is so hard to do. The benefits of this are enormous.

What

What are the competitors and peers doing with their security? Why? What are the standards out there today that they are not meeting? What security controls, and possibly what strategy, did the competition see fit to put in place, to solve what problem and counter what attacker?
This is very important. Explain this very clearly. Explain what you did to understand the industry, gaining several points for really speaking their language. Explain the process an attacker would use to do the same, to understand the vulnerabilities and gaps in organizations within this industry, and how they would leap from there to the targeted reconnaissance of your customer. The more they understand the security needs of their industry, the more they will understand the need for Red Teaming. This is key to working the right way with an external Red Team.

Give them all the transparency you can. Work with them, make them understand the what.

Done

The more you do this, the more you will begin to see a change in mindset in people who tend to be overly defensive when you break into their stuff. The moment they begin to understand what you do, how you do it and why, they will be more inclined to work with you in the future.

I speak from experience.

When in doubt, red team it.