Red team checklist

This set of checklists is intended as a starting point for planning and building a red team and for running its engagements. Each design will have additional requirements of its own, so treat these lists as a baseline and modify them as you see fit.

Red Team Development Checklist

  • ☐ Determine required knowledge and skills
    • ☐ Identify and implement alternate methods for bridging knowledge gaps
  • ☐ Develop roles and responsibilities guide
  • ☐ Develop red team methodology
  • ☐ Develop TTP guidance for engagements
    • ☐ Includes Bag of tricks
  • ☐ Develop data collection guide and tools
  • ☐ Develop operational process plan
  • ☐ Develop communication plan template
  • ☐ Develop ROE template
  • ☐ Develop technical briefing template
  • ☐ Develop report template

Planning - Red Team Engagement Checklist

  • ☐ Engagement Planning
    • ☐ ROE
      • ☐ Event Communication plan
      • ☐ Distribute Deconfliction Process
      • ☐ Entry point/method
      • ☐ Scope
      • ☐ Goals/Objectives (should address at least one of the following)
        • ☐ Protect
        • ☐ Detect
        • ☐ Respond
        • ☐ Restore
      • ☐ Target Restrictions
      • ☐ Target Infrastructure / Asset verification / Approvals
    • ☐ Scenario Development
    • ☐ Operational Impact planning
  • ☐ Develop threat profiles
    • ☐ Network and Host Activity
    • ☐ IOC Generation (incl subsequent Analysis) and Management
  • ☐ Plan threat infrastructure
    • ☐ Tier 1
      • ☐ IPs
      • ☐ Systems
      • ☐ Redirectors
      • ☐ PPS (ports, protocols, and services)
    • ☐ Tier 2
      • ☐ IPs
      • ☐ Systems
      • ☐ Redirectors
      • ☐ PPS
    • ☐ Tier 3
      • ☐ IPs
      • ☐ Systems
      • ☐ Redirectors
      • ☐ PPS
    • ☐ Deploy tools to infrastructure
  • ☐ Data collection repository

Execution - Red Team Engagement Checklist

  • ☐ Daily completion and roll-up confirmation
    • ☐ Capture logs
    • ☐ Capture screenshots
    • ☐ Capture system changes
  • ☐ Daily (or twice daily) mandatory internal RT SITREP
  • ☐ Update real-time attack diagram

Culmination - Red Team Engagement Checklist

  • ☐ Engagement Closeout
    • ☐ Roll up data
    • ☐ Roll back system changes
    • ☐ Validate data has been collected
    • ☐ Outline critical attack diagram
    • ☐ Technical Review (tech-on-tech)
    • ☐ Executive Brief
  • ☐ Reporting
    • ☐ Draft attack narrative
    • ☐ Draft observation and findings
    • ☐ Finalize attack diagram
    • ☐ Finalize report
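The Execution items (capture logs, screenshots and system changes; daily roll-up) and the Closeout items (roll up data, roll back system changes, validate data has been collected) all depend on an operator log that is complete enough to answer the deconfliction process's questions: who did what, from where, against what, and when. The script below is an added example and not part of the original checklist or its authors' tooling. It assumes a hypothetical operator log kept as CSV with the columns timestamp (UTC, ISO 8601), operator, source_ip, target, action, system_change, rolled_back and evidence; the sample log rows are constructed for illustration. It validates each row against the fields deconfliction and reporting need, produces the per-day roll-up for the internal SITREP, and lists system changes that have not been confirmed rolled back so they can block closeout.

```python
"""Roll up a red team operator log for the daily SITREP and closeout checks.

Added example (not the checklist's own tooling). Assumes a hypothetical CSV
operator log with one row per action and the columns listed in REQUIRED_FIELDS
plus system_change (yes/no), rolled_back (yes/no/blank) and evidence (path to
the screenshot or capture backing the row).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Fields the deconfliction process relies on: when, who, from where, what, how.
REQUIRED_FIELDS = ("timestamp", "operator", "source_ip", "target", "action")

# Constructed sample log (not real engagement data): two days, two operators,
# one system change never rolled back, one row missing its source IP and one
# row with no evidence captured.
SAMPLE_LOG = """\
timestamp,operator,source_ip,target,action,system_change,rolled_back,evidence
2023-03-06T09:12:00Z,op1,203.0.113.10,10.0.0.5,phish delivered,no,,shots/day1-001.png
2023-03-06T11:40:00Z,op1,203.0.113.10,10.0.0.5,beacon established,no,,shots/day1-002.png
2023-03-06T14:05:00Z,op2,203.0.113.11,10.0.0.20,added local admin svc_rt,yes,no,shots/day1-003.png
2023-03-07T08:30:00Z,op2,,10.0.0.20,credential access (LSASS),no,,shots/day2-001.png
2023-03-07T10:15:00Z,op1,203.0.113.10,10.0.0.30,scheduled task persistence,yes,yes,shots/day2-002.png
2023-03-07T16:45:00Z,op1,203.0.113.10,10.0.0.30,lateral move via WMI,no,,
"""


def parse_log(text):
    """Parse the CSV operator log into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_rows(rows):
    """Return human-readable problems; an empty list means the log is complete.

    Line numbers are 1-based CSV lines (line 1 is the header) so the operator
    can go straight to the offending entry.
    """
    problems = []
    for line_no, row in enumerate(rows, start=2):
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                problems.append(f"line {line_no}: missing {field}")
        try:
            datetime.strptime(row.get("timestamp") or "", "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append(f"line {line_no}: timestamp not ISO 8601 UTC (YYYY-MM-DDTHH:MM:SSZ)")
        if not (row.get("evidence") or "").strip():
            problems.append(f"line {line_no}: no evidence captured")
    return problems


def daily_rollup(rows):
    """Summarise activity per UTC day: actions, operators, targets, changes."""
    days = defaultdict(lambda: {"actions": 0, "operators": set(), "targets": set(), "changes": 0})
    for row in rows:
        day = (row.get("timestamp") or "")[:10]  # YYYY-MM-DD prefix of the ISO timestamp
        entry = days[day]
        entry["actions"] += 1
        entry["operators"].add(row.get("operator") or "")
        entry["targets"].add(row.get("target") or "")
        if (row.get("system_change") or "").strip().lower() == "yes":
            entry["changes"] += 1
    # Sorted lists instead of sets so the roll-up is stable and serialisable.
    return {
        day: {
            "actions": e["actions"],
            "operators": sorted(e["operators"]),
            "targets": sorted(e["targets"]),
            "changes": e["changes"],
        }
        for day, e in sorted(days.items())
    }


def pending_rollbacks(rows):
    """System changes not yet confirmed rolled back; each one blocks closeout."""
    return [
        row for row in rows
        if (row.get("system_change") or "").strip().lower() == "yes"
        and (row.get("rolled_back") or "").strip().lower() != "yes"
    ]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for day, summary in daily_rollup(rows).items():
        print(day, summary)
    for problem in validate_rows(rows):
        print("PROBLEM:", problem)
    for row in pending_rollbacks(rows):
        print("ROLLBACK PENDING:", row["target"], "-", row["action"])
```

Running the script against the constructed log reports the row that lacks a source IP (deconfliction cannot attribute it to the team if the blue team asks), the row with no evidence (it cannot be used in the attack narrative), and the one local-admin account that was never removed. The same validation run during the daily roll-up catches these while the operator still remembers the session, rather than at closeout.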