Back to Details

executing-red-team-engagement-planning

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Executing Red Team Engagement Planning

执行红队参与规划

Overview

概述

Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins. A well-structured engagement plan ensures the red team simulates realistic adversary behavior while maintaining safety guardrails that prevent unintended business disruption.
红队参与规划是所有攻击性测试开始前的基础阶段,用于定义测试范围、目标、参与规则(ROE)、威胁模型选择以及操作时间线。结构完善的参与计划可确保红队在模拟真实对手行为的同时,维持安全防护措施,避免对业务造成意外干扰。

When to Use

适用场景

  • When conducting security assessments that involve executing red team engagement planning
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing
  • 开展涉及红队参与规划的安全评估时
  • 针对相关安全事件遵循事件响应流程时
  • 执行定期安全测试或审计活动时
  • 通过实操测试验证安全控制措施时

Prerequisites

前置条件

  • Familiarity with red teaming concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities
  • 熟悉红队概念与工具
  • 可访问测试或实验室环境以安全执行操作
  • 安装Python 3.8及以上版本并配置好所需依赖
  • 拥有开展测试活动的适当授权

Objectives

目标

  • Define clear engagement scope including in-scope and out-of-scope assets, networks, and personnel
  • Establish Rules of Engagement (ROE) with emergency stop procedures, communication channels, and legal boundaries
  • Select appropriate threat profiles from the MITRE ATT&CK framework aligned to the organization's threat landscape
  • Create a detailed attack plan mapping adversary TTPs to engagement objectives
  • Develop deconfliction procedures with the organization's SOC/blue team
  • Produce a comprehensive engagement brief for stakeholder approval
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
  • 明确参与范围,包括纳入/排除范围的资产、网络和人员
  • 制定参与规则(ROE),包含紧急停止流程、沟通渠道和法律边界
  • 根据组织的威胁态势,从MITRE ATT&CK框架中选择合适的威胁画像
  • 创建详细的攻击计划,将对手的战术、技术和流程(TTPs)与参与目标对应
  • 与组织的SOC/蓝队制定冲突消除流程
  • 生成供利益相关方审批的全面参与简报
法律声明: 本技能仅用于授权的安全测试和教育目的。未经授权对不属于您或未获得书面测试许可的系统进行操作是非法的,可能违反计算机欺诈相关法律。

Core Concepts

核心概念

Engagement Types

参与类型

TypeDescriptionScope
Full ScopeComplete adversary simulation with physical, social, and cyber vectorsEntire organization
Assumed BreachStarts from initial foothold, focuses on post-exploitationInternal network
Objective-BasedTarget specific crown jewels (e.g., domain admin, PII exfiltration)Defined targets
Purple TeamCollaborative with blue team for detection improvementSpecific controls
类型描述范围
全范围涵盖物理、社会工程和网络向量的完整对手模拟整个组织
假设Breach从初始立足点开始,聚焦于入侵后操作内部网络
目标导向针对特定核心资产(如域管理员权限、PII数据泄露)已定义的目标
紫队与蓝队协作以提升检测能力特定控制措施

Rules of Engagement Components

参与规则组成部分

  1. Scope Definition: IP ranges, domains, physical locations, personnel
  2. Restrictions: Systems/networks that must not be touched (e.g., production databases, medical devices)
  3. Communication Plan: Primary and secondary contact channels, escalation procedures
  4. Emergency Procedures: Code word for immediate cessation, incident response coordination
  5. Legal Authorization: Signed authorization letters, get-out-of-jail letters for physical tests
  6. Data Handling: How sensitive data discovered during testing will be handled and destroyed
  7. Timeline: Start/end dates, blackout windows, reporting deadlines
  1. 范围定义:IP范围、域名、物理位置、人员
  2. 限制条件:禁止触碰的系统/网络(如生产数据库、医疗设备)
  3. 沟通计划:主要和次要联系渠道、升级流程
  4. 紧急流程:立即停止操作的暗号、事件响应协调方式
  5. 法律授权:已签署的授权函、物理测试的免责函
  6. 数据处理:测试过程中发现的敏感数据的处理和销毁方式
  7. 时间线:开始/结束日期、禁止测试时段、报告截止日期

Threat Profile Selection

威胁画像选择

Map organizational threats using MITRE ATT&CK Navigator to select relevant adversary profiles:
  • APT29 (Cozy Bear): Government/defense sector targeting via spearphishing, supply chain
  • APT28 (Fancy Bear): Government organizations, credential harvesting, zero-days
  • FIN7: Financial sector, POS malware, social engineering
  • Lazarus Group: Financial institutions, cryptocurrency exchanges, destructive malware
  • Conti/Royal: Ransomware operators, double extortion, RaaS model
使用MITRE ATT&CK Navigator映射组织威胁,选择相关对手画像:
  • APT29(Cozy Bear):针对政府/国防部门,通过鱼叉式钓鱼、供应链攻击
  • APT28(Fancy Bear):针对政府组织,窃取凭证、利用零日漏洞
  • FIN7:针对金融行业,POS机恶意软件、社会工程
  • Lazarus Group:针对金融机构、加密货币交易所,破坏性恶意软件
  • Conti/Royal:勒索软件运营商,双重勒索、RaaS模式

Workflow

工作流程

Phase 1: Pre-Engagement

阶段1:参与前准备

  1. Conduct initial scoping meeting with stakeholders
  2. Identify crown jewels and critical business assets
  3. Review previous security assessments and audit findings
  4. Define success criteria and engagement objectives
  5. Draft Rules of Engagement document
  1. 与利益相关方召开初始范围界定会议
  2. 识别核心资产和关键业务资产
  3. 回顾过往安全评估和审计结果
  4. 定义成功标准和参与目标
  5. 起草参与规则文档

Phase 2: Threat Modeling

阶段2:威胁建模

  1. Identify relevant threat actors using MITRE ATT&CK
  2. Map threat actor TTPs to organizational attack surface
  3. Select primary and secondary attack scenarios
  4. Define adversary emulation plan with specific technique IDs
  5. Establish detection checkpoints for purple team opportunities
  1. 使用MITRE ATT&CK识别相关威胁Actor
  2. 将威胁Actor的TTPs映射到组织的攻击面
  3. 选择主要和次要攻击场景
  4. 制定包含特定技术ID的对手模拟计划
  5. 为紫队协作机会设置检测检查点

Phase 3: Operational Planning

阶段3:操作规划

  1. Set up secure communication channels (encrypted email, Signal, etc.)
  2. Create operational security (OPSEC) guidelines for the red team
  3. Establish infrastructure requirements (C2 servers, redirectors, phishing domains)
  4. Develop phased attack timeline with go/no-go decision points
  5. Create deconfliction matrix with SOC/IR team
  1. 搭建安全沟通渠道(加密邮件、Signal等)
  2. 为红队制定操作安全(OPSEC)准则
  3. 确定基础设施需求(C2服务器、重定向器、钓鱼域名)
  4. 制定分阶段攻击时间线,包含执行/终止决策点
  5. 与SOC/IR团队创建冲突消除矩阵

Phase 4: Documentation and Approval

阶段4:文档编制与审批

  1. Compile engagement plan document
  2. Review with legal counsel
  3. Obtain executive sponsor signature
  4. Brief red team operators on ROE and restrictions
  5. Distribute emergency contact cards
  1. 整理参与计划文档
  2. 与法律顾问审核
  3. 获取执行赞助商的签名
  4. 向红队操作人员简要介绍ROE和限制条件
  5. 分发紧急联系卡片

Tools and Resources

工具与资源

  • MITRE ATT&CK Navigator: Threat actor TTP mapping and visualization
  • VECTR: Red team engagement tracking and metrics platform
  • Cobalt Strike / Nighthawk: C2 framework planning and infrastructure design
  • PlexTrac: Red team reporting and engagement management platform
  • SCYTHE: Adversary emulation platform for attack plan creation
  • MITRE ATT&CK Navigator:威胁Actor TTPs映射与可视化工具
  • VECTR:红队参与跟踪与指标平台
  • Cobalt Strike / Nighthawk:C2框架规划与基础设施设计工具
  • PlexTrac:红队报告与参与管理平台
  • SCYTHE:用于创建攻击计划的对手模拟平台

Validation Criteria

验证标准

  • Signed Rules of Engagement document
  • Defined scope with explicit in/out boundaries
  • Selected threat profile with mapped MITRE ATT&CK techniques
  • Emergency stop procedures tested and verified
  • Communication plan distributed to all stakeholders
  • Legal authorization obtained and filed
  • Red team operators briefed and acknowledged ROE
  • 已签署的参与规则文档
  • 明确定义的范围,包含清晰的纳入/排除边界
  • 已选择威胁画像并映射MITRE ATT&CK技术
  • 紧急停止流程已测试并验证
  • 沟通计划已分发给所有利益相关方
  • 已获取并归档法律授权
  • 红队操作人员已了解ROE并确认

Common Pitfalls

相关技能

  1. Scope Creep: Expanding testing beyond approved boundaries during execution
  2. Inadequate Deconfliction: SOC investigating red team activity as real incidents
  3. Missing Legal Authorization: Testing without proper signed authorization
  4. Unrealistic Threat Models: Simulating threats irrelevant to the organization
  5. Poor Communication: Failing to maintain contact with stakeholders during engagement
  • 执行开源情报收集
  • 使用Atomic Red Team开展对手模拟
  • 执行假设Breach红队演练
  • 利用重定向器搭建红队基础设施

Related Skills

  • performing-open-source-intelligence-gathering
  • conducting-adversary-simulation-with-atomic-red-team
  • performing-assumed-breach-red-team-exercise
  • building-red-team-infrastructure-with-redirectors