Skip to content

Chapter 41: Red Team Methodology & Engagement Management

Overview

Red teaming is the practice of simulating realistic adversary operations against an organization to test its detection capabilities, incident response readiness, and overall security posture. Unlike penetration testing, which seeks to find as many vulnerabilities as possible within a defined scope, red teaming focuses on achieving specific objectives while remaining undetected — mimicking the tactics, techniques, and procedures (TTPs) of real threat actors. This chapter covers the full engagement lifecycle from scoping through reporting, with emphasis on rules of engagement, deconfliction, legal considerations, and purple team integration.

Learning Objectives

  1. Design a red team engagement from initial scoping through final report delivery using industry frameworks (PTES, OSSTMM, CBEST, TIBER-EU)
  2. Draft rules of engagement (RoE) that protect both the red team and the target organization
  3. Implement deconfliction procedures that prevent red team activity from triggering real incident response
  4. Structure red team reports that translate technical findings into executive risk language
  5. Integrate purple team exercises to maximize defensive value from offensive operations
  6. Navigate the legal and ethical boundaries that govern adversary simulation

Prerequisites: Chapters 1–4 (telemetry, logging, detection), Chapter 16 (penetration testing methodology). Familiarity with network architecture, Active Directory, and common enterprise security controls.

Curiosity Hook

When the Red Team Became a Real Incident

A financial services firm authorized a red team engagement with a four-week window. On day three, the red team achieved domain admin through a misconfigured service account. The blue team's SIEM correlated the lateral movement and triggered a P1 incident. Without proper deconfliction, the SOC escalated to the CISO, who activated the incident response retainer at $400/hour. Four hours later, the IR firm had mobilized three analysts — none of whom knew about the authorized engagement.

Total wasted cost: $14,800 in IR fees, 47 person-hours of SOC investigation, and a board-level notification that had to be retracted. The root cause was not a red team failure — it was the absence of a deconfliction protocol. The engagement had no trusted agent, no deconfliction channel, and no code words. Every red team engagement since then begins with a signed deconfliction plan. The most dangerous vulnerability was not technical — it was procedural.

Red Teaming vs. Penetration Testing

Understanding the distinction between red teaming and penetration testing is critical for scoping, execution, and reporting.

Dimension Penetration Testing Red Teaming
Objective Find vulnerabilities Test detection & response
Scope Defined target list Objective-based (e.g., "access PII database")
Duration 1–3 weeks typical 4–12 weeks typical
Stealth Not prioritized Primary concern
Notification IT/security team aware Limited personnel aware (trusted agents only)
Methodology Systematic coverage Adversary emulation
Deliverable Vulnerability report Attack narrative + detection gap analysis
Standards PTES, OWASP CBEST, TIBER-EU, MITRE ATT&CK
Cost $15K–$80K typical $50K–$500K+ typical

Key Distinction

A penetration test asks: "What vulnerabilities exist?" A red team engagement asks: "Can the organization detect and respond to a realistic attack?" Both are valuable — they answer fundamentally different questions.

Standards and Frameworks

Red team engagements should reference established frameworks to ensure methodological rigor and regulatory compliance.

Framework Owner Focus Best Used For
PTES Community Full penetration test lifecycle, 7 phases General engagements, baseline methodology
OSSTMM 3.0 ISECOM Operational security metrics, attack surface quantification Quantitative risk measurement
CBEST Bank of England Intelligence-led red teaming for financial sector UK-regulated financial institutions
TIBER-EU European Central Bank Threat intelligence-based ethical red teaming EU financial sector entities
MITRE ATT&CK MITRE Adversary TTP cataloging and mapping TTP-based adversary emulation
CREST STAR CREST Simulated targeted attack and response UK/APAC regulated environments
ABS Red Team Guidelines Association of Banks in Singapore Financial sector adversary simulation Singapore-regulated financial firms

CBEST vs. TIBER-EU

  • Developed by the Bank of England in 2014
  • Mandates threat intelligence phase before red team execution
  • Requires CREST-certified providers
  • Three phases: Threat Intelligence, Penetration Testing, Reporting
  • Applies to UK systemically important financial institutions
  • Results shared with regulators (PRA/FCA)
  • Published by ECB in 2018, adopted across EU member states
  • Three phases: Generic Threat Landscape, Threat Intelligence, Red Team Testing
  • National implementations (TIBER-DE, TIBER-NL, TIBER-FI, etc.)
  • Requires separation between threat intelligence provider and red team provider
  • Results shared with national competent authorities
  • Purple team phase mandatory since 2020 update

Engagement Lifecycle

The red team engagement lifecycle follows a structured sequence from initial client contact through remediation validation. Each phase has defined inputs, outputs, and decision gates.

flowchart TD
    A[Phase 1: Scoping &\nPre-Engagement] --> B[Phase 2: Threat\nIntelligence]
    B --> C[Phase 3: Attack\nPlanning]
    C --> D[Phase 4: Execution\n& Operations]
    D --> E[Phase 5: Post-\nExploitation]
    E --> F[Phase 6: Reporting\n& Debrief]
    F --> G[Phase 7: Purple Team\n& Remediation]
    G --> H[Phase 8: Retest\n& Validation]

    style A fill:#1e3a5f,color:#e6edf3
    style B fill:#2a4a6f,color:#e6edf3
    style C fill:#36597f,color:#e6edf3
    style D fill:#8b4513,color:#e6edf3
    style E fill:#8b4513,color:#e6edf3
    style F fill:#1a3a1a,color:#e6edf3
    style G fill:#4a1a6f,color:#e6edf3
    style H fill:#1a3a1a,color:#e6edf3

Phase 1 — Scoping & Pre-Engagement

Engagement Scoping Checklist

The scoping phase defines the boundaries, objectives, and constraints of the engagement. Incomplete scoping is the leading cause of engagement failure and legal exposure.

Critical: Written Authorization

Never begin any red team activity without signed written authorization from a person with legal authority over the target assets. Verbal authorization is insufficient. A "Permission to Test" letter must be signed before any reconnaissance begins — including passive OSINT.

Scoping Document SHALL Include:

  • [ ] Engagement objectives — specific goals (e.g., "access the SWIFT payment system," "exfiltrate synthetic PII from HR database")
  • [ ] Target organization — legal entity name, subsidiaries in scope
  • [ ] Network scope — IP ranges (CIDR), domains, subdomains, cloud accounts
  • [ ] Physical scope — buildings, floors, badge cloning authorization
  • [ ] Social engineering scope — phishing, vishing, physical pretexting authorization
  • [ ] Out-of-scope assets — production databases, third-party systems, critical infrastructure
  • [ ] Testing window — start date, end date, permitted hours, time zone
  • [ ] Threat scenario — which threat actor(s) to emulate
  • [ ] Assumed breach options — whether the team starts with internal access
  • [ ] Emergency contacts — client CISO, trusted agent, NOC, legal counsel
  • [ ] Kill switch — immediate stop procedure (code word, phone number)
  • [ ] Data handling — how captured credentials, PII, and evidence are stored/destroyed
  • [ ] Insurance — professional liability and cyber liability coverage confirmation
Document Purpose Signed By
Master Service Agreement (MSA) Overarching legal relationship, liability, indemnification Both parties' legal counsel
Statement of Work (SOW) Specific engagement scope, deliverables, timeline, cost Project sponsors
Rules of Engagement (RoE) Operational parameters, constraints, escalation procedures CISO + Red Team Lead
Permission to Test Explicit written authorization from asset owner Asset owner (not just client contact)
Non-Disclosure Agreement (NDA) Protection of client data and findings All team members individually
Data Processing Agreement GDPR/privacy compliance for handling personal data DPO or legal counsel

Phase 2 — Rules of Engagement (RoE)

The Rules of Engagement document is the operational contract between the red team and the client. It governs what the team can and cannot do during the engagement.

RoE Template

Rules of Engagement — Template Structure

Section 1: Engagement Overview

  • Engagement name and reference number
  • Client organization and point of contact
  • Red team organization and team lead
  • Engagement dates and duration
  • Engagement type (full red team / assumed breach / purple team)

Section 2: Objectives

  • Primary objective(s) with success criteria
  • Secondary objectives
  • Flags/proof artifacts required (screenshots, file hashes, data samples)

Section 3: Scope

  • In-scope IP ranges: 198.51.100.0/24, 203.0.113.0/24
  • In-scope domains: acmecorp.example.com, *.acmecorp.example.com
  • In-scope cloud: AWS Account 111122223333, Azure Tenant acme-corp-example
  • Out-of-scope: 198.51.100.250/32 (production payment gateway), third-party SaaS
  • Physical scope: Building A (123 Example Street), floors 1–3 only

Section 4: Authorized Activities

  • Network scanning and enumeration: YES
  • Exploitation of discovered vulnerabilities: YES (non-destructive only)
  • Social engineering — phishing: YES (up to 50 targets, pre-approved templates)
  • Social engineering — vishing: YES (pre-approved scripts only)
  • Physical intrusion: YES (Building A only, no forced entry)
  • Wireless attacks: YES (client SSID only)
  • DoS/DDoS: NO
  • Data exfiltration: YES (synthetic test data only, max 100MB)
  • Destructive actions: NO (no data deletion, encryption, or modification)

Section 5: Deconfliction

  • Trusted agent: Jane Smith, CISO — +1-555-0100
  • Deconfliction code: PHOENIX-7742
  • Check-in schedule: Daily at 09:00 UTC via encrypted channel
  • Emergency stop: Call trusted agent, state code FULL STOP PHOENIX

Section 6: Data Handling

  • All captured data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Credentials rotated/invalidated within 24 hours of capture
  • All engagement data destroyed within 30 days of report delivery
  • Chain of custody maintained for all evidence

Section 7: Reporting

  • Draft report within 10 business days of engagement end
  • Final report within 5 business days of client review
  • Executive summary, technical narrative, finding details, remediation guidance

Phase 3 — Deconfliction Procedures

Deconfliction ensures that red team activity does not trigger unnecessary incident response actions, cause business disruption, or result in law enforcement involvement.

Deconfliction Model

flowchart TD
    A[Red Team Activity\nDetected by SOC] --> B{Is activity in\ndeconfliction log?}
    B -->|Yes| C[Trusted Agent confirms\nred team operation]
    C --> D[SOC logs & continues\nnormal monitoring]
    B -->|No| E{Contact Trusted\nAgent}
    E -->|Confirmed Red Team| F[Add to deconfliction\nlog, continue]
    E -->|NOT Red Team| G[Escalate as real\nincident — P1]
    E -->|Cannot reach\nTrusted Agent| H[Treat as real incident\nuntil confirmed]

    style A fill:#8b4513,color:#e6edf3
    style G fill:#8b1a1a,color:#e6edf3
    style H fill:#8b1a1a,color:#e6edf3
    style D fill:#1a3a1a,color:#e6edf3
    style F fill:#1a3a1a,color:#e6edf3

Trusted Agent Role

The trusted agent is a senior member of the target organization (typically the CISO or deputy CISO) who is aware of the engagement and serves as the single point of contact for deconfliction.

Trusted Agent Responsibilities:

  • Receive and respond to deconfliction queries within 30 minutes
  • Maintain operational security — do not reveal engagement details to SOC analysts
  • Authorize scope changes or emergency stops
  • Provide daily check-in with red team lead
  • Confirm or deny whether detected activity is red team-originated

Trusted Agent Availability

The trusted agent MUST be reachable 24/7 during the engagement window. A backup trusted agent SHALL be designated. If neither can be reached within 60 minutes of a deconfliction query, the red team SHALL pause all operations until contact is re-established.

Deconfliction Log Template

Timestamp (UTC) Red Team Operator Activity Description Source IP Target IP Deconfliction Code Trusted Agent Notified
2025-03-15 14:23 Operator Alpha SMB enumeration against DC01 10.0.50.100 10.0.10.10 PHOENIX-7742 Yes — 14:25
2025-03-15 16:45 Operator Beta Phishing email batch 1 (25 targets) External relay N/A PHOENIX-7742 Yes — 16:30 (pre-notified)
2025-03-16 02:15 Operator Alpha Kerberoasting against SVC accounts 10.0.50.100 10.0.10.10 PHOENIX-7742 Yes — 02:20

Phase 4 — Threat Intelligence & Attack Planning

Before execution begins, the red team must develop a threat intelligence picture that drives realistic adversary emulation.

Threat Actor Selection

The engagement should emulate a specific threat actor or composite threat profile relevant to the client's industry and geography.

  • APT38 (Lazarus subgroup) — SWIFT payment system targeting
  • FIN7 — Point-of-sale and payment card data theft
  • Carbanak — Banking infrastructure compromise
  • Techniques: spear-phishing, credential harvesting, lateral movement via service accounts, data staging
  • FIN12 — Ransomware deployment, healthcare targeting
  • APT41 — Dual espionage and financial crime
  • Techniques: VPN exploitation, RDP brute force, Group Policy modification, data encryption
  • Sandworm — ICS/SCADA targeting, destructive operations
  • XENOTIME — Safety system targeting
  • Techniques: supply chain compromise, OT network pivoting, protocol manipulation
  • APT29 (Cozy Bear) — Supply chain compromise, cloud infrastructure
  • Scattered Spider — Identity provider targeting, SIM swapping
  • Techniques: OAuth abuse, SSO exploitation, cloud API abuse, social engineering

ATT&CK Technique Mapping

All red team operations should be mapped to MITRE ATT&CK techniques. This enables structured reporting and direct comparison with the organization's detection coverage.

ATT&CK Tactic Technique ID Technique Name Red Team Application Detection Priority
Reconnaissance T1595 Active Scanning Network and port scanning of target ranges Medium
Resource Development T1583 Acquire Infrastructure Set up C2 servers, redirectors, phishing infrastructure Low (external)
Initial Access T1566.001 Spear-Phishing Attachment Deliver payload via crafted email with weaponized document High
Initial Access T1078 Valid Accounts Use harvested credentials for initial access Critical
Execution T1059.001 PowerShell Execute post-exploitation tooling via PowerShell High
Persistence T1053.005 Scheduled Task Establish persistence via scheduled tasks High
Privilege Escalation T1068 Exploitation for Privilege Escalation Escalate from standard user to local admin Critical
Defense Evasion T1027 Obfuscated Files Use encoded/obfuscated payloads to evade AV High
Credential Access T1558.003 Kerberoasting Extract service account TGS tickets for offline cracking Critical
Lateral Movement T1021.002 SMB/Windows Admin Shares Move laterally via admin shares (C$, ADMIN$) High
Collection T1005 Data from Local System Collect target data from compromised systems Medium
Exfiltration T1041 Exfiltration Over C2 Channel Exfiltrate collected data through C2 infrastructure High

Phase 5 — Execution & Operations

Operational Security (OPSEC)

Red team OPSEC ensures that the team's infrastructure, tools, and activities are not trivially detected, providing a realistic test of the organization's detection capabilities.

Red Team OPSEC Principles

  1. Separate infrastructure per engagement — never reuse C2 domains or IPs across clients
  2. Malleable C2 profiles — configure beacons to blend with normal HTTPS traffic
  3. Timestomping awareness — understand that file timestamps are forensic evidence (but document rather than tamper in ethical engagements)
  4. Living off the land — prefer built-in OS tools (PowerShell, WMI, certutil) to reduce artifact footprint
  5. Credential hygiene — rotate extracted credentials in your notes, minimize dwell time with plaintext creds

Command and Control (C2) Architecture

A professional red team C2 infrastructure uses multiple layers to avoid attribution and resist takedown.

flowchart LR
    A[Target Network\n10.0.0.0/16] -->|HTTPS Beacon\nPort 443| B[Redirector 1\n203.0.113.50]
    A -->|DNS Beacon\nPort 53| C[Redirector 2\n203.0.113.51]
    B -->|Reverse Proxy| D[Team Server\n198.51.100.10]
    C -->|DNS Forwarding| D
    D -->|Authenticated| E[Operator\nWorkstations]

    style A fill:#8b1a1a,color:#e6edf3
    style D fill:#1e3a5f,color:#e6edf3
    style E fill:#1a3a1a,color:#e6edf3

Infrastructure Components:

Component Purpose Example Configuration
Team Server Central C2 server, operator interface 198.51.100.10 — hardened Linux, SSH key-only, firewall restricted to redirectors
Redirector Proxy layer between target and team server 203.0.113.50 — Apache mod_rewrite rules, domain fronting capable
Phishing Server Host phishing pages and payloads 203.0.113.52 — GoPhish or similar, separate from C2
Payload Staging Host initial payloads for download 203.0.113.53 — short-lived, rotated frequently
Exfil Server Receive exfiltrated data 198.51.100.11 — encrypted storage, access-logged

Blue Team Detection Correlation — Execution Phase

Every red team technique should be paired with expected detection opportunities. This table enables purple team validation.

Red Team Technique ATT&CK ID Expected Log Source Detection Logic (Conceptual) Expected Alert
Spear-phishing delivery T1566.001 Email gateway, EDR Attachment with macro, unusual sender domain "Suspicious attachment from external sender"
PowerShell execution T1059.001 Windows Event Log 4104 ScriptBlock logging detects encoded commands "Obfuscated PowerShell execution detected"
Kerberoasting T1558.003 Windows Security 4769 RC4 ticket requests for service accounts "Kerberos TGS request with RC4 encryption"
Lateral movement via SMB T1021.002 Windows Security 4624/4625 Type 3 logon from unexpected source "Lateral movement — SMB logon from non-admin workstation"
Scheduled task persistence T1053.005 Windows Security 4698 New scheduled task created on server "Scheduled task created outside change window"
Data staging T1074.001 EDR, file integrity Large archive created in temp directory "Unusual archive creation in staging directory"
C2 beacon traffic T1071.001 Proxy/firewall logs, NDR Regular interval HTTPS to uncategorized domain "Beaconing pattern detected to uncategorized domain"

Phase 6 — Reporting

The red team report is the primary deliverable. It must communicate risk to executives, provide technical detail for remediation teams, and serve as evidence for compliance and audit functions.

Report Structure

Red Team Report — Recommended Structure

1. Executive Summary (1–2 pages)

  • Engagement overview and objectives
  • Key findings summary (3–5 critical items)
  • Overall risk assessment (Critical / High / Medium / Low)
  • Strategic recommendations (3–5 items, business language)

2. Engagement Details (1–2 pages)

  • Scope and methodology
  • Dates and duration
  • Team composition
  • Standards referenced (CBEST, TIBER-EU, MITRE ATT&CK)

3. Attack Narrative (5–15 pages)

  • Chronological story of the engagement
  • Phase-by-phase description with timestamps
  • Decision points: why the team chose specific paths
  • Screenshots and evidence (sanitized)

4. Findings (variable length)

  • Each finding: Title, Severity, ATT&CK Mapping, Description, Evidence, Impact, Remediation
  • Severity rating: CVSS where applicable, risk-based otherwise
  • Grouped by attack phase or by business impact

5. Detection Gap Analysis (3–5 pages)

  • What the blue team detected vs. what they missed
  • Mean time to detect (MTTD) for each detected technique
  • Recommendations for detection improvement
  • Mapping to MITRE D3FEND or detection maturity model

6. ATT&CK Navigator Heatmap (1 page)

  • Visual overlay showing techniques used, detected, and missed
  • Color coding: Green (detected & responded), Yellow (detected, no response), Red (not detected)

7. Remediation Roadmap (2–3 pages)

  • Prioritized remediation plan (30/60/90 day)
  • Quick wins vs. strategic improvements
  • Resource estimates for each recommendation

8. Appendices

  • Full indicator list (IPs, domains, hashes, file paths)
  • Raw evidence (sanitized)
  • Tool list and versions used

Severity Rating Criteria

Severity Criteria Example
Critical Direct path to engagement objective, no detection Domain admin achieved via Kerberoasting, SOC did not alert
High Significant access achieved, limited detection Lateral movement to 15 hosts via pass-the-hash, detected after 4 hours
Medium Partial access or information disclosure, detected Internal network scanning completed, SOC alerted within 30 minutes
Low Minor information gathered, no access achieved Employee names and email format confirmed via OSINT
Informational Observation, no direct risk NTLM enabled on internal web applications (defense in depth concern)

Phase 7 — Purple Team Integration

Purple teaming combines red team offensive expertise with blue team defensive capabilities in a collaborative exercise. The goal is to maximize the defensive value of every red team technique.

Purple Team Exercise Structure

flowchart TD
    A[Select ATT&CK\nTechnique] --> B[Red Team\nDemonstrates Technique]
    B --> C[Blue Team Observes\nTelemetry & Alerts]
    C --> D{Detection\nSuccessful?}
    D -->|Yes| E[Document Detection\nLogic & Tune]
    D -->|No| F[Develop New\nDetection Rule]
    F --> G[Red Team Replays\nTechnique]
    G --> C
    E --> H[Move to Next\nTechnique]

    style A fill:#1e3a5f,color:#e6edf3
    style D fill:#8b4513,color:#e6edf3
    style E fill:#1a3a1a,color:#e6edf3
    style F fill:#8b1a1a,color:#e6edf3
    style H fill:#1a3a1a,color:#e6edf3

Purple Team Iteration Log

# ATT&CK Technique Red Team Action Blue Team Detection? Gap Identified New Detection Rule Created Validated?
1 T1566.001 — Phishing Attachment Sent macro-enabled doc to 5 users YES — email gateway quarantined 4/5 1 email bypassed due to file type exception Updated email policy to block .docm from external YES
2 T1059.001 — PowerShell Executed encoded PowerShell downloader YES — AMSI + ScriptBlock logging triggered Alert fatigue: 200+ PowerShell alerts/day Tuned rule to focus on -enc flag + network connection YES
3 T1558.003 — Kerberoasting Requested TGS tickets for 12 service accounts NO — no detection rule existed No monitoring of Event ID 4769 with RC4 Created KQL rule for RC4 TGS requests to service accounts YES
4 T1021.002 — SMB Lateral Movement Accessed ADMIN$ on 5 servers from workstation PARTIAL — detected on 2/5 servers Inconsistent Windows event forwarding Deployed WEF to all servers, created lateral movement detection YES

Detection Maturity Assessment

  • No detection capability for the technique
  • No relevant telemetry collected
  • Example: No DNS query logging, cannot detect DNS tunneling
  • Telemetry exists but no automated detection
  • Manual hunting required to identify technique
  • Example: PowerShell ScriptBlock logging enabled but no alerting rules
  • Automated detection rule exists and fires
  • May have high false positive rate
  • Example: Alert on any PowerShell -EncodedCommand usage (noisy)
  • Detection rule tuned with low false positive rate
  • Contextual enrichment (user, asset, time-of-day)
  • Example: Alert on encoded PowerShell from non-admin users during off-hours only
  • Detection validated through purple team exercise
  • Response playbook exists and has been practiced
  • Example: Kerberoasting detection validated, SOC has practiced response including account isolation

Red team engagements operate in a legally complex space. Unauthorized activities can violate criminal statutes regardless of the tester's intent.

Jurisdiction Primary Statute Key Provisions
United States Computer Fraud and Abuse Act (18 U.S.C. § 1030) Unauthorized access to protected computers; penalties up to 20 years
United Kingdom Computer Misuse Act 1990 Unauthorized access, modification; penalties up to 10 years
European Union Directive 2013/40/EU (Attacks Against Information Systems) Member states implement criminal penalties for unauthorized access
Germany StGB § 202a–c (Ausspähen/Abfangen von Daten) Unauthorized data access, interception; penalties up to 3 years
Australia Criminal Code Act 1995, Part 10.7 Unauthorized access, modification, impairment; penalties up to 10 years

Critical Legal Requirements

  1. Written authorization must be obtained from the legal owner of every target asset
  2. Authorization from a client does not extend to third-party systems (cloud providers, SaaS vendors, ISPs)
  3. Cloud testing requires separate authorization from the cloud provider (AWS, Azure, GCP all have penetration testing policies)
  4. Social engineering must comply with privacy laws (GDPR, CCPA) — employee data collected during phishing must be handled accordingly
  5. Cross-border testing may implicate multiple jurisdictions — engage legal counsel before testing systems in foreign countries

Ethical Boundaries

Ethical Principle Guideline
Do no harm Never deliberately disrupt business operations, corrupt data, or cause system outages
Minimize exposure Captured credentials and PII must be encrypted, access-controlled, and destroyed after engagement
Proportionality Use the minimum intrusion necessary to demonstrate the risk
Transparency Report all findings honestly, including techniques that were detected
Professionalism Never mock or shame individuals who fell for social engineering

ATT&CK Technique Mapping — Full Engagement Lifecycle

Phase ATT&CK Tactic Technique ID Technique Name Blue Team Detection
Reconnaissance TA0043 T1595.001 Scanning IP Blocks Firewall logs: external scan patterns
Reconnaissance TA0043 T1592 Gather Victim Host Info DNS query logs: zone transfer attempts
Resource Development TA0042 T1583.001 Acquire Domains Threat intel feeds: new domain registration monitoring
Resource Development TA0042 T1587.001 Develop Malware Sandbox analysis: unknown binary detonation
Initial Access TA0001 T1566.001 Spear-Phishing Attachment Email gateway: attachment analysis, sandboxing
Initial Access TA0001 T1078 Valid Accounts Azure AD / Entra ID: impossible travel, anomalous logon
Execution TA0002 T1059.001 PowerShell Event 4104: ScriptBlock logging, AMSI
Persistence TA0003 T1053.005 Scheduled Task/Job Event 4698: new task creation on servers
Privilege Escalation TA0004 T1068 Exploitation for Priv Esc EDR: process injection, token manipulation alerts
Defense Evasion TA0005 T1027 Obfuscated Files or Info EDR: entropy analysis, YARA rules
Credential Access TA0006 T1558.003 Kerberoasting Event 4769: RC4 TGS requests
Discovery TA0007 T1087.002 Domain Account Discovery LDAP query volume monitoring
Lateral Movement TA0008 T1021.002 SMB/Admin Shares Event 4624 Type 3: unexpected source
Collection TA0009 T1005 Data from Local System DLP: sensitive file access patterns
Exfiltration TA0010 T1041 Exfil Over C2 NDR: large outbound transfers to uncategorized domains
Impact TA0040 T1486 Data Encrypted for Impact EDR: mass file encryption behavior

Exam Prep & Certifications

Relevant Certifications

The topics in this chapter align with the following certifications:

  • OSCP — Domains: Penetration Testing Methodology, Exploitation, Reporting
  • OSEP — Domains: Advanced Evasion, Active Directory Attacks, Custom Tooling
  • GIAC GXPN — Domains: Advanced Penetration Testing, Exploit Research
  • GIAC GPEN — Domains: Penetration Testing, Methodology, Scoping

View full Certifications Roadmap →

Review Questions

Review Questions

  1. What is the primary difference between a penetration test and a red team engagement? Explain how the objectives, scope, and deliverables differ between the two assessment types.

  2. Why is a deconfliction plan essential for red team engagements? Describe a scenario where the absence of deconfliction leads to negative business outcomes.

  3. What are the responsibilities of a trusted agent during a red team engagement? List at least five responsibilities and explain why the trusted agent should not be a SOC analyst.

  4. Compare CBEST and TIBER-EU frameworks. Identify at least three similarities and three differences between these intelligence-led red teaming standards.

  5. Design a Rules of Engagement document for a hypothetical engagement. Your client is a mid-size hospital. What social engineering constraints would you include? What systems would you place out of scope?

  6. Explain how purple team exercises maximize the value of red team operations. Describe the iterative process of technique demonstration, detection validation, and rule tuning.

  7. What legal risks does a red team face when testing cloud-hosted assets? Explain why client authorization alone may be insufficient and what additional steps are required.

  8. How should a red team report communicate risk to executive stakeholders? Describe the structure of an effective executive summary and how it differs from technical findings.

Key Takeaways

Key Takeaways

  1. Red teaming tests detection and response, not just vulnerabilities — the engagement should be designed to evaluate whether the organization can detect and respond to realistic adversary operations.

  2. Written authorization is non-negotiable — every engagement must have signed legal authorization from asset owners before any activity begins, including passive reconnaissance.

  3. Deconfliction prevents costly false escalations — a trusted agent, deconfliction codes, and clear communication channels protect both the red team and the client organization.

  4. Rules of Engagement define the operational boundaries — the RoE document governs authorized activities, data handling, emergency procedures, and ethical constraints.

  5. Purple team integration maximizes defensive value — every red team technique should be paired with detection logic validation, turning offensive findings into defensive improvements.

  6. Industry frameworks provide structure and credibility — CBEST, TIBER-EU, and MITRE ATT&CK provide standardized methodologies that satisfy regulatory requirements.

  7. The report is the product — a well-structured report with executive summary, attack narrative, detection gap analysis, and remediation roadmap is the primary deliverable.

  8. Ethics and professionalism are foundational — red teams must operate with integrity, minimizing harm, protecting captured data, and respecting the individuals who participate in social engineering exercises.