
Red Team Assessment Phases: Reporting

December 18, 2018 by Howard Poston

Reporting is the final and potentially most important phase of a red team assessment. The goal of a red team assessment is to provide the client with a comprehensive view of their security and the ability to act to correct any identified issues. Any part of the assessment that the client can’t understand and act upon based on the report might as well not have happened, so it benefits everyone if the team puts in the time and effort to develop a clear and comprehensive report of the assessment.

Scoping the Phase

The goal of the reporting phase of a red team assessment is to convey the crucial information discovered during the course of the assessment to the customer. In this phase, the red team needs to distill all of the data collected throughout the exercise into the essential information the customer needs, and convey it in a way that is valuable to both non-technical executives and the technical security team.


Achieving Phase Goals

The reporting phase of an assessment should end with the client being presented with a report that covers all of the information they need to know regarding the assessment. To reach this point, the red team needs to identify which information is essential, organize it into a format the customer can consume, and write the report in a way that brings value to the client and encourages a healthy working relationship.

Identifying Important Information

The first step in the reporting stage of a red team assessment is identifying what does and does not need to be included in the report. This varies from assessment to assessment based on the needs and wishes of the client, but a few pieces of information are always good to include in the text of the report.

The first of these is any vulnerabilities identified in the course of the assessment. The reason that the client is paying the red team is to identify vulnerabilities that they need to address in their network’s defenses. The red team should have comprehensive notes on how each vulnerability was detected and how it can be exploited so that the client can verify the vulnerability and test potential remediations.

The second is a complete record of the red team’s operations on the system. With many members of the team, several operations may be running in parallel, but taking the time to organize the results and put together a timeline of the attack is worthwhile. It helps the team in crafting their report, and it helps the client understand the attack as a whole and perform a retrospective review of their systems, logs and reports to identify any indicators of the attack that they may have missed while the assessment was going on.
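As an added example that is not part of the original article, the following Python merges per-operator activity logs into one UTC-ordered timeline and derives, for each host, the window the client's security team should review in its own logs. The log format, hostnames, operator names and finding IDs are all constructed for the example.

```python
"""Merge per-operator red team activity logs into one UTC-ordered attack timeline.

Added example, not from the original article. The JSON-lines format, operators and
hosts below are constructed; a real team would export these from its C2 or note tool.
"""
import json
from datetime import datetime, timezone

# Constructed sample: two operators worked in parallel and logged in different local offsets.
OPERATOR_LOGS = {
    "alice": [
        '{"ts": "2018-12-03T09:15:00-05:00", "host": "dc-01", "action": "port scan", "finding": "F-2"}',
        '{"ts": "2018-12-03T10:40:00-05:00", "host": "dc-01", "action": "credential reuse confirmed", "finding": "F-2"}',
    ],
    "bob": [
        '{"ts": "2018-12-03T14:05:00+00:00", "host": "ws-12", "action": "phishing link clicked", "finding": "F-1"}',
        '{"ts": "2018-12-03T15:10:00+00:00", "host": "ws-12", "action": "beacon established", "finding": "F-1"}',
    ],
}


def parse_entries(operator, lines):
    """Parse one operator's JSON lines, normalising every timestamp to UTC."""
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
        yield {"ts": ts, "operator": operator, "host": rec["host"],
               "action": rec["action"], "finding": rec.get("finding")}


def build_timeline(logs):
    """Interleave all operators' entries into a single chronological list."""
    entries = [e for op, lines in logs.items() for e in parse_entries(op, lines)]
    return sorted(entries, key=lambda e: e["ts"])


def host_windows(timeline):
    """Per host, the first and last time the red team touched it: the window the
    client's blue team should search in its own logs for indicators it missed."""
    windows = {}
    for e in timeline:
        first, last = windows.get(e["host"], (e["ts"], e["ts"]))
        windows[e["host"]] = (min(first, e["ts"]), max(last, e["ts"]))
    return windows


def format_timeline(timeline):
    """Render rows for the report's operations-log attachment."""
    return [f"{e['ts'].strftime('%Y-%m-%d %H:%M:%SZ')}  {e['operator']:<6} {e['host']:<6} "
            f"{e['action']}  [{e['finding']}]" for e in timeline]


if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(OPERATOR_LOGS))))
```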

Organizing the Report

The contents and details of the report structure may vary from assessment to assessment. However, most reports will include an executive summary and a detailed description of the assessment, plus appendices and attachments. Knowing what to put where helps a red team avoid wasting their clients’ time and demonstrates the professionalism of the services provided. Offensive Security provides a good sample report showing how this information should be laid out.

Executive Summary

Not everyone is going to have the time, interest or background to read and comprehend a complete report from an assessment. Since management is ultimately the one footing the bill for an assessment, the red team should include a summary of the assessment and its findings that justifies the assessment and can easily fit into an executive’s busy schedule.

This section should generally outline what the assessment covered, any identified vulnerabilities and a ranking of the significance of the various findings. Since the main consumers of this section of the report will probably not have a technical background, the section should contain enough analysis that a reader can get a feel for the current state of their network and understand the major findings and their significance, without being overwhelmed by technical detail or by the length of the section.

Detailed Descriptions

The main body of the assessment report should be a detailed description of the actions taken by the red team, their results and the impact of the findings on the client’s physical and network security. In this part of the report, the goal is to provide a comprehensive view of the actions taken during the assessment, so the author can assume that the audience has a technical background, if not specifically a cybersecurity background.

This section should contain sufficient detail to support the narrative without drowning the reader in trivia. For example, the main report can contain a mid-level description of an attack and the significant results, with full detail being provided in attachments and appendices. When reporting the results of the assessment, red teams need to walk a fine line between providing insufficient information and reducing the reader to skimming the report for key points.

Attachments and Appendices

The attachments and appendices section of the report is where the red team should place any information that is important for the client but not essential for understanding the assessment narrative and the findings of the assessment.

One thing that is extremely useful to the client is example code for exploiting any vulnerabilities detected by the red team. While it’s not the job of the red team to implement solutions to an organization’s security issues, someone will eventually have to do so. Having sample code that exploits the holes that they need to patch both enables the security team to understand the vulnerability and provides them with a means for testing the effectiveness of potential remediations.

Another thing worth including as an attachment to a report is a complete log of the red team’s operations on the target network. Hopefully, nothing will go wrong during the assessment, but if something does, being able to prove that it was not the fault of the red team or that it was covered by the red team assessment agreement can save a lot of legal trouble. Also, if the red team did anything to cover their tracks, the security team or system administrator may want unadulterated logs to give them a complete view of what actually occurred on their systems.

Writing the Report

If the red team has collected all of the appropriate information throughout the course of their assessment, then writing the report should not be very difficult. However, there are a few things to keep in mind when writing the report that can turn clients into repeat customers.

Firstly, the client hired the red team to understand the weaknesses of their network (and possibly physical) security solutions. All content within the report should be factual and not contain any opinions of the red team members. In many cases, red teams learn the “what” rather than the “why,” and misinterpretation and theorizing can potentially cause serious damage to the relationship between the client and the team.

Another thing to keep in mind is that the customer hired the team hoping to get a clean bill of health. While this may not be the case, including some kudos or compliments to the organization’s employees and security team (where appropriate) doesn’t hurt the red team but can really help the organization’s pride and help them swallow the bad news. Unless necessary, an assessment report shouldn’t name names and it should never read like the exploits of James Bond.

Finally, the report from an assessment should look professional. If a red team member can’t be bothered to run spell check and have someone look over their grammar, why would the client trust that they performed a comprehensive and professional assessment? Reporting may not be the most glamorous part of an assessment, but it’s the only part that a client sees first-hand, and it shapes a lot of their opinion of the red team.

Wrapping Up

Even if the customer is not intimately involved in all phases of the assessment, the red team should always be working in the client’s interest. Regardless of the outcome of the assessment, a professional, comprehensive report clearly detailing the services provided and the resulting discoveries helps demonstrate value to all levels of the client organization. A well-executed assessment can help an organization improve its defenses and may encourage the customer to come back to the same team if they have future assessment needs.


Sources

  1. 4 Things Every Penetration Test Report Should Have, Rhino Security Labs
  2. Sample Penetration Testing Report, Offensive Security

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.