Planning Red Team Engagements


Aligned to SOC 2, ISO 27001, and CMMC 2.0

Purpose. Provide a concise, standards-aligned handbook for planning and executing authorized red team engagements that measurably improve defensive posture and produce audit-ready evidence.

Scope. Enterprise environments (on-prem, cloud/SaaS, identity, endpoints, networks). This article is written for organizations conducting authorized security testing; nothing herein should be used for illegal activity.




1) Where Red Teaming Fits in Your Compliance Stack

  • SOC 2. Red team results provide objective evidence for Security & Availability criteria (e.g., monitoring, incident response, and vulnerability management) that underpin SOC 2 examinations; they do not replace controls, but validate them.
  • ISO/IEC 27001:2022. Red team exercises support the ISMS lifecycle (risk treatment, performance evaluation, continual improvement) and the security testing/monitoring controls referenced by 27001 with implementation guidance in 27002.
  • CMMC. For defense contractors, red teaming is a powerful way to verify capabilities required under NIST SP 800-171 (Level 2) and to stress test incident response and monitoring ahead of assessments defined in the CMMC program rule (32 CFR part 170).

2) Operating Principles & Ethics

  • Written authorization is mandatory. Obtain signed authorization and scope from the proper authority before any testing. Plan engagements per NIST SP 800-115, which lays out preparation, legal/coordination considerations, and risk management for security testing.
  • “Assurance with safety.” CISA’s Red Team Assessment guidance emphasizes realistic adversary simulation while protecting business operations—use it to shape safe, measurable objectives.
  • Integration with IR. Red teaming should feed your incident response program and exercises (playbooks, detection tuning). Align handoffs and lessons learned with NIST SP 800-61 Rev. 3.

3) Engagement Lifecycle

The following flow is based on NIST SP 800-115 (adapted for objective-based red teaming).

  1. Plan & Design

    • Business objectives → threat scenarios → acceptance criteria.
    • Define scope/constraints, data-handling rules, safety guardrails, and communications matrix.
  2. Reconnaissance (OSINT & Targeted Discovery)

    • Enumerate publicly exposed assets, identity/SSO posture, external attack surface.
    • Validate in-scope targets and deconfliction points.
  3. Initial Access & Foothold (Objective-led)

    • Attempt in-scope access paths (e.g., credential reuse tests, misconfigurations) as approved in the ROE.
    • Establish controlled footholds with strong OPSEC and logging to support later forensics.
  4. Privilege Escalation, Lateral Movement, and Objective Actions

    • Move only as required to reach the agreed objectives; minimize operational impact.
    • Maintain detailed activity logs and indicators for blue team replay.
  5. Proof of Impact & Controlled Exfiltration (If in Scope)

    • Demonstrate objective attainment with minimally invasive proofs (e.g., screenshots, cryptographic hashes, synthetic “canary” data).
  6. Clean-up & Verification

    • Remove access, revert changes, validate with stakeholders that systems are back to pre-test state.
  7. Reporting & Retrospective

    • Executive summary, ATT&CK-mapped TTPs, timeline, evidence, business impact, and prioritized fixes.
    • Purple-team working session to convert findings into detections and control improvements.

4) Threat-Informed Emulation with MITRE ATT&CK

Build your scenarios around MITRE ATT&CK (Enterprise Matrix) so findings are portable, measurable, and easy to translate into detections. Use technique IDs in your plan, collect per-technique evidence, and provide a heatmap of observed vs. prevented behaviors.

Tip: When testing Windows identity pivots, consult the ATT&CK platform-specific matrices to keep TTPs precise and reproducible.


5) Scoping & Rules of Engagement (ROE)

Scope dimensions

  • Objectives: e.g., “obtain read-only access to crown-jewel repository” or “reach finance data store and exfiltrate a canary record.”
  • In/Out of Scope Systems: cloud accounts, identity providers, production data, SaaS tenants.
  • Techniques Allowed/Disallowed: phishing (yes/no), physical access (yes/no), social engineering (yes/no), supply-chain targets (yes/no).
  • Constraints: maintenance windows, performance thresholds, forbidden data types.
  • Safety Controls: time-boxed operations, “kill-switch,” real-time comms with a white cell.
  • Evidence Standards: timestamps, command transcripts, hashes of artifacts, ATT&CK technique IDs.

Why it matters to the frameworks

A tight ROE and documented scope demonstrate responsible governance under SOC 2 description/criteria, align with ISO 27001 ISMS planning and control operations, and help substantiate CMMC assessment objectives in Security Assessment (CA) and Risk Assessment (RA) families.


6) Safety, OPSEC & Deconfliction

  • Operational Security (OPSEC): Use dedicated infrastructure, strong encryption, and least-privilege operator accounts. Separate data capture from C2 channels; keep detailed operator logs to enable blue-team replay.
  • Production Safety: Prefer atomic changes, synthetic data, and low-impact proofs. Pre-stage backups or snapshots for any destructive tests; obtain explicit consent per NIST SP 800-115 planning guidance.
  • Deconfliction: Establish a white-cell hotline, real-time chat, and a “stop-now” code word. If the blue team detects you mid-engagement, follow the ROE on disclosure/continuation.
  • Handover to IR: Any real incident indicators discovered during testing must be escalated through the NIST SP 800-61 Rev. 3 incident response process.
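
The evidence standards in section 5 (timestamps, command transcripts, artifact hashes, ATT&CK technique IDs) and the operator logs called for above can be kept in a hash-chained log so later edits or deletions are visible at replay time. This is an added example, not part of the original handbook; the field names, operators, hosts and commands are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(entry: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append_entry(log, ts, operator, technique, command, artifact=b""):
    """Append one operator action, linked to the previous entry's hash."""
    entry = {
        "seq": len(log),
        "ts": ts,                    # UTC, ISO 8601
        "operator": operator,
        "technique": technique,      # ATT&CK technique ID
        "command": command,          # transcript line
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def build_sample_log():
    # Constructed sample actions; nothing here comes from a real engagement.
    log = []
    append_entry(log, "2025-01-14T09:02:11Z", "op1", "T1078", "login svc-build@idp.example")
    append_entry(log, "2025-01-14T09:40:37Z", "op1", "T1021.001", "rdp jump01.example",
                 b"constructed screenshot bytes")
    append_entry(log, "2025-01-14T10:15:02Z", "op2", "T1005", "read canary-record-001",
                 b"constructed canary record")
    return log
```

The chain only shows tampering if the latest entry hash is shared with the white cell outside the log itself, for example at each daily check-in.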

7) Reporting that Drives Remediation

Minimum viable report set

  • Executive Summary: business risk framed against objectives and real-world actors.
  • TTP Catalog: technique-by-technique results mapped to ATT&CK, including artifacts/IOCs for detection tuning.
  • Impact & Evidence: concise proofs, affected assets/users, and data-handling notes.
  • Root Causes & Fixes: control gaps mapped to NIST SP 800-53 control families (for depth) and to NIST SP 800-171 (for CMMC), plus near-term and structural remediations.
  • Purple-Team Plan: backlog of detections to build, hardening changes, playbook updates, and a retest window.

8) Evidence & Framework Crosswalk

This is a concise speaking map; tailor for formal audits/assessments.

| Red team element | SOC 2 (AICPA TSC) | ISO/IEC 27001/27002 | CMMC (basis & families) |
| Authorization, ROE, scope | Supports system description & Security/Availability criteria evidence | ISMS planning, operational control & improvement | NIST 800-171 (CA, RA) evidence and readiness for assessments under 32 CFR part 170 |
| Threat-led objectives & ATT&CK mapping | Evidence of risk-based monitoring/detection | Risk treatment & performance evaluation | SI, AU, IR families validated via scenario testing |
| Execution logs & artifacts | Audit evidence of operations & change | Operational records for monitoring/testing | Evidence package supporting assessor objective tests |
| Report & remediation tracking | Management response evidence | Continual improvement & performance review | POA&M inputs; control effectiveness validation |

9) Metrics that Matter

  • Efficacy: % objectives achieved; median steps to objective; dwell time before detection; % techniques detected vs. prevented.
  • Defender outcomes: mean time to detect/contain (MTTD/MTTC); # new high-fidelity detections deployed; # control hardening changes merged.
  • Program health: % findings remediated on time; retest pass rate; evidence completeness for SOC 2/ISO/CMMC packages.

CISA and NIST guidance encourage measuring both attack outcomes and defensive improvements, not just counts of findings.
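
The per-technique heatmap from section 4 and the efficacy and defender metrics above can be derived by joining the operator log with blue-team alert times. This is an added example, not part of the original handbook; the records are constructed, and it assumes one logged action per technique ID.

```python
from datetime import datetime
from statistics import mean

# Constructed engagement records: (technique ID, executed at UTC, blocked by a control?)
ACTIONS = [
    ("T1566.002", "2025-01-14T08:30:00", True),
    ("T1078",     "2025-01-14T09:02:00", False),
    ("T1021.001", "2025-01-14T09:40:00", False),
    ("T1003.001", "2025-01-14T10:05:00", False),
    ("T1005",     "2025-01-14T10:15:00", False),
]
# Constructed blue-team alerts: technique ID -> first alert time (UTC)
ALERTS = {"T1021.001": "2025-01-14T10:10:00", "T1003.001": "2025-01-14T10:12:00"}


def _t(s):
    return datetime.fromisoformat(s)


def heatmap(actions, alerts):
    """Classify each executed technique as prevented, detected or missed."""
    out = {}
    for tech, ts, blocked in actions:
        if blocked:
            out[tech] = "prevented"
        elif tech in alerts and _t(alerts[tech]) >= _t(ts):
            out[tech] = "detected"   # alert raised at or after the action
        else:
            out[tech] = "missed"     # no alert, or only a stale earlier one
    return out


def metrics(actions, alerts):
    hm = heatmap(actions, alerts)
    share = lambda s: 100 * sum(v == s for v in hm.values()) / len(hm)
    delays = [(_t(alerts[t]) - _t(ts)).total_seconds() / 60
              for t, ts, _ in actions if hm[t] == "detected"]
    unblocked = [_t(ts) for _, ts, blocked in actions if not blocked]
    seen = [_t(alerts[t]) for t in hm if hm[t] == "detected"]
    # Dwell time: first unblocked action to the first alert of the engagement.
    dwell = (min(seen) - min(unblocked)).total_seconds() / 60 if seen else None
    return {
        "pct_prevented": share("prevented"),
        "pct_detected": share("detected"),
        "pct_missed": share("missed"),
        "mean_minutes_to_detect": mean(delays) if delays else None,
        "dwell_minutes_before_detection": dwell,
    }
```

Techniques classified as missed are the direct input to the purple-team detection backlog.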


Appendix A — ROE / Authorization Template

Title: Authorized Red Team Engagement — [Org Name]
Authorizing Official: [Name, Title]
Dates & Timeboxes: [Start → End; maintenance windows]
Objectives: [Business outcomes + success criteria]
In Scope: [Targets, accounts, environments, geos]
Out of Scope: [Forbidden targets/data/third parties]
Techniques Allowed/Disallowed: [e.g., phishing = yes/no; physical = yes/no]
Deconfliction: [White-cell contacts, “stop-now” word, paging rules]
Safety Controls: [performance thresholds, kill-switch, snapshots/backups]
Evidence & Privacy: [PII minimization, hashing, chain-of-custody, retention]
Notification Matrix: [who gets notified when and how]
Legal: [Authorization statement, indemnities, compliance references to NIST SP 800-115]
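
The template fields can also be encoded so that operator tooling refuses any action outside the signed ROE. This is an added example, not part of the original handbook; the key names, address ranges, dates and technique labels are constructed placeholders.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed ROE mirroring the template fields above; every value is a placeholder.
ROE = {
    "window": ("2025-01-13T08:00:00+00:00", "2025-01-17T18:00:00+00:00"),
    "in_scope": ["10.20.0.0/16", "192.0.2.0/24"],
    "out_of_scope": ["10.20.50.0/24"],   # e.g. a third party's segment
    "techniques": {"phishing": False, "physical": False, "credential_reuse": True},
    "stop_now": False,                   # set by the white cell
}


def check_action(roe, target_ip, technique, when):
    """Return (allowed, reason). Deny by default; exclusions beat inclusions."""
    if roe["stop_now"]:
        return False, "stop-now in effect"
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    if not start <= when <= end:         # 'when' must be timezone-aware
        return False, "outside authorized timebox"
    if not roe["techniques"].get(technique, False):
        return False, "technique not authorized"
    addr = ip_address(target_ip)
    if any(addr in ip_network(n) for n in roe["out_of_scope"]):
        return False, "target explicitly out of scope"
    if not any(addr in ip_network(n) for n in roe["in_scope"]):
        return False, "target not listed in scope"
    return True, "authorized"
```

Logging every denial alongside the operator log gives the white cell a record of near-misses to review during the retrospective.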


Appendix B — Scoping Questionnaire

  • What business objectives are most valuable to test (e.g., disrupt billing, read HR data)?
  • Which crown-jewel systems and data classes are in scope?
  • Which entry vectors may be tested (external, partner, insider/assumed breach)?
  • What operational constraints (SLOs, peak hours, vendor change freezes) apply?
  • What safety measures are required (e.g., “read-only proofs,” synthetic data only)?
  • What evidence is required for SOC 2/ISO/CMMC packages?

Appendix C — Deliverable Checklist

  • ☐ Executive summary (business risk & objectives)
  • ☐ ATT&CK-mapped TTP catalog with artifacts/IOCs
  • ☐ Root causes & prioritized fixes, mapped to NIST SP 800-53 and NIST SP 800-171 families
  • ☐ Purple-team plan (detections, hardening, playbook updates)
  • ☐ Evidence bundle (operator logs, hashes, screenshots, consent/ROE) for SOC 2/ISO/CMMC

Authoritative References

  • AICPA Trust Services Criteria / SOC 2 — overview and TSC with revised points of focus.
  • ISO/IEC 27001:2022 — ISMS requirements (with ISO/IEC 27002:2022 implementation guidance).
  • CMMC Program — 32 CFR part 170 and DFARS implementation context; Level 2 based on NIST SP 800-171; Level 3 adds selected NIST SP 800-172 safeguards.
  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (testing methods, planning, legal/coordination).
  • MITRE ATT&CK (Enterprise Matrix) — adversary tactics/techniques for emulation and detection mapping.
  • CISA Red Team Assessment (RTA) — methodology/fact sheet; public lessons-learned advisories.
  • NIST SP 800-61 Rev. 3 (2025) — incident response recommendations aligned to CSF 2.0.
  • NIST SP 800-53 Rev. 5 — security & privacy control catalog used for mapping root causes to control families.
  • NIST SP 800-171 Rev. 2 — security requirements that underpin CMMC Level 2.

Legal & Safety Reminder: Only conduct testing with explicit, written authorization, and follow the ROE and laws in your jurisdiction. This article is for defensive security and compliance readiness.