Common Ground: Planning is Key

Organizational Fit

Assessment Models


Full-Scope Assessment

  • It measures the ability to recognize and respond to unknown threats. The majority of realistic threats an organization faces will be unknown.
  • Allows for the comparison of previously unknown tactics with known signatures and intel to practice categorizing activity.
  • Training of personnel with their real tools in the real environment and a debrief on the results from the attacker perspective.
  • Exercise of the C3 plan and possibly contingency plans depending on the levels of compromise.
  • Training is self-guided by the blue team and their management. Such training requires buy-in and the willingness to participate to the fullest capacity.
  • Requires careful coordination with a trusted agent inside of the blue team. This relationship will ensure proper deconfliction and prevent the engagement from being “gamed”.
  • Sometimes will require trial and error. The red team has to be threat representative and sometimes will underestimate/overestimate the abilities or maturity of the targeted

Red Cell Engagement (Threat Emulation)

  • It measures the ability to respond to known threats that are targeting or have previously targeted the environment. This is the equivalent of doing a retest or reenactment of previous activity (if it had occurred).
  • It tests the adequacy of threat intelligence teams, tools, managed defense teams or signatures in the environment.
  • In the private sector, very few threats are properly known or understood. Battling a known threat limits the training opportunity.
  • In the private sector, the detailed coverage of tradecraft of known adversaries is generally lacking outside of popular threat reporting. This means that the red team will be restricted to a small set of available data and might not adequately test the organization.
  • While sexy to the decision makers, this form of engagement provides less training to the defensive teams because it will restrict the red team from adapting rapidly like a real adversary.

Adversary Simulation

Cooperative Engagement

Threat Models

Training Objectives

Master Scenario Event List (MSEL)

Escalatory Events

  • Action: Lockout Workstation Admin account
  • Time/Date: 1930 on June 23rd 2016
  • Red Team Procedure:
      ◦ Utilize agent to attempt RDP access to a terminal server with a known bad password
      ◦ Repeat previous step until lockout occurs
  • Indicators and Detection Methods:
      ◦ User Ticket Creation
      ◦ Event ID 4740
      ◦ Netflow traffic to/from Terminal Server after hours
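The MSEL entry above lists what the blue team should be able to see when the escalatory event fires. As an added example (not code from the original post), the following Python sketch shows how a defender could wire those two indicators together: Event ID 4740 account lockouts from the Windows Security log, and netflow to a terminal server on the RDP port outside business hours, correlated within a short window so that a single hit can drive the user ticket. The terminal server address, the business-hours window, the account and host names, and the sample records are all constructed for the example; the event and flow records are deliberately simplified to the fields the check needs.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List

# Constructed parameters: the terminal server address and the business-hours
# window are assumptions for this example, not values from the original post.
TERMINAL_SERVERS = {"10.0.5.20"}          # hypothetical terminal server address
RDP_PORT = 3389
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
ACCOUNT_LOCKOUT_EVENT_ID = 4740           # Windows Security: "A user account was locked out"


@dataclass
class WinEvent:
    """Simplified Windows Security event (only the fields the check needs)."""
    event_id: int
    timestamp: datetime
    target_account: str        # account named in the event (TargetUserName)
    caller_computer: str       # host that reported the lockout


@dataclass
class FlowRecord:
    """Simplified netflow record."""
    timestamp: datetime
    src_ip: str
    dst_ip: str
    dst_port: int


def is_after_hours(ts: datetime) -> bool:
    """True when the timestamp falls outside the defined business-hours window."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def lockout_events(events: List[WinEvent]) -> List[WinEvent]:
    """MSEL indicator: Event ID 4740 (account lockout)."""
    return [e for e in events if e.event_id == ACCOUNT_LOCKOUT_EVENT_ID]


def after_hours_rdp(flows: List[FlowRecord]) -> List[FlowRecord]:
    """MSEL indicator: RDP flows to a terminal server outside business hours."""
    return [f for f in flows
            if f.dst_ip in TERMINAL_SERVERS and f.dst_port == RDP_PORT
            and is_after_hours(f.timestamp)]


def correlate(events: List[WinEvent], flows: List[FlowRecord],
              window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Join both indicators: a lockout preceded, within `window`, by after-hours
    RDP traffic to a terminal server. Each hit is what would open the user ticket."""
    rdp = after_hours_rdp(flows)
    hits = []
    for lock in lockout_events(events):
        related = [f for f in rdp
                   if lock.timestamp - window <= f.timestamp <= lock.timestamp]
        if related:
            hits.append({
                "account": lock.target_account,
                "locked_at": lock.timestamp.isoformat(),
                "reported_by": lock.caller_computer,
                "source_ips": sorted({f.src_ip for f in related}),
                "rdp_attempts": len(related),
            })
    return hits


# Constructed sample data mirroring the MSEL entry (lockout at 1930 on 23 June 2016).
D = datetime(2016, 6, 23)
SAMPLE_EVENTS = [
    WinEvent(4624, D.replace(hour=9, minute=5), "jdoe", "WS-114"),      # normal logon, business hours
    WinEvent(4740, D.replace(hour=19, minute=30), "wsadmin", "TS-01"),  # lockout matching the MSEL
]
SAMPLE_FLOWS = [
    FlowRecord(D.replace(hour=14, minute=0), "10.0.7.31", "10.0.5.20", 3389),   # business hours: ignored
    FlowRecord(D.replace(hour=19, minute=22), "10.0.7.31", "10.0.5.20", 3389),  # after hours, terminal server
    FlowRecord(D.replace(hour=19, minute=25), "10.0.7.31", "10.0.5.20", 3389),
    FlowRecord(D.replace(hour=19, minute=28), "10.0.7.31", "10.0.5.20", 3389),
    FlowRecord(D.replace(hour=19, minute=27), "10.0.7.31", "10.0.9.8", 3389),   # after hours, not a terminal server
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(hit)
```

Running the sample produces one hit for the `wsadmin` lockout with three after-hours RDP flows from a single source, which is exactly the evidence the trusted agent on the blue team can use at the debrief to check whether the event was noticed and how quickly the ticket was raised.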

Wrap Up

Justin Warner