Common Ground: Planning is Key

Organizational Fit

Assessment Models


Full-Scope Assessment

  • It measures the ability to recognize and respond to unknown threats. The majority of realistic threats an organization faces will be unknown.
  • Allows for the comparison of previously unknown tactics with known signatures and intel to practice categorizing activity.
  • Training of personnel with their real tools in the real environment and a debrief on the results from the attacker perspective.
  • Exercise of the C3 plan and possibly contingency plans depending on the levels of compromise.
  • Training is self-guided by the blue team and their management. Such training requires buy-in and the willingness to participate in the fullest capacity.
  • Requires careful coordination with a trusted agent inside of the blue team. This relationship will ensure proper deconfliction and prevent the engagement from being “gamed”.
  • Sometimes will require trial and error. The red team has to be threat representative and sometimes will underestimate/overestimate the abilities or maturity of the targeted

Red Cell Engagement (Threat Emulation)

  • It measures the ability to respond to known threats that are targeting or have previously targeted the environment. This is the equivalent of doing a retest or reenactment of previous activity (if it had occurred).
  • It tests the adequacy of threat intelligence teams, tools, managed defense teams or signatures in the environment.
  • In the private sector, very few threats are properly known or understood. Battling a known threat limits the training opportunity.
  • In the private sector, the detailed coverage of tradecraft of known adversaries is generally lacking outside of popular threat reporting. This means that the red team will be restricted to a small set of available data and might not adequately test the organization.
  • While sexy to the decision makers, this form of engagement provides less training to the defensive teams because it will restrict the red team from adapting rapidly like a real adversary.

Adversary Simulation

Cooperative Engagement

Threat Models

Training Objectives

Master Scenario Event List (MSEL)

Escalatory Events

  • Action: Lockout Workstation Admin account
  • Time/Date: 1930 on June 23rd 2016
  • Red Team Procedure:
      • Utilize agent to attempt RDP access to a terminal server with a known bad password
      • Repeat previous step until lockout occurs
  • Indicators and Detection Methods:
      • User Ticket Creation
      • Event ID 4740
      • Netflow traffic to/from Terminal Server after hours
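Detection logic for the escalatory event above, as an added example that is not part of the original article: it correlates constructed Event ID 4740 lockout records with constructed netflow records to the terminal server and flags the after-hours case. The hostnames, account names, source addresses, the 10-minute correlation window and the 07:00-19:00 business-hours range are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data modelled on the MSEL event: an account lockout
# (Event ID 4740) caused by repeated RDP attempts against a terminal
# server after hours. Hostnames, accounts and addresses are made up.
TERMINAL_SERVER = "TS01"
BUSINESS_HOURS = (7, 19)   # assumed 07:00-19:00 local; outside is "after hours"

EVENTS_4740 = [
    # 4740 "Caller Computer Name" is the host where the failed logons
    # originated; for RDP attempts against TS01 that is TS01 itself.
    {"time": "2016-06-23 19:30:12", "target_user": "wsadmin",
     "caller_computer": "TS01"},      # the scripted lockout
    {"time": "2016-06-23 09:05:40", "target_user": "jdoe",
     "caller_computer": "WKS-042"},   # benign daytime lockout
]

NETFLOW = [
    {"time": "2016-06-23 19:28:01", "src": "10.0.5.17", "dst": "TS01", "dport": 3389},
    {"time": "2016-06-23 19:29:33", "src": "10.0.5.17", "dst": "TS01", "dport": 3389},
    {"time": "2016-06-23 09:04:10", "src": "10.0.9.3",  "dst": "TS01", "dport": 3389},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_after_hours(t, hours=BUSINESS_HOURS):
    return not (hours[0] <= t.hour < hours[1])

def correlate_lockouts(events, flows, server=TERMINAL_SERVER, window_min=10):
    """Return one alert per 4740 lockout that originated on the terminal
    server and was preceded by RDP flows to that server within the window."""
    alerts = []
    for ev in events:
        if ev["caller_computer"] != server:
            continue
        t = _ts(ev["time"])
        rdp = [f for f in flows
               if f["dst"] == server and f["dport"] == 3389
               and t - timedelta(minutes=window_min) <= _ts(f["time"]) <= t]
        if not rdp:
            continue
        alerts.append({
            "user": ev["target_user"],
            "lockout_time": ev["time"],
            "after_hours": is_after_hours(t),
            "sources": sorted({f["src"] for f in rdp}),
            "rdp_flows": len(rdp),
        })
    return alerts

if __name__ == "__main__":
    for a in correlate_lockouts(EVENTS_4740, NETFLOW):
        print(a)
```

The "User Ticket Creation" indicator is a helpdesk process rather than a log source, so it is not modelled here.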

Wrap Up




Tech: Threat Intel | Photographer @

Justin Warner