Post-Engagement & Reporting
The final reports that are issued by the red team are critical to get right. Once the engagement has concluded, these reports are needed by the organisation to help them implement any additional security measures as identified by the red team. If you're coming from a penetration testing background, you may find this report writing incredibly difficult (I did). Many pentest reports can be boiled down to findings such as:
Missing Patch for CVE-XXXX-XXXX
CVSS Score: 10
Rating: Critical
Recommendation: Install patch from Microsoft
However, the issues identified during a red team engagement are much more holistic and systemic, and therefore much harder to address than simply installing patches. Given that these engagements are scenario-based, it leads to a report style that is much more "story-focused".
\
Attack Narrative
An attack narrative should contain the observations made during the engagement, in chronological order. An example of an observation could be:
A vulnerability on this host was identified which allowed an elevation of privilege to that of a local administrator. This enabled the red team to obtain the credentials of other users on this host, which included a Domain Administrator. The red team did not observe any indication that this activity had been detected."
In practice, an observation should be extended to include any relevant technical details.
\
Recommendations
It's not always viable for a red team to provide an effective set of recommendations prior to discussions with the organisation, particularly defenders and incident responders. The red team have their own perspective on the engagement, which is only one side of the coin. In the example observation above, the red team observed no response, but that doesn't make it an accurate reflection of reality.
It could be that the blue team did detect the activity but failed to respond or respond appropriately.
Only through this two-way dialogue can the true gaps be identified.
\
Indicators of Compromise
Red teams may also provide other useful indicators of compromise (IoC) that don't necessarily fit into the observation sections. This is often provided as an annex to the report and can include everything from domain names, IP addresses, artifact filenames, md5 checksums and more. This also helps any deconfliction process at a later date.
There is an excellent set of document templates available on https://redteam.guide.
Last updated