• caglararli@hotmail.com
  • 05386281520

Red Teaming methodologies focused on op-sec and stealth

Çağlar Arlı      -    34 Views

Red Teaming methodologies focused on op-sec and stealth

We are in the process of developing a Red Teaming team to offer as a service, and one of the biggest obstacles we are struggling with is how to maintain a good op-sec and stealth during engagements.

Since most of our teams' experience comes from Penetration Testing, where you can afford to work with loud tools and scans and don't need to be concerned with detection, we are looking for methodologies that would be focused on stealth during engagements.

We have several methodologies developed over the years about how to approach internal infrastructure or web app pentesting, which really streamlines the test process since you know how to start and what not to forget. But for stealth Red Teaming engagements, where the main goal is to avoid detection, we're not even sure how to start - especially given the more and more advanced nature of detection tools we are up against.

Most of the methodologies or resources I have found so far are either too high-level, or fail to hold up against EDRs, which leads me to this question.

Are there any Red Teaming methodologies that would give us a starting point and introduce us to the mindset required for successful stealth Red Teaming engagement? Something similiar to OWASP Web App testing guide - which gives you a checklist of things you want to watch out for or a set of tools you need to have.

For example, if we take the reconnaissance phase - in traditional announced pentest, you can simply nmap the whole network, run Nessus and you have a pretty good starting point. But for Red Teaming, you can't do that. I'm looking for a methodology that would talk about how to start doing stealthy recon, what settings to watch out for in a stealth nmap scan, or what other concrete techniques or tools to start the recon with, along with some other recommendations of things to do to ensure success, i.e. have a lab with EDR and first try every action there, or consult every action with your SoC.

Are there such resources, or are we pretty much on our own and have to figure it out ourselves?