Red Team Development and Operations: ROE Template

Rules of Engagement (ROE) Template

This is a sample rules of engagement document. Use this as a starting point or reference to create or enhance your own custom template.


Red Team Rules of Engagement

[Company Name and Logo] i♥redteams, Inc.

[TARGET NAME / CUSTOMER] ABC Industries, Inc.

[DATE] December 2018

Executive Summary

The Rules of Engagement (ROE) document the approvals, authorizations, and critical implementation issues necessary to execute the engagement. Signing of the ROE constitutes acknowledgement and approval of the customer, system owner, and Red Team of the Red Team’s authorities in execution of the engagement.

The objectives include: ( see Appendix for details )

  • Objective 1
  • Objective 2
  • Objective 3
  • Objective 4

Explicit Restrictions: ( see Appendix for details )

  • Restriction 1
  • Restriction 2

Authorized Target Space: ( see Appendix for details )

  • IP Range (or set)
  • Domains
  • URLs
  • Network Segments

Activities: ( see Appendix for details )

  • Reconnaissance
  • Access Types
  • Positioning
  • Impacts

Table of Contents

[TOC GOES HERE]

Rules of Engagement Introduction

Purpose

To establish the responsibilities, relationships, and guidelines between the [Red Team] Red Team hereafter referred to as [Red Team], [The Customer], [System Owner], and [any stakeholders required for engagement execution] for conducting a Red Team engagement on [Target Organization, network, or system] hereafter referred to as [Target of Engagement]. The engagement will be conducted from Red Team locations at [address] on target systems located at [IP/Domain, Address].

References

[Applicable References Here]

  1. PIA…
  2. HIPAA …
  3. ISO…

Scope

This agreement is applicable to [business, customer, system, network] for the receipt of Red Team activities. This document will establish the guidelines, limitations, and restrictions for conducting a Red Team engagement.

Definitions

[Short definition of terms]

Rules of Engagement and Support Agreement

a. [Red Team] has been agreed upon to conduct a Red Team engagement and supporting Red Team activities. This document provides the ground rules for planning, executing and reporting the engagement.

b. [Short description of the services requested and information about the requesting entity]. The following systems, networks and/or assets will be included:

  • [List of business/organization systems and networks included]
  • All software and hardware included as a target during the engagement.

c. The Red Team will [list of activities]

  • The engagement is designed to [objectives]. This means the system must [whatever the objectives are designed to test/assess/evaluate/stress].
  • For the Red Team, an open network will be utilized. An open network is defined as a network with access to the Internet.
  • Engagement activities will be conducted using scenarios detailed in the Threat Profile [Appendix x].
  • The customer is responsible for [List of responsibilities].
  • There will be complete and open coordination with all stakeholders required for engagement execution. Stakeholders are the parties represented by the signatories of this document.
  • Red Team activities are limited to the target of engagement.
  • Red Team tools and activities may be intrusive, but will not intentionally disrupt services outside the authorizations of these Rules of Engagement.
  • The Red Team will provide [X] updates ([list each]) as follows:
  • Update 1: [Conditions]
  • Update 2: [Conditions]

d. [Customer] will: [Include list of responsibilities]

  • Provide the Red Team administrative facilities and support for all team personnel as necessary to conduct the engagement (if on-site).
  • Provide support with network and resources for conducting the engagement, including adequate workspace (quiet facility), network drops and power connections for the Red Team’s systems.
  • Provide IP address ranges and administrative support for target of engagement.
  • Coordinate support of Red Team activities, with the appropriate stakeholders.
  • Provide contact information (i.e., names, job titles, phone & email address) to the signatories of this document.
  • Provide to the Red Team the results of the Vulnerability Assessment scans performed prior to the engagement to create the effects of intelligence gathering background efforts expected of a malicious entity.

e. Red Team efforts will be coordinated with [Insert POC position/title] for the duration of the engagement. The Red Team will target only those hosts and Internet protocol (IP) addresses within the confines and control of the target of engagement network.

f. Red Team methods may be intrusive, but should not be destructive, and will be terminated if information is gathered pertaining to an actual intrusion. Red Team is responsible for informing [Insert POC position/title] if an actual intrusion is discovered. [Insert POC position/title] will report the actual intrusion to the appropriate representative, along with any substantiating information regarding the detected intrusion.

g. Red Team operations require the use of exploitation and attack tools and techniques. All tools employed by the Red Team have been extensively tested by the team to ensure they are non-destructive and are under positive control when employed.

h. Red Team systems contain exploit tools, code, and technical references, which are not to be viewed, distributed or evaluated by external organizations.

i. The Red Team will attempt to gain access to the target of engagement.

j. Off-limit IP lists are provided as Appendix [X]. This list should only include those IP ranges within the network that are not part of the engagement.

k. The Red Team may only conduct activities against client networks that provide sufficient notice to system users that their use of those systems constitutes consent to monitoring. It is the responsibility of the target of engagement legal counsel to review these notice procedures and certify they provide sufficient notice.

l. Sensitive information reporting:

  • Vulnerabilities discovered during the engagement that present an immediate risk to life, limb, or eyesight will be reported promptly to [Insert POC position/title] to enable immediate response or action. Representatives of the signatories of this ROE will receive follow-on notification as appropriate.
  • Incidental discovery of information that relates to serious crimes such as sabotage, threats, or plans to commit offenses that threaten a life or could cause significant damage to or loss of customer property, and which does not present an immediate risk, will be reported to the applicable local authorities for action.
  • The Red Team reporting is otherwise conducted in a way that does not attribute information or particular activity to an individual.
  • Red Team activities may not be conducted in support of law enforcement or criminal investigation purposes.

m. Cease operations process:

  • The Red Team will suspend activity upon detection of computer anomalies that could potentially be unauthorized intrusions into target of environment networks. The Red Team will suspend activity when unintentional information as described above is encountered, and until the appropriate reporting has taken place.
  • All engagement activities operate under the direction of the Engagement Director, who may alter or cease activities as necessary.

n. Information usage: - The Red Team will not intentionally compromise Privacy of Information Act (PIA), medical, justice, worship or religious pursuit, or any other protected or privileged information. If a compromise does occur, it will be handled through normal procedures. The proper security personnel will be notified immediately. - The Red Team is authorized to exploit files, email, and/or message traffic stored on the network, as well as communications transiting the network for analysis specifically related to the accomplishment of their objectives. (e.g., identifying user ID’s, passwords and/or network IP addresses in order to gain further access). - The Red Team will not intentionally modify or delete any operational user data, or conduct any Denial of Service attacks. The Red Team will not otherwise intentionally degrade or disrupt normal operations of the targeted systems. - The Red Team reporting is conducted in a way that does not attribute information or particular activity, to a specific individual.

o. Deconfliction process:

  • All detected information assurance incidents, whether real-world or alleged Red Team activity, should immediately be reported using normal incident reporting processes.
  • The [the customer], [system owner (if different)] POC may contact the Red Team’s POC to determine if discovered activities are the result of the Red Team.

p. Deliverables:

  • The Red team will provide an engagement summary presentation for the target of engagement representatives at the completion of the engagement.
  • The Red Team will provide a written summary of the engagement results to the [insert POC position/title] representative within 30 days following completion of the test.

ROE PROVISIONS

The following additional provisions apply to this memorandum:

a. All operations will be conducted within guidelines established by applicable policy, regulations and laws.

b. All contact with computer networks/subnets will be from within the Red Team or target of engagement environment.

c. During the engagement, any deviations from these ROE must be mutually agreed to and approved in writing by the senior representatives for the Red Team, [the customer], [system owner (if different)], and [any stakeholders required for engagement execution].

REQUIREMENTS, RESTRICTIONS, AND AUTHORITY

a. The Red Team will:

  • Provide the appropriate support and input for the planning of the engagement.
  • Coordinate engagement approval and support via this Rules of Engagement (ROE).
  • Inform target of engagement POCs of all team requirements (logistics, administrative, etc.).
  • Coordinate team personnel and administrative issues/concerns with [insert POC position/title].
  • Provide contact information (i.e. names, job titles, phone & email address) to the [customer] representatives.
  • Escalate problems and issues to the appropriate representatives.
  • Upload, where appropriate, indicators on systems to demonstrate a compromised state.
  • When necessary, add/modify/disable accounts (not delete them) on compromised systems.
  • Conduct exploitation with the intent of emulating threat techniques, tactics and procedures.
  • May view/read or modify personal data files, PII, or emails.
  • NOT use unapproved tools.
  • NOT damage systems or networks.
  • NOT conduct denial of service (DOS), except as explicitly approved.

GROUND RULES

This section identifies specific rules associated with the execution of this event.

a. Network Operations

  • All systems outside the IP ranges provided under separate cover are off limits
  • All [insert here] applications that are discovered during network operations will be off limits. This includes the following (list provided)
  • [insert here] are off limits. IP addresses will be provided Appendix [X].

b. Physical Engagement

  • All [insert here] areas are off limits to Red Team personnel including transient movement due to potential loss of life, limb, or eyesight
  • Buildings [0] through [1] are off limits
  • [X] binders in any office will not be inspected, touched or removed.

RESOLUTION OF ISSUES/POINTS OF CONTACT (POC)

Any issues that may develop, which are not covered by this ROE, will be resolved mutually with all stakeholders.

  • CIO Representative: Mr. Joe Snuffy, (555) 555-0001, joe.snuffy@iheartredteams.com
  • CIO: Mrs. Jane Doe, (555) 555-0005, jane.doe@customer.com
  • Red Team Lead: Mr. James Tubberville, 123.456-7890. james@iheartredteams.com
  • Red Team Tech Lead: Mr. Joe Vest, 123.456.7890, joe@iheartredteams.com
  • [Trusted Agent]: Mr. Blah Phisher, 123.456.7890, blah.phisher@customer.com
  • [System Owner]: (REPRESENTATIVE) (PHONE) (EMAIL)
  • [Engagement Director]: (REPRESENTATIVE) (PHONE) (EMAIL)
  • [White Cell Lead]: (REPRESENTATIVE) (PHONE) (EMAIL)
  • [CEO]: (REPRESENTATIVE) (PHONE) (EMAIL)

AUTHORIZATION

This agreement becomes effective upon the date of the last approving official’s signature. Termination of this agreement can be directed by any of the stakeholders listed in this document at any time by giving notice in writing to the non-terminating parties. This agreement can only be modified by mutual written consent of the signatories. Changes must be coordinated by means of an exchange of memoranda between the signatories. This agreement will undergo a review in its entirety with each modification request or by the request of either party after giving notice in writing at least 7 days prior to the review.

Approval

The signatures below denote that all parties have read and agree to this Memorandum of Agreement.

[Sign with signature authority from red team and target organization]

Red Team Target / Customer
Name
Title
Date
Signature

APPENDIX A

List of assets, systems and data Restricted IP Addresses:

Restricted IP Assets

  • 10.10.10.0/24
  • 10.10.11.0/24
  • 10.11.0.0/16

Authorized IP Space

  • 10.10.12.0/24
  • 10.10.13.0/24
  • 10.12.0.0/16

Restricted Hosts:

  • customer_workstation_1-1000
  • customer_server_1-20

Authorized Hosts:

  • PII_workstation_1-1000
  • PII_server_1-20
  • All hosts not expressly restricted

Restricted Buildings:

  • Bldg. 1 Office 310
  • Bldg. 2 Office 600

Authorized Buildings:

  • Buildings 1, 2, 3, 4 All spaces not expressly restricted

APPENDIX B - POINTS OF CONTACT

[Role, Name, Title, Phone, Email, Office]

Engagement Director:

  • Name
  • Phone
  • Email
  • Office Location

Trusted Agent:

  • Name
  • Title: Chief Information Officer
  • Phone
  • Email
  • Office Location

White Cell Lead:

  • Name
  • Title: Chief Executive Officer
  • Phone
  • Email
  • Office Location

Emergency Contact:

  • Name
  • Title: Executive Assistant
  • Phone
  • Email
  • Office Location

Red Team Lead:

  • Name
  • Phone
  • Email
  • Office Location

APPENDIX C – RED TEAM METHODOLOGY

[Example or representative activities only – Detail not required] ]

Get In

  • Reconnaissance
    • Perform Open Source Intelligence (OSINT)
    • Target websites
    • Social Media
    • Search engines
    • Public code repositories
  • Enumeration
    • Identify external assets
    • Perform reverse DNS scan to identify hosts
    • Identify URLs and other external touch points
    • Web presence evaluation
    • Browse as a normal user through a web proxy to capture intelligence and understanding
    • Identify known vulnerabilities and vulnerable conditions
  • Exploitation
    • Attempt to exploit targets based on current knowledge
    • Perform situational awareness on target
    • Attempt Local Privilege Elevation
    • Attempt Domain or other system level Privilege Elevation

Stay-In

  • Post Exploitation
    • Identify domain user/groups memberships
    • Identify IP space
    • Identify file shares
    • Establish persistence
    • Use persistence plan to place agents on target systems
    • Move Laterally
    • Continued Lateral Movement
    • Continued Enumeration

Act

  • Operational Impact
    • Perform planned operational impacts

APPENDIX D – ENGAGEMENT OBJECTIVES

As part of the Red Team engagement, [Red Team] will be replicating the TTPs associated with the group known as [insert group]. Details have been provided in the threat profile listed in the Appendix . This threat has been known to exploit and attack the systems and networks servicing the transactional records, customer order database, and XYZ of organizations similar to [Customer].

Objective 1:

  • Integrity of critical customer transactional data
    • Determine ability of threat to [insert objective]
    • Determine the system’s ability to [insert objective]

Objective 2:

  • Integrity of customer’s order database
    • Determine ability of threat to [insert objective]
    • Determine the system’s ability to [insert objective]

Objective 3:

  • Evaluation of Incident Response Procedures

    • Determine ability of threat to [insert objective]
    • Determine the system’s ability to [insert objective]

APPENDIX E – THREAT PROFILE

As part of the Red Team engagement, [Red Team] will be replicating the TTPs associated with the group known as [insert group]. Details have been provided in the form of threat profile. The profile a description of the threat being portrayed. Details include the threat’s description and technical indicators that a threat leaves behind.

Note: This is a simplified example intended to be used as reference. A full threat profile will likely be several pages in length.

Description

  • General mid-tiered threat that uses common offensive tools and techniques.

Goal and Intent

  • Exist in the network to enumerate systems and information in order to maintain Command and Control to support future attacks.

Key IOCs

  • Cobalt Strike HTTPS beacon on TCP 443
  • Payload: c:\programdata\microsoft\iexplore.exe
  • Timestamp: 7/13/2009 10:04 PM
  • MD5: a7705501c5e216b56cf49dcf540184d0

C2 Overview

  • HTTPS on port 443 Cobalt Strike Beacon with a five-minute callback time. Calling directly to threat-owned domains.

TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.)

Assumed Breach Model, no initial delivery via exploitation. POST-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation limited and determined POST-exploitation.

Exploitation

  • Assumed Breach Model, no exploitation.

Persistence

  • User-level persistence using Microsoft Outlook rule triggered by specific email.

Templates

Rules of Engagement Template (docx)

Last modified January 21, 2020