Executing Red Team Engagement Planning
Overview
Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins. A well-structured engagement plan ensures the red team simulates realistic adversary behavior while maintaining safety guardrails that prevent unintended business disruption.
Objectives
- Define clear engagement scope including in-scope and out-of-scope assets, networks, and personnel
- Establish Rules of Engagement (ROE) with emergency stop procedures, communication channels, and legal boundaries
- Select appropriate threat profiles from the MITRE ATT&CK framework aligned to the organization's threat landscape
- Create a detailed attack plan mapping adversary TTPs to engagement objectives
- Develop deconfliction procedures with the organization's SOC/blue team
- Produce a comprehensive engagement brief for stakeholder approval
Core Concepts
Engagement Types
| Type | Description | Scope |
|---|---|---|
| Full Scope | Complete adversary simulation with physical, social, and cyber vectors | Entire organization |
| Assumed Breach | Starts from initial foothold, focuses on post-exploitation | Internal network |
| Objective-Based | Target specific crown jewels (e.g., domain admin, PII exfiltration) | Defined targets |
| Purple Team | Collaborative with blue team for detection improvement | Specific controls |
Rules of Engagement Components
- Scope Definition: IP ranges, domains, physical locations, personnel
- Restrictions: Systems/networks that must not be touched (e.g., production databases, medical devices)
- Communication Plan: Primary and secondary contact channels, escalation procedures
- Emergency Procedures: Code word for immediate cessation, incident response coordination
- Legal Authorization: Signed authorization letters, get-out-of-jail letters for physical tests
- Data Handling: How sensitive data discovered during testing will be handled and destroyed
- Timeline: Start/end dates, blackout windows, reporting deadlines
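The scope, restriction and timeline components above are only useful if operators can check a target against them before acting. The following added example (not code from the original page) encodes a constructed ROE and performs that check; all networks, hosts, domains and dates are hypothetical placeholders, and the `ROE` dictionary layout is an assumption of this example rather than any standard format.

```python
import ipaddress
from datetime import datetime

# Constructed sample ROE for illustration only; values are hypothetical.
ROE = {
    "in_scope_networks": ["10.10.0.0/16", "192.0.2.0/24"],
    "restricted_networks": ["10.10.50.0/24"],   # e.g. medical device VLAN, must not be touched
    "restricted_hosts": ["10.10.1.5"],          # e.g. production database server
    "in_scope_domains": ["example.com"],
    # Blackout windows (start, end) in UTC, e.g. a quarter-end financial close.
    "blackout_windows": [
        ("2024-06-28T00:00:00+00:00", "2024-07-01T06:00:00+00:00"),
    ],
    "engagement_start": "2024-06-03T00:00:00+00:00",
    "engagement_end": "2024-07-12T23:59:59+00:00",
}


def _ts(value):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(value)


def check_target(roe, target, when_iso):
    """Return (allowed, reason) for an IP address or hostname at the given UTC time.

    Order matters: time restrictions first, then explicit restrictions, then scope,
    so that a restricted host is refused even when it sits inside an in-scope range.
    """
    when = _ts(when_iso)
    if not (_ts(roe["engagement_start"]) <= when <= _ts(roe["engagement_end"])):
        return False, "outside engagement window"
    for start, end in roe["blackout_windows"]:
        if _ts(start) <= when <= _ts(end):
            return False, "inside blackout window"

    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat as a hostname and match against in-scope domains.
        host = target.lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in roe["in_scope_domains"]):
            return True, "in-scope domain"
        return False, "domain not in scope"

    if any(ip == ipaddress.ip_address(h) for h in roe["restricted_hosts"]):
        return False, "explicitly restricted host"
    if any(ip in ipaddress.ip_network(n) for n in roe["restricted_networks"]):
        return False, "explicitly restricted network"
    if any(ip in ipaddress.ip_network(n) for n in roe["in_scope_networks"]):
        return True, "in-scope network"
    return False, "address not in any in-scope network"


if __name__ == "__main__":
    for tgt in ["10.10.3.7", "10.10.50.9", "10.10.1.5", "mail.example.com", "203.0.113.4"]:
        print(tgt, check_target(ROE, tgt, "2024-06-10T12:00:00+00:00"))
```

Restrictions are evaluated before the in-scope check on purpose: a restricted host that also falls inside an in-scope range must still be refused, which is the usual shape of the "production database inside the corporate /16" case.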
Threat Profile Selection
Map organizational threats using MITRE ATT&CK Navigator to select relevant adversary profiles:
- APT29 (Cozy Bear): Government/defense sector targeting via spearphishing, supply chain
- APT28 (Fancy Bear): Government organizations, credential harvesting, zero-days
- FIN7: Financial sector, POS malware, social engineering
- Lazarus Group: Financial institutions, cryptocurrency exchanges, destructive malware
- Conti/Royal: Ransomware operators, double extortion, RaaS model
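Selecting a threat profile becomes concrete when the chosen groups' techniques are scored against the organization's own attack surface and exported as an ATT&CK Navigator layer. The example below is added here and is not code from the original page or from MITRE; the per-group technique lists are a deliberately abbreviated, illustrative selection (the authoritative lists are the ATT&CK group pages), and the `versions` numbers in the layer are assumptions to be set to the Navigator release actually in use.

```python
import json

# Illustrative, abbreviated technique selections per profile (assumption of this example).
THREAT_PROFILES = {
    "APT29": {
        "T1566.001": "Spearphishing Attachment",
        "T1566.002": "Spearphishing Link",
        "T1195.002": "Compromise Software Supply Chain",
        "T1078": "Valid Accounts",
    },
    "APT28": {
        "T1566.002": "Spearphishing Link",
        "T1003.001": "OS Credential Dumping: LSASS Memory",
        "T1110.003": "Password Spraying",
    },
    "Conti": {
        "T1021.002": "SMB/Windows Admin Shares",
        "T1567": "Exfiltration Over Web Service",
        "T1486": "Data Encrypted for Impact",
    },
}


def _technique_scores(profile_names):
    """Score each technique by how many of the selected profiles use it."""
    scores, names = {}, {}
    for profile in profile_names:
        for tid, name in THREAT_PROFILES[profile].items():
            scores[tid] = scores.get(tid, 0) + 1
            names[tid] = name
    return scores, names


def select_emulation_techniques(profile_names, attack_surface):
    """Techniques present in the organization's attack surface, most-shared first.

    Returns a list of (technique_id, score) tuples for the adversary emulation plan.
    """
    scores, _ = _technique_scores(profile_names)
    chosen = [(tid, s) for tid, s in scores.items() if tid in attack_surface]
    return sorted(chosen, key=lambda item: (-item[1], item[0]))


def build_navigator_layer(profile_names, attack_surface, name="Engagement threat profile"):
    """Build an ATT&CK Navigator layer dict highlighting the selected techniques.

    Techniques the selected actors use but that are absent from the attack surface
    are kept but disabled, so the gap is visible during threat-model review.
    """
    scores, names = _technique_scores(profile_names)
    techniques = []
    for tid in sorted(scores):
        on_surface = tid in attack_surface
        techniques.append({
            "techniqueID": tid,
            "score": scores[tid],
            "enabled": on_surface,
            "comment": f"{names[tid]}; profiles: {scores[tid]}"
                       + ("" if on_surface else "; not in attack surface"),
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumption
        "domain": "enterprise-attack",
        "description": "Profiles: " + ", ".join(profile_names),
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": len(profile_names)},
    }


def layer_to_json(layer):
    """Serialize the layer for import into the Navigator UI."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    surface = {"T1566.001", "T1566.002", "T1003.001", "T1078"}  # constructed example
    print(select_emulation_techniques(["APT29", "APT28"], surface))
    print(layer_to_json(build_navigator_layer(["APT29", "APT28"], surface)))
```

Scoring by the number of selected profiles that share a technique is a simple way to rank which TTPs give the most coverage per emulated step; the disabled entries in the layer are the ones to discuss with the blue team before dropping them from the plan.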
Implementation Steps
Phase 1: Pre-Engagement
- Conduct initial scoping meeting with stakeholders
- Identify crown jewels and critical business assets
- Review previous security assessments and audit findings
- Define success criteria and engagement objectives
- Draft Rules of Engagement document
Phase 2: Threat Modeling
- Identify relevant threat actors using MITRE ATT&CK
- Map threat actor TTPs to organizational attack surface
- Select primary and secondary attack scenarios
- Define adversary emulation plan with specific technique IDs
- Establish detection checkpoints for purple team opportunities
Phase 3: Operational Planning
- Set up secure communication channels (encrypted email, Signal, etc.)
- Create operational security (OPSEC) guidelines for the red team
- Establish infrastructure requirements (C2 servers, redirectors, phishing domains)
- Develop phased attack timeline with go/no-go decision points
- Create deconfliction matrix with SOC/IR team
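A deconfliction matrix only prevents the SOC from chasing red team activity if alerts can be matched against a timestamped activity log quickly. The added example below (not code from the original page) shows that matching on constructed records: every field value, ID and IP address is hypothetical, and the record layout is an assumption of this example rather than any tool's format.

```python
from datetime import datetime, timedelta

# Constructed red team activity log as operators would record it during execution.
RED_TEAM_ACTIVITY = [
    {"id": "RT-001", "operator": "op1", "source_ip": "203.0.113.10", "target": "10.10.3.7",
     "technique": "T1110.003",
     "start": "2024-06-10T09:00:00+00:00", "end": "2024-06-10T09:30:00+00:00"},
    {"id": "RT-002", "operator": "op2", "source_ip": "10.10.3.7", "target": "10.10.1.20",
     "technique": "T1021.002",
     "start": "2024-06-10T10:00:00+00:00", "end": "2024-06-10T10:45:00+00:00"},
]

# Constructed SOC alerts received during the same day.
SOC_ALERTS = [
    {"id": "A-100", "time": "2024-06-10T09:12:00+00:00", "source_ip": "203.0.113.10",
     "dest_ip": "10.10.3.7", "rule": "Multiple failed logons"},
    {"id": "A-101", "time": "2024-06-10T10:20:00+00:00", "source_ip": "10.10.3.7",
     "dest_ip": "10.10.1.20", "rule": "Admin share access"},
    # Same rule, different source host: not in the red team log, must be treated as real.
    {"id": "A-102", "time": "2024-06-10T10:21:00+00:00", "source_ip": "10.10.7.7",
     "dest_ip": "10.10.1.20", "rule": "Admin share access"},
    # Right hosts, but hours after the logged activity ended: also escalated.
    {"id": "A-103", "time": "2024-06-10T13:00:00+00:00", "source_ip": "203.0.113.10",
     "dest_ip": "10.10.3.7", "rule": "Multiple failed logons"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_matching_activity(alert, activities, slack_minutes=5):
    """Return the activity record an alert is attributable to, or None.

    An alert is deconflicted only when source, destination and time all agree;
    a small slack absorbs clock skew and alert pipeline delay.
    """
    when = _ts(alert["time"])
    slack = timedelta(minutes=slack_minutes)
    for act in activities:
        if alert["source_ip"] != act["source_ip"] or alert["dest_ip"] != act["target"]:
            continue
        if _ts(act["start"]) - slack <= when <= _ts(act["end"]) + slack:
            return act
    return None


def deconflict(alerts, activities, slack_minutes=5):
    """Split alerts into those explained by red team activity and those to escalate."""
    result = {"deconflicted": {}, "escalate": []}
    for alert in alerts:
        match = find_matching_activity(alert, activities, slack_minutes)
        if match is None:
            result["escalate"].append(alert["id"])
        else:
            result["deconflicted"][alert["id"]] = match["id"]
    return result


if __name__ == "__main__":
    print(deconflict(SOC_ALERTS, RED_TEAM_ACTIVITY))
```

Requiring source, destination and time to agree is the conservative choice: an alert that shares only an IP with a logged activity (A-103 above) is escalated rather than silently attributed to the red team, which is the failure mode the "Inadequate Deconfliction" pitfall describes from the other direction.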
Phase 4: Documentation and Approval
- Compile engagement plan document
- Review with legal counsel
- Obtain executive sponsor signature
- Brief red team operators on ROE and restrictions
- Distribute emergency contact cards
Tools and Resources
- MITRE ATT&CK Navigator: Threat actor TTP mapping and visualization
- VECTR: Red team engagement tracking and metrics platform
- Cobalt Strike / Nighthawk: C2 framework planning and infrastructure design
- PlexTrac: Red team reporting and engagement management platform
- SCYTHE: Adversary emulation platform for attack plan creation
Validation Criteria
- Signed Rules of Engagement document
- Defined scope with explicit in/out boundaries
- Selected threat profile with mapped MITRE ATT&CK techniques
- Emergency stop procedures tested and verified
- Communication plan distributed to all stakeholders
- Legal authorization obtained and filed
- Red team operators briefed and acknowledged ROE
Common Pitfalls
- Scope Creep: Expanding testing beyond approved boundaries during execution
- Inadequate Deconfliction: SOC investigating red team activity as real incidents
- Missing Legal Authorization: Testing without proper signed authorization
- Unrealistic Threat Models: Simulating threats irrelevant to the organization
- Poor Communication: Failing to maintain contact with stakeholders during engagement
Related Skills
- performing-open-source-intelligence-gathering
- conducting-adversary-simulation-with-atomic-red-team
- performing-assumed-breach-red-team-exercise
- building-red-team-infrastructure-with-redirectors