
Red Team and Threat-Led Penetration Testing Frameworks

December 30, 2020

Leveraging frameworks and methodologies for offensive security assessments is a best practice that shows customers and clients you have a repeatable, professional offering. No one wants to hire or agree to an ethical hacking engagement without a plan in place that will bring value to the business. Sure, there are many organizations that just want a compliance box checked off, but that does not mean you need to cut corners. This post covers a list of the known red team and threat-led penetration testing frameworks available in the industry and from various regulators.

There are many Red Team, Threat-Led Penetration Testing, and Adversary Emulation frameworks available for public use, as you can see below. Unfortunately, the terms Penetration Testing, Red Teaming, Adversary Emulation, and Adversary Simulation are all used in different ways by regulators. As information security practitioners, we know we need to understand the scope of work and use the correct name for the assessment (don’t perform a Vulnerability Assessment and call it a Red Team engagement).

The general guidance is not to reinvent the wheel but to leverage one or a few industry frameworks to create your own internal framework or methodology for performing Red Team Exercises and Adversary Emulations. It is key to use and document a framework or methodology so that your assessments are professional and repeatable. This is a main differentiator of a professional assessment and of the business value it offers.

Industry Frameworks and Methodologies

Industry frameworks are created by those in the industry to be leveraged by other organizations without forcing any sort of regulatory compliance mandates.

  • Cyber Kill Chain – Lockheed Martin – educated many non-technical consumers on how adversaries work and the steps they perform during a breach.
  • Unified Cyber Kill Chain – Paul Pols – a university paper bringing together a number of Cyber Kill Chains by various industry contributors such as Laliberte, Nachreiner, Bryant, Malone, Lockheed, and MITRE.
  • MITRE ATT&CK – the industry standard and common language for Adversary Tactics, Techniques, and Common Knowledge.
  • Purple Team Exercise Framework (PTEF) – SCYTHE and industry experts created the Purple Team Exercise Framework (PTEF) to facilitate performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.

Regulatory Frameworks and Methodologies

For those working in highly regulated industries, such as financial institutions, and/or in various jurisdictions, the regulatory frameworks below may be required or recommended:

Figure 1 from https://xkcd.com/927/

As one can see, there are many frameworks and methodologies for performing Red Team and Threat-Led Penetration Testing in the industry and across regulatory jurisdictions. These should serve as a good starting point for building out a Red Team or Purple Team program.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn able to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information, email info@scythe.io.
