Leveraging frameworks and methodologies for offensive security assessments is a best practice to show your customers and clients you have a repeatable, professional offering. No one wants to hire or agree to an ethical hacking engagement without a plan in place that will bring value to the business. Sure there are many organizations that just want that compliance box checked off but that does not mean you need to cut corners. This post covers a list of all the known red team and threat-led penetration testing frameworks available in the industry and by various regulators.
There are many Red Team, Threat-Led Penetration Testing, and Adversary Emulation frameworks available for public use as you can see below. Unfortunately, the terms Penetration Testing, Red Teaming, Adversary Emulation, and Adversary Simulation are all used in various ways by regulators. As information security practitioners, we know we need to understand the scope of work and use the correct name for the assessment (don’t perform Vulnerability Assessment and call it a Red Team engagement).
The general guide is to not reinvent the wheel but to leverage one or a few industry frameworks to create your own internal framework or methodology for performing Red Team Exercises and Adversary Emulations. It is key to ensure you use and document a framework or methodology to ensure your assessments are professional and repeatable. This is a main differentiator in a professional assessment and in offering business value.
Industry Frameworks and Methodologies
Industry frameworks are created by those in the industry to be leveraged by other organizations without forcing any sort of regulatory compliance mandates.
- Cyber Kill Chain – Lockheed Martin - educated many non-technical consumers on how adversaries work and the steps they perform during a breach.
- Unified Cyber Kill Chain – Paul Pols - university paper bringing together a number of Cyber Kill Chains by various industry contributors such as Laliberte, Nachreiner, Bryant, Malone, Lockheed, and MITRE. https://unifiedkillchain.com/
- MITRE ATT&CK - the industry standard and language for Adversary Tactics, Techniques, and Common Knowledge.
- Purple Team Exercise Framework (PTEF) - SCYTHE and industry experts created the Purple Team Exercise Framework (PTEF) to facilitate performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.
Regulatory Frameworks and Methodologies
For those working in highly regulated industries, such as financial institutions, and/or in various jurisdictions, the below regulatory frameworks may be required or suggested to be followed:
- G-7 Fundamental Elements for Threat-Led Penetration Testing - the Group of 7 nations provided guidance on performing Threat-Led Penetration Testing.
- CBEST Intelligence Led Testing – Bank of England - Regulation for financial institutions operating in England.
- Threat Intelligence-Based Ethical Red Teaming – TIBER-EU - framework that can be leveraged by any country in the European Union and offers cross-jurisdiction and mutual recognition of Red Team engagements
- Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore) - focused on financial institutions in Singapore
- Intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority) - focused on financial institutions in Hong Kong
- Financial Entities Ethical Red-Teaming – Saudi Arabian Monetary Authority - focused on financial institutions in Saudi Arabia
- Cyber Operational Resilience Intelligence-led Exercises (CORIE) - for financial institutions in Australia"
- A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association) - given all the country mandated regulatory requirements, the Global Financial Markets Association set off to create a global framework that would meet multiple country’s regulatory requirements. See Figure 1
As one can see, there are many frameworks and methodologies for performing Red Team and Threat-Led Penetration Testing in the industry and in various regulatory jurisdictions. These should serve as a good starting point to building out a Red Team or Purple Team program.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email email@example.com