There are many misconceptions about what effective red team exercises entail. Overall, a Red Team Exercise should involve live testing of an environment to identify potential gaps in security controls. Instead of simply testing an isolated system or identifying patch deficiencies, the engagement should be a true test of the organization’s entire control set.
When scoping a Red Team Exercise the engagement should be flexible and meet the needs of a particular organization. Many decisions need to be made in collaboration with the red team assessors and the partner. This includes starting and entry points during the assessment and proper communication channels. Typically, the red team shouldn’t know much about the environment they are about to assess. Despite this, the red team should provide a project plan and document the types of exploit techniques that will be attempted. This ensures the organization will attain value from the assessment and gives the partner the opportunity to adjust prior to the engagement commencing.
In a Red Team Exercise, the rules of engagement are typically very open. This kind of is an all-out attempt to gain access to a system by any means necessary including cyber penetration testing, testing all wireless and RF systems present for potential wireless access, and testing employees through scripted social engineering and phishing tests. These are real-life exercises carried out by a select group of highly qualified individuals who are contracted to assess a system’s cyber security.