
The contact information of the researchers and the supervisor has been removed from this letter.

ANNEX 4: CART FRAMEWORK VERSION 0.1

This is the material that was sent to the recipients during round 1 of the Delphi questionnaire.

The initial model was formed with the purpose of solving the comprehensiveness problem in red teaming. The model is simple and does not include all the recognised challenges and remediations, because the first goal is to see whether the framework idea is conceivable.

CART framework version 0.1 consists of:

- Five continuous activities

- 1 baseline and 3 active phases

- 13 steps that are divided under the phases

- Products that are defined in the backlogs

The model is constructed with the following ideas:

1. A framework needs to be produced with continuous activities, flexible phases and a product backlog to gain comprehensiveness.

2. Consecutive phases receive input from the previous ones. This emphasizes the importance of a structured process, initial analysis and planning.

3. Structured problem solving requires defined steps inside phases with fixed actions and products in order to be understandable and repeatable.

4. Red teaming cannot stop at the presentation of the engagement results.

5. Nothing happens if management does not buy in to the red teaming idea.

Therefore, the framework needs to be easily communicable.

The CART model has five continuous activities:

1. Planning is a structured activity to scope, define and solve a given assignment (problem). Planning defines the objective (what), timeline (when), environment (where), resources (who) and rationale (why) for the execution of the assignment. The plan describes how the assignment is conducted, including a breakdown of products, tasks and responsibilities.

2. Intelligence is a systematic methodology to collect, analyse and disseminate information from several sources and domains. It builds the situational awareness that is a prerequisite for planning, targeting and conducting red team efforts.

3. Targeting is a structured process to analyse systems and create the means to deliver effects to those systems. Targeting receives inputs from planning and intelligence. System analysis is used to describe the target system architecture and break the system down to component level.

4. Communication – Internal communication is an essential element of leading and developing the red team through all phases of the assignment. External communication with the client is a prerequisite for defining objectives and raising awareness. It is needed for coordination and reviews during the engagement and has a significant role in successful follow-on activities during the Provide phase. Collaboration platforms provide the technical capabilities for communication in all activities.

5. Assessment is a continuous activity that supports decision making by analysing progress towards objectives and changes in the environment. Assessment consists of monitoring, evaluation and feedback to all other activities.

and 1 baseline + 3 active phases, which are divided into steps:

The BASELINE is the prerequisite for all the other phases. The baseline is constantly developing. The baseline has only one step, Internal development, which creates the baseline capability. Internal development consists of adopting the idea of a comprehensive agile red teaming framework. This adoption includes preparation of platforms for communication, intelligence, tooling and a service portfolio with predefined product backlogs and courses of action. These reusable components are the building blocks of the framework. Internal development includes active business domain and threat intelligence efforts to build realistic adversary emulation methods. Development and training of the red team's own and affiliated personnel is continuous.

1. PLAN – This phase includes intelligence preparation of the environment and analysis of the future assignment's scope. A concept of operation (CONOPS) is created to manage the future assignment. The planning phase has three steps.

1.1. Scoping – During this step an initial scope is defined with the client. The scope is based on the maturity and needs of the client.

1.2. Mission analysis – Environment and initial factor analysis are done. These create the basis for the initial courses of action (COA) and plans for the engagement. The COA is presented to the client for adjustment and approval.

1.3. Concept of operation – After the course of action is approved by the client, it is refined into a more detailed CONOPS. Detailed planning and analysis are done along with product backlog and sprint planning.

2. ENGAGE – During this phase active intelligence gathering, social engineering, network operations and other actions are commenced. The engagement phase does not have a fixed number of steps; the steps are defined in the CONOPS.

2.1. Intel Sprint 1 – A collection-focused step which builds the understanding of the comprehensive target architecture (not just the technical one).

2.2. Intel Sprint x – Several intel steps can be taken depending on the complexity and size of the target. The following steps should be more focused on analysis and on post-initial-compromise activities such as lateral movement and persistence.

2.3. Attack Sprint x – This step aims to launch the attacks that provide the effects needed for the target (DDoS, locker, wiper, manipulation, physical, etc.). If the production environment is not used for the attack, a simulation needs to be conducted, which aids in the presentation.

2.4. Closure – Removal of modifications and malware from the client's systems and remediation of social engineering effects. A sufficient time slot is reserved for team reporting and preparation of the next phase.

3. PROVIDE – This is the phase where the results of the engagement are reported to the client along with a remediation plan which includes the next steps. The goal is to reassess, design and implement better security. Training and raising the awareness of the client's employees support the implementation. This phase has five steps.

3.1. Hot washup – During this step the results are presented to the client in meetings, workshops and reports. A remediation plan is also introduced.

3.2. Security assessment – The first step in remediation is a comprehensive assessment of current policies, risk management and controls to provide an overview of the security situation and the needed corrections.

3.3. Security design – This step improves on the previous assessment artifacts with corrective measures. User participation from client-side non-security branches is encouraged to increase commitment to security.

3.4. Training & awareness – Various training initiatives are carried out at all levels of the company. Training supports the implementation of newly designed security items, raises awareness and teaches the employees to mitigate crisis situations in simulations and tabletop games.

3.5. Implementation – Support the client in technical and policy implementation issues along with monitoring and threat intel.

The model consists of several different products that are produced during the steps, e.g. the intelligence collection plan, the concept of operation, the target system analysis, the HWU (hot washup) brief, etc. For planning purposes a product backlog is created and tied to the steps, which is easy for clients to follow. Some products are refined constantly during multiple steps and are considered living documents/products.

Products are not presented yet in the initial framework. The CART framework version 0.1 is depicted below.

ANNEX 5: DELPHI QUESTIONNAIRE 1

RED TEAMING QUESTIONNAIRE - 1st DELPHI ROUND 7.-26.4.2019. You may answer in English or in Finnish.

1. Please answer the five questions as a group, based on the material you have read. Open comments are valued.

2. Please describe your group composition with the level of detail you prefer (table below, GROUP COMPOSITION).

3. If you have any additional questions or comments about this questionnaire, please add them to the additional comments part of your answer sheet (table below, ADDITIONAL COMMENTS).

4. Please submit your answer sheet no later than 26 April 2019 to jussi.t.tuovinen@student.jyu.fi and kimmo.j.frilander@student.jyu.fi

Q1 - How well are you acquainted with the background material? Answer from (1) to (5) with the help of the reference grading below.

(1) I just read the basic material (framework abstract and 6 slides)

(2) x

(3) I looked through the background and initial survey material once to get an overall picture.

(4) x

(5) I studied the material thoroughly and understood it.

Q2 - Is the CART framework conceivable? Can you understand and differentiate the purpose of the continuous activities, phases, steps and products?

(1) The framework is obscure.

(2) x

(3) The framework is understandable, but it needs changes.

(4) x

(5) Yes, I could utilise CART framework for red teaming assignments in my organization.

Q3 - Give a grade for the continuous activities from (1) to (5), with the help of the reference grading below.

(1) I cannot understand the purpose of the activities.

(2) x

(3) Activities are needed, but they call for improvement.

(4) x

(5) Activities are justified and their role in different phases and steps is easy to understand.


Q4 - Give a grade for the phases from (1) to (5), with the help of the reference grading below.

(1) I cannot understand the purpose of the phases.

(2) x

(3) Phases are needed, but their sectioning in relation to steps calls for improvement.

(4) x

(5) Phases are justified and they are convergent with activities and steps.

Q5 - Give a grade for the steps from (1) to (5), with the help of the reference grading below.

(1) I cannot understand the purpose of the steps.

(2) x

(3) Steps are needed, but they call for improvement.

(4) x

(5) Steps are justified and their relation to activities and phases is easy to understand.

ANNEX 6: CART FRAMEWORK

These are the pictures that were explained during the second Delphi round as part of the presentation.

SIMPLE CART FRAMEWORK.

COMPREHENSIVE CART FRAMEWORK with product examples.