Module 1

Question 1

According to Vest and Tubberville, red teaming is the process of using TTPs to emulate a real-world threat to measure the effectiveness of an organization’s _____, _____, and _____.

Answer 1

people, processes, and technologies

Question 2

What is the primary goal of a red team engagement?

Answer 2

To achieve a pre-agreed operational objective, demonstrating business risk.

Question 3

In the TTP framework, what does ‘Tactics’ represent?

Answer 3

A tactic is the overall tactical goal or the reason for performing an action, such as privilege escalation or lateral movement.

Question 4

In the TTP framework, what does ‘Techniques’ describe?

Answer 4

A technique describes how an adversary will achieve a tactic, such as extracting credentials from LSASS memory.

Question 5

In the TTP framework, what does ‘Procedures’ describe?

Answer 5

A procedure describes the exact step-by-step process of how a technique is performed, such as using Mimikatz to read LSASS memory.

Question 6

What is the primary role of a blue team?

Answer 6

A blue team’s role is to defend an organization from attack by detecting and responding to incursions.

Question 7

What do blue teams heavily rely on to differentiate between malicious and non-malicious activity?

Answer 7

They rely heavily on log telemetry from assets like workstations, servers, and firewalls.

Question 8

Adversary _____ involves mimicking a specific, known threat actor using their established TTPs.

Answer 8

emulation

Question 9

Which type of adversary engagement is narrow in scope and designed to enhance defenses against a specific threat?

Answer 9

Adversary emulation.

Question 10

Adversary _____ involves acting as a hypothetical threat, leveraging unknown or unique TTPs.

Answer 10

simulation

Question 11

Which type of adversary engagement is broad in scope and designed to enhance defenses against a range of threats?

Answer 11

Adversary simulation.

Question 12

What is a common strategy organizations use that combines both emulation and simulation?

Answer 12

They use emulation to set a baseline capability, then use simulation to improve that capability against more advanced TTPs.

Question 13

What is the English translation of the Latin phrase “primum non nocere”?

Answer 13

“First, do no harm.”

Question 14

In the context of red teaming, what is the risk of performing harmful actions like disabling security controls?

Answer 14

Once in place, you cannot guarantee they won’t be abused by another party, increasing the client’s risk exposure.

Question 15

What should a red teamer do before performing any potentially harmful actions during an engagement?

Answer 15

They should ensure the actions are permitted and have the consent of the client, as documented in the rules of engagement.

Question 16

Term: OPSEC (Operations Security)

Answer 16

Definition: A measure of how likely a red team’s actions can be observed and subsequently interrupted by a blue team.

Question 17

OPSEC is a more significant concern during adversary simulation than emulation. Why?

Answer 17

In a simulation, the goal is to achieve the objective without getting caught, whereas emulation is constrained to specific, known TTPs.

Question 18

According to Gartner, what is threat intelligence?

Answer 18

Evidence-based knowledge about a menace or hazard that can be used to inform decisions regarding response.

Question 19

What do the initials STIX stand for in the context of threat intelligence standards?

Answer 19

Structured Threat Information eXpression.

Question 20

What do the initials TAXII stand for in the context of threat intelligence standards?

Answer 20

Trusted Automated eXchange of Indicator Information.

Question 21

Who introduced the attack lifecycle framework known as the ‘Cyber Kill Chain’?

Answer 21

Lockheed Martin.

Question 22

What is the first phase of the Cyber Kill Chain?

Answer 22

Reconnaissance: scouting a target and finding potential attack vectors.

Question 23

What is the ‘Weaponisation’ phase of the Cyber Kill Chain?

Answer 23

Developing a malicious payload.

Question 24

In the Cyber Kill Chain, the ‘Exploitation’ phase refers to what action?

Answer 24

The initial attack of delivering the weaponized payload.

Question 25

What is the 'Command & Control' phase of the Cyber Kill Chain?

Answer 25

Establishing a means of controlling compromised targets.

Question 26

What is the final phase of the Cyber Kill Chain?

Answer 26

Actions on Objectives: achieving the operational goal, such as data theft.

Question 27

What is the most significant shortcoming of the original Cyber Kill Chain framework?

Answer 27

It lacks detail on post-compromise activities, such as how an adversary moves within a network to achieve their objective.

Question 28

Which vendor introduced the 'Targeted Attack Lifecycle'?

Answer 28

Mandiant.

Question 29

In Mandiant's lifecycle, what is the 'Establish Foothold' phase?

Answer 29

Maintaining continued control over a compromised system by installing persistent backdoors.

Question 30

In Mandiant's lifecycle, what is the objective of the 'Move Laterally' phase?

Answer 30

To use obtained credentials to compromise additional systems within the internal network.

Question 31

What modern, widely-used framework serves as a knowledge base of adversary behavior and taxonomy reflecting attack lifecycle phases?

Answer 31

MITRE ATT&CK.

Question 32

What document establishes the authorized targets, restrictions, and objectives for a red team engagement?

Answer 32

The Rules of Engagement (ROE).

Question 33

What is one of the most important 'do's' for tradecraft, essential for reporting and deconfliction?

Answer 33

Log all actions taken during the engagement.

Question 34

What is a key tradecraft 'do' regarding the use of tools and techniques?

Answer 34

Understand how a tool or technique interacts with a target, the changes it makes, and the artifacts it leaves behind.

Question 35

After gaining access to a new system, a red teamer should always perform _____ _____ to understand the environment.

Answer 35

situational awareness

Question 36

Why is it a 'don't' to use untested or pre-compiled public tools on an engagement?

Answer 36

To ensure the tool won't have a negative impact, crash a system, or contain backdoors.

Question 37

What is a major tradecraft 'don't' regarding Command and Control (C2) traffic?

Answer 37

Do not use unencrypted channels for C2.

Question 38

Why should red teams avoid using unencrypted C2 channels like netcat?

Answer 38

Plaintext data is easier for IDS/IPS to detect and it leaves credentials vulnerable to sniffing by third parties.

Question 39

What is the recommended practice for a red team that gains access to sensitive datasets like PII or HIPAA?

Answer 39

Obtain proof of access but do not access or exfiltrate the data itself to avoid causing a data breach.

Question 40

Why is disabling security controls like anti-virus considered a bad practice ('don't') for red teams?

Answer 40

It places unnecessary risk upon the client and weakens their security posture, violating the 'primum non nocere' principle.

Question 41

In the TTP model, gaining access to credentials by extracting them from LSASS memory is an example of a _____.

Answer 41

Technique

Question 42

In the TTP model, 'Credential Access' is an example of a _____.

Answer 42

Tactic

Question 43

Using `sekurlsa::logonpasswords` in Mimikatz to dump credentials from memory is an example of a _____.

Answer 43

Procedure

Question 44

Which attack lifecycle model is represented as having cyclical phases, such as a 'Low privileges Lateral movement cycle'?

Answer 44

The Microsoft-published model.