Pre-Scoping Questionnaire Crafting

A pre-scoping questionnaire serves as a foundational tool for red team engagements, facilitating meaningful conversations with clients to establish clear objectives, boundaries, and expectations before the assessment begins.

3/2/2025, 3 min read

In the world of red teaming, preparation is crucial for mission success. Well-designed pre-scoping questionnaires form the basis for understanding client needs, establishing rules of engagement, and developing realistic adversary profiles. This blog post outlines how to create and use a pre-scoping questionnaire to ensure your red team engagements are both effective and valuable to your clients.

Use the PDF template in the Resources > Pre-Engagement Planner section to enhance your understanding. You can find a more detailed analysis in the Cyber Red Teaming book.

The Importance

“Proper planning and preparation prevent poor performance. In red teaming, this axiom is not just a catchy phrase—it’s the foundation that determines mission success or failure.” A thorough pre-scoping process helps establish clear expectations, identify potential challenges, and tailor the assessment to the client’s specific threat landscape. Use the pre-scoping questionnaire and adapt it to your specific needs. Most of the time, clients don’t know what to expect or need—it’s our responsibility to provide them with options that deliver value. Gathering this information up front minimizes the effort required later to develop the rules of engagement and scoping documents.

Essential Components

1. Organizational Information

  • Industry and Business Model: Understanding the client’s industry helps identify relevant threat actors and common attack vectors.

  • Size and Structure: Number of employees, locations, and organizational hierarchy provide context for the assessment scope.

  • Critical Assets: Identify the crown jewels—what would cause the most damage if compromised?

2. Technical Environment Details

  • Network Architecture: Request network diagrams, IP ranges, domain information, and cloud environments.

  • Security Controls: Gather information on current security controls such as EDR, IDS/IPS, SIEM, and DLP.

  • Previous Assessments: Information about prior security assessments helps avoid duplication and identifies persistent vulnerabilities.

3. Scope Definition

  • Assessment Goals: What specific security aspects does the client want to test? (e.g., detection capabilities, response procedures, accreditation)

  • Target Systems: Which systems, networks, and applications should be included in the assessment?

  • Out-of-Scope Elements: Identify systems, techniques, or actions to exclude.

4. Rules of Engagement

  • Timing: Determine when testing can occur (business hours vs. after hours).

  • Communication Protocols: Establish emergency contacts and reporting procedures.

  • Acceptable Actions: Define what techniques are permitted (e.g., social engineering, physical access, DoS).

  • Safe Harbor: Outline protections for the red team from legal repercussions when operating within agreed parameters.

5. Threat Actor Profile Development

  • Threat Intelligence: What APT groups or threat actors are most relevant to the client’s industry?

  • TTP Alignment: Based on the MITRE ATT&CK framework, which TTPs should we emulate?

  • Capability Level: What skill level should the simulated adversary possess?

Implementation Strategies

Conducting the Pre-Scoping Interview

The questionnaire serves as a guide for your client interview. Here are some strategies for effective implementation:

  • Involve Key Stakeholders: Ensure that both technical and business leadership contribute so that technical and business objectives are aligned. This is the ideal, but more often than not it does not happen.

  • Use Open-Ended Questions: Allow clients to elaborate on their concerns rather than limiting them to yes/no responses.

  • Document Everything: Record all agreements and decisions for future reference.

Developing an APT Adversary Profile

Using the information gathered during pre-scoping, create a detailed adversary profile:

  • Map to MITRE ATT&CK: Use the MITRE ATT&CK framework to map out the TTPs your simulation will use.

  • Define Capabilities: Outline the tools, techniques, and infrastructure the simulated adversary will employ.

  • Set Objectives: Establish specific goals for the adversary based on the client’s critical assets.

Crafting Rules of Engagement

The pre-scoping data informs the rules-of-engagement document:

  • Specific Limitations: Detail any techniques that are prohibited (e.g., “no social engineering against the CEO”).

  • Timeline: Establish clear start and end dates for the assessment.

  • Escalation Procedures: Define what happens if the red team encounters a critical vulnerability.
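The scope definition, rules of engagement, and adversary profile described above only protect the client if the operators actually check each planned step against them. The following is an added example (not code from the original post) showing how the questionnaire answers can be encoded as data and checked before an action is taken: in-scope and out-of-scope ranges, the agreed timing window, acceptable actions, a specific limitation such as “no social engineering against the CEO”, and the adversary profile’s TTPs. All engagement values, roles and action categories are constructed for a hypothetical client; the ATT&CK technique IDs are real, but their mapping to action categories is an assumption made for the example.

```python
"""Pre-flight rules-of-engagement check (added example, not from the post).

All engagement data here is constructed for a hypothetical client; the field
names mirror the questionnaire sections: scope, out-of-scope elements, timing,
acceptable actions, specific limitations, and the adversary profile's TTPs.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope: list                 # CIDR ranges agreed as targets
    out_of_scope: list             # CIDR ranges excluded; these win over in_scope
    start: str                     # assessment start, ISO-8601
    end: str                       # assessment end, ISO-8601
    after_hours_only: bool         # timing answer: business hours vs. after hours
    business_hours: tuple = (time(8, 0), time(18, 0))
    permitted_actions: set = field(default_factory=set)   # acceptable actions
    limitations: dict = field(default_factory=dict)       # action -> protected roles


# Constructed sample answers (hypothetical; not a real engagement).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.10.0.0/16", "192.0.2.0/24"],
    out_of_scope=["10.10.50.0/24"],          # e.g. a production OT segment
    start="2025-03-10T00:00",
    end="2025-03-28T23:59",
    after_hours_only=True,
    permitted_actions={"phishing", "physical_access", "credential_attacks"},
    limitations={"phishing": {"ceo"}},       # "no social engineering against the CEO"
)

# Constructed adversary profile: real ATT&CK technique IDs mapped to the action
# category each one falls under in this ROE (the mapping is an assumption).
SAMPLE_PROFILE = {
    "T1566": "phishing",            # Phishing
    "T1003": "credential_attacks",  # OS Credential Dumping
    "T1498": "dos",                 # Network Denial of Service
}


def host_in_scope(roe, ip):
    """True if ip falls in an agreed range and not in an excluded one."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in roe.out_of_scope):
        return False
    return any(addr in ipaddress.ip_network(n) for n in roe.in_scope)


def within_testing_window(roe, when):
    """True if the ISO-8601 timestamp is inside the agreed dates and hours."""
    ts = datetime.fromisoformat(when)
    if not datetime.fromisoformat(roe.start) <= ts <= datetime.fromisoformat(roe.end):
        return False
    if roe.after_hours_only:
        bh_start, bh_end = roe.business_hours
        return not (bh_start <= ts.time() < bh_end)
    return True


def action_permitted(roe, action, target_role=None):
    """True if the action is acceptable and not limited for this target role."""
    if action not in roe.permitted_actions:
        return False
    return target_role not in roe.limitations.get(action, set())


def profile_conflicts(roe, profile):
    """ATT&CK techniques in the adversary profile whose category is not permitted."""
    return sorted(t for t, cat in profile.items() if cat not in roe.permitted_actions)


def preflight(roe, ip, action, when, target_role=None):
    """Reasons a planned step violates the ROE; an empty list means cleared."""
    problems = []
    if not host_in_scope(roe, ip):
        problems.append(f"{ip} is not in scope")
    if not within_testing_window(roe, when):
        problems.append(f"{when} is outside the agreed testing window")
    if not action_permitted(roe, action, target_role):
        problems.append(f"{action!r} against role {target_role!r} is not permitted")
    return problems


if __name__ == "__main__":
    # A step that breaks all three boundaries at once: excluded host,
    # business hours, and an action the client did not approve.
    print(preflight(SAMPLE_ROE, "10.10.50.7", "dos", "2025-03-12T10:00", "ceo"))
    # TTPs in the planned profile that the ROE would need to permit first.
    print("profile conflicts:", profile_conflicts(SAMPLE_ROE, SAMPLE_PROFILE))
```

Two design choices matter here. Out-of-scope elements are evaluated before in-scope ranges, so an exclusion carved out of a larger agreed range always wins, which is how clients normally phrase exclusions. And `profile_conflicts` is run while the adversary profile is being built, so a TTP the client never approved is caught during planning rather than during the operation, when it would already be an escalation event.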

Sample Questions

Organizational Information

  • “What are your organization’s most valuable assets or data?”

  • “Which regulatory frameworks apply to your business?”

  • “What would make up a ‘worst-case scenario’ breach for your organization?”

Technical Environment

  • “What security monitoring tools do you employ?”

  • “How is your SOC or incident response team structured?”

  • “What authentication mechanisms are in place for internal systems?”

APT Adversary Development

  • “Are there specific threat actors known to target your industry?”

  • “What attack vectors are you most concerned about?”

  • “Would you like the assessment to focus on persistence, data exfiltration, or another specific objective?”

Conclusion

A well-designed pre-scoping questionnaire is more than just a formality—it’s a critical tool that shapes the entire red team assessment. By gathering information about the client’s environment, objectives, and concerns, you can develop a tailored approach that provides maximum value. The time invested in thorough scoping pays dividends as a more realistic assessment, clearer expectations, and a stronger security posture for your clients.

Remember, as cyber effects continue to reach into both the digital and physical realms, understanding the specific context of each client becomes increasingly important. Your pre-scoping questionnaire should evolve to address emerging threats and changing technology landscapes, ensuring your red team assessments remain relevant and effective.