Appendix B – Requirements for Reporting
The following content should be considered when drafting the reports and providing the deliverables.
Note. All reports should only be provided via secure communication channels and shared under on agreed communication protocol (i.e. need-to-have and for-you-eyes-only). Red Team Evaluation Report (RTER)
At the end of the red teaming exercise, the Red Teaming Provider will draft an evaluation test report, which contains an assessment of the Member Organization's cyber security resilience against the executed cyber security attacks. The report should include a diagram of how the attack scenarios were executed. This report should be issued to the White Team, Blue Team and Green Team.
Below the outline of the report and the required elements (not limitative):
Red Team Evaluation Report (RTER) 1. Introduction
2. Executive summary
3. Scope
Scope of the agreed red teaming test
Background on the agreed targeted critical (information) assets and functions
Goal and objectives of the red teaming test
Items which were explicitly out-of-scope
4. Control Framework - references
F.E.E.R. Framework
OWASP (Top-10)
Others
5. Execution Methodology
Listing all the attack stages and actions performed by the Red Team during the red teaming test
How the each attack scenario was conducted, how, when and where (i.e. the exploited cyber kill chains, summarized in the form of attack vector diagrams)
Explanation of the Cyber Kill Chain methodology and Tactics, Techniques and Procedures that were planned and eventually executed
The timeline of activities performed (dates and time)
What specific tools or software and methods were used during the attack scenarios
Methodology for the risk rating for the observations
6. Observations
Listing of the identified vulnerabilities and the weaknesses of events that did occur
Observations focused on people, process and technology
Observations focused on detection, response and recover
Suggested risk description and risk rating for each observations
Recommendations on suggested improvements
7. Conclusions
An overall conclusion of the cyber resilience of the Member Organization
Detailed conclusions for each attack scenario performed
A conclusion per agreed critical information assets or function
Appendices
The list of involved teams and team members
Screenshots with evidence
Any other supportive materials
The report should be classified as: Confidential
Blue Team Report (BTR)
After the distribution of the Red Team Evaluation Report, the Blue Team will generate their own report. This report should be based on the monitoring and detection alerts, response and recover activities and process-steps taken by the Blue Team during the exercise. The report should include the defense and monitoring techniques and capabilities that the Blue Team is currently using to detect cyber security attacks (e.g. events, alerts, incidents). The report should also include the Blue Team's observations regarding the identified limitations or weaknesses.
Below the outline of the report and the required elements (not limiative):
Blue Team Report (BTR) 1. Introduction
2. Executive summary
3. Background of the report
Goal and objectives of the red teaming test
4. Introduction into the financial sector current threat landscape and cyber-attack trends
5. Explanation of the current incident handling, incident response and crisis management processes regarding cyber incidents within the Member Organization
Process flows
People/teams involved
Overview of the relevant tasks and responsibilities
6. Time line of the detected activities or generated alerts (against the performed red teaming exercise and activities)
7. Observations per performed attack scenario (chronological)
First notification(s) or s)
The monitoring and defense tools and techniques used
Incident response plan and steps performed (e.g. was the crisis management organization activated and what where the observations)
Involvement of other departments (e.g. Help desk, CISO, CIO, HR, Legal, Public Relations)
What where the results reported by the Red Team
What went well or what can or should be improved
Results of the root-cause analysis performed
8. Recommendations or areas of improvement
Recommendations focused on people, process and technology,
Recommendations focused on detection, response and recover
Suggested priority rating for each recommendation
Roadmap for the suggested improvements
Suggested input for upcoming cyber security awareness campaigns
9. Conclusions
An overall conclusion of the current cyber resilience state of the Member Organization
The conclusions regarding the required and suggested improvements (from both the Blue and Red Team)
Detailed conclusions for each attack scenario performed and the state of the current capabilities of the Blue Team
Appendices
The list of involved departments, teams and team members
Screenshots with supporting evidence
Any other supportive materials
The report should be classified as: Confidential
Remediation Plan (RP)
The White Team should draft a Remediation Plan, which should be based on the Red Teaming Evaluation Report and the Blue Team Report. The remediation plan should provide clear areas of improvements, priorities and a roadmap how and when to improve the prevention (e.g. hardening), detection, response and recover capabilities within the Member Organization. Important is that the status and progress of the remediation plan is monitored and periodically reported to the Cyber Security Committee of the Member Organization as well as the Green Team.
Below the outline of the report and the required elements (not limitative):
Remediation Plan (RP) 1. Introduction
2. Executive summary
3. Background of the remediation plan
Goal and objectives of the remediation plan
4. Target audience and stakeholders
5. Agreed recommendations and areas of improvement provided by the Red and Blue Team
Agreed recommendations focused on people, process and technology,
Agreed recommendations focused on (prevention) detection, response and recover
Agreed priority rating for each recommendation
6. Prioritized list of the agreed areas of improvement
7. Agreed Remediation Plan
What, when, where, and how
Overview of the persons-to-act (e.g. where possible involvement business management)
Agreed due dates
8. Roadmap for the agreed and prioritized improvements
9. Frequency of updating the Cyber Security Committee of the Member Organization and the Green Team
10. Project Management Organization
People/teams involved
Overview of the relevant tasks and responsibilities
Appendices
The list of involved departments, teams and team members
Screenshots with supporting evidence
Any other supportive materials
The remediation plan should be classified as: Confidential / Internal Use Only
Red Teaming Test Summary Report (RTTSR)
When the Remediation Plan is finalized, the White team will generate a summary test report (fully anonymized) in order to share via SAMA (i.e. the Green Team Test Manager) to all relevant Member Organization Committees (e.g. the BCIS). The summary test report should cover the current threat landscape for the financial sector, the red teaming test results and the observed weaknesses or vulnerabilities during the red teaming test and should include the lessons learned.
This report should only be provided via a secure communication channel and shared under an agreed communication protocol (i.e. need-to-have and for-you-eyes-only).
Below the outline of the report and the required elements (not limitative):
Red Teaming Test Summary Report (RTTSR) 1. Introduction
2. Personalized distribution list (to ensure the agreed communication protocol)
3. Executive summary
4. Background of the executed red teaming test
5. The financial sector current threat landscape and recent cyber-attack trends
6. The outline of each attack scenarios executed
Listing of the most relevant identified vulnerabilities and weaknesses
Most relevant observations focused on people, process and technology
Most relevant observations focused on detection, response and recover
7. Lessons learned
8. Suggestions for the Financial Sector
9. Recommendations for adjusting the Saudi Arabian Financial Entities Ethical Red Teaming Framework
The Red Teaming Test Summary plan should be classified: Highly Confidential (need-to-have and for- you-eyes-only)