Contingency Planning for the Red Team

Business Continuity (BC), Incident Response (IR), and Disaster Recovery (DR) are often treated as synonyms because their functions overlap, but each is one component of contingency planning: developing a strategy for action before a disruption (BC), during it (IR) and after it (DR).

Jordyn Short is a cybersecurity analyst and a full-time graduate student at the University of Tampa. Jordyn has studied contingency planning, and contacted Infosecurity with tips on how to be efficient in the preventive, response and post-activity stages.

In this article, the specific focus is on Short’s report on contingency planning strategies for an organization participating in a Red Team exercise.

"I chose to cover this topic because I have observed numerous documents on Contingency Planning, and they are oversaturated with generalized guidance," Short said. "The content is always valuable, but sifting through mounds of text in an effort to create a plan tailored to your organization takes a tremendous amount of time. I think that the cybersecurity community may benefit from integrating 'playbook' concepts when developing Contingency Plans. My goal with this article is to provide a snippet of the aforementioned 'playbook' notion." 

In the personnel section, Short identified the technical personnel as: red team, IT manager, cybersecurity incident response team (CSIRT), cyber threat hunters, cyber network defense team, network infrastructure, help desk and customer service support, and endpoint users. The non-technical personnel are senior management including the CISO, stakeholders, HR, legal, and marketing.

Infosecurity asked why the CISO is counted among the non-technical personnel: would they not be involved in the exercise, or do they need to be kept separate if they are preparing the response?

Short said: “The CISO should definitely be involved. Senior management is responsible for authorizing and defining the scope of the red team activity. During the exercise, they should be informed at a high level (as deemed appropriate by the personnel identified as SMEs). Information should flow to them throughout each stage of the process.”

Short went on to say that ideally, the response preparation should be completed prior to the exercise. “The intent of the exercise is to test an organization’s ability to effectively implement BC/DR/IR policies and procedures; it examines the value and strength of training within an organization, and it allows an organization to remediate vulnerabilities exploited by the red team (i.e. identify what worked and what did not work regarding the policies and procedures and discuss ways to improve the process).”

Short determined that the preventive phase should consist of five steps:

  • Create Contingency Plan policies and procedures
  • Review Policies and Procedures Routinely
  • Maintain Awareness of Emerging Threats via Public, Government, and Private Forums
  • Consistent Training: Technical, Tactical, and Communications
  • Generate and Analyze Cyber Threat Hunt Information Security Reports

The response phase consists of six steps:

  • Identify the Exploit
  • Exercise the Contingency Plan
  • Assign Personnel
  • Create an Event Tracking Ticket and Procedure
  • Review Emerging Threat Reports
  • Contain and Eradicate Red Team Activity

Short said that the response “phase occurs when preventative measures fail to stop the red team.” So is it the case that once the red team gets in, the exercise ends? “The exercise begins once the red team bypasses the preventative measures,” Short said. “This is the time to exercise the ‘response’ phase within the Contingency Plan. The exercise does not end until the activity is contained and eradicated/mitigated.”

Post-activity is the final phase of the contingency planning process and consists of three steps:

  • Perform an After-Action Review
  • Review and Amend TTPs as Necessary/Appropriate
  • Draft a Report Describing the Activity

With a focus on contingency planning, Infosecurity asked whether a company can really do enough contingency planning for an attack it knows is coming (the red team exercise) to protect it against an attack that is more likely to catch it unawares.

Short said that staying active in regard to emerging threats and trends during the preventive phase will assist with preparedness. “There are several OSINT platforms that provide insight into emerging threats, vulnerabilities, and exploits discovered in the wild. There are even times when ‘proof of concepts’ are made publicly available so that controls may be implemented to alleviate an organization’s susceptibility.”

Short’s conclusion was that organizations “should perform research to gain a better understanding about the significance of a legitimate contingency plan and its impact on business continuity”. In our next article, we will look at the development of a contingency plan when the red team is not heading your way.


Jordyn Short is a military veteran from Chicago, IL. She works as a full-time Cyber Security Analyst, and she is currently pursuing her MS in Cybersecurity at the University of Tampa. She is hoping to make an impact on the cybersecurity community through research and innovative thinking. When she is not in school or defending networks, you can find her practicing Jiu Jitsu at Gracie Tampa South. You can reach her on LinkedIn.


What’s hot on Infosecurity Magazine?