Rules of Engagement

| Section Name | Section Details |
|---|---|
| Executive Summary | Overarching summary of all contents and authorization within the RoE document |
| Purpose | Defines why the RoE document is used |
| References | Any references used throughout the RoE document (HIPAA, ISO, etc.) |
| Scope | Statement of the agreement to restrictions and guidelines |
| Definitions | Definitions of technical terms used throughout the RoE document |
| Rules of Engagement and Support Agreement | Defines obligations of both parties and general technical expectations of engagement conduct |
| Provisions | Defines exceptions and additional information from the Rules of Engagement |
| Requirements, Restrictions, and Authority | Defines specific expectations of the red team cell |
| Ground Rules | Defines limitations of the red team cell's interactions |
| Resolution of Issues/Points of Contact | Contains all essential personnel involved in an engagement |
| Authorization | Statement of authorization for the engagement |
| Approval | Signatures from both parties approving all subsections of the preceding document |
| Appendix | Any further information from preceding subsections |
Campaign Planning
| Type of Plan | Explanation of Plan | Plan Contents |
|---|---|---|
| Engagement Plan | An overarching description of the technical requirements of the red team. | CONOPS, Resource and Personnel Requirements, Timelines |
| Operations Plan | An expansion of the Engagement Plan. Goes further into the specifics of each detail. | Operators, Known Information, Responsibilities, etc. |
| Mission Plan | The exact commands to run and the execution time of the engagement. | Commands to run, Time Objectives, Responsible Operator, etc. |
| Remediation Plan | Defines how the engagement will proceed after the campaign is finished. | Report, Remediation consultation, etc. |
Engagement Plan:
| Component | Purpose |
|---|---|
| CONOPS (Concept of Operations) | Non-technically written overview of how the red team meets client objectives and targets the client. |
| Resource plan | Includes timelines and information required for the red team to be successful, along with any resource requirements: personnel, hardware, cloud requirements. |
Operations Plan:
| Component | Purpose |
|---|---|
| Personnel | Information on employee requirements. |
| Stopping conditions | How and why the red team should stop during the engagement. |
| RoE (optional) | – |
| Technical requirements | What knowledge the red team will need to be successful. |
Mission Plan:
| Component | Purpose |
|---|---|
| Command playbooks (optional) | Exact commands and tools to run, including when, why, and how. Commonly seen in larger teams with many operators at varying skill levels. |
| Execution times | Times to begin stages of the engagement. Can optionally include exact times to execute tools and commands. |
| Responsibilities/roles | Who does what, and when. |
Remediation Plan (optional):
| Component | Purpose |
|---|---|
| Report | Summary of engagement details and report of findings. |
| Remediation/consultation | How will the client remediate findings? This can be included in the report or discussed in a meeting between the client and the red team. |
The Concept of Operations (CONOPS) is the part of the engagement plan that gives a high-level overview of how an engagement will proceed; it is comparable to the executive summary of a penetration test report. The document serves as a reference for the business/client and as a reference the red cell builds on and extends into the further campaign plans.
The CONOPS document should be written as a semi-technical summary, assuming the target audience/reader has zero to minimal technical knowledge.