Data handling considerations for red team engagements
Things to keep in mind to protect data generated and gathered during red team engagements.
During a red team engagement, operators often find themselves dealing with data of a sensitive nature. Such data is usually generated or gathered from the following sources:
- Data generated as a result of activities performed by red team operators - This includes commands issued and their output, harvested credentials or hashes, domain user information etc.
- Data gathered during the various reconnaissance phases - This includes data about the target organization, such as employee information, IP address ranges, domain and forest information, applications and services in use, vulnerability information etc., collected by red team operators during initial and subsequent recon activities.
- Data exfiltrated from the target environment - This includes data exfiltrated out of the target organization's network as part of the engagement objective.
- Red team tools and documentation - This includes the red team tool arsenal, their playbooks and standard operating procedures.
Before the engagement enters the execution phase, guidelines must be established to safeguard data in each of the above-mentioned categories. These guidelines must address at least the following:
- Type of data that the red team must not access, under any circumstance. Accessing such data may lead to legal or regulatory violations. This may include medical data, personal financial data, users' personal data stored on their personal devices (in case of BYOD), trade secrets etc. The rules of engagement must clearly define the actions that the red team must take if they come across such data.
- Data that the red team is allowed to exfiltrate, how to protect it before and after exfiltration, and who can access it. For example, the red team may be allowed to dump and exfiltrate a database, but the rules of engagement may require them to encrypt this data with AES-256 before exfiltration, transport it over secure channels, store it in an encrypted folder or drive on the C2 server, and allow access only to a limited set of red team personnel, and only after proper authorization.
- Location where the exfiltrated data can and cannot be stored. Organizations may have geographical restrictions which do not allow them to store sensitive data in particular regions. If exfiltrated data is stored in these regions, the organization may be exposed to hefty legal and regulatory fines. This is one of the key factors that decide which components of the C2 infrastructure can be hosted on the cloud.
- Intent and extent for collecting, gathering, accessing or exploiting data. For example, the objective of the engagement may require the red team to compromise the email server (intent), and in order to prove access they may be allowed to read mails from certain mailboxes only (extent). If a red team operator then randomly accesses an employee's mailbox, that constitutes a violation of the rules of engagement.
- Actions that the red team may and may not perform on the data they are allowed to access. For example, as part of the rules of engagement the red team may be allowed to access and read certain types of data, but they may not delete or modify that data.
- Controls that the red team needs to put in place to protect their toolset, playbooks and standard operating procedures. For example, these may be stored on an encrypted drive in a separate VLAN which only red team members can access.
- Controls that the red team needs to put in place to protect credentials, key material and other such sensitive material harvested during the engagement.
- Controls that the red team needs to put in place to safeguard their equipment and tools while traveling.
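The exfiltrated-data guideline above asks for AES-256 encryption before any data leaves the target and for restricted access afterwards. The following Go program is an added example (not code from this post) showing one way to meet that: each artifact is sealed with AES-256-GCM, and a handling manifest (engagement id, classification, SHA-256 of the plaintext) is bound to the ciphertext as associated data, so the record cannot be altered without the blob failing to open. The engagement id, classification string and sample artifact are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Manifest is the handling record that accompanies a sealed artifact. It is bound to the
// ciphertext as GCM associated data, so editing any field after sealing makes Open fail.
type Manifest struct{ Engagement, Classification, PlaintextSHA256 string }
func (m Manifest) aad() []byte {
	return []byte(m.Engagement + "|" + m.Classification + "|" + m.PlaintextSHA256)
}
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // 32 bytes selects AES-256; 16 or 24 would silently give AES-128/192
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key size validated above
	return cipher.NewGCM(block)
}

// Seal records the plaintext SHA-256 in m and returns nonce||ciphertext||tag.
func Seal(key, artifact []byte, m *Manifest) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(artifact)
	m.PlaintextSHA256 = hex.EncodeToString(sum[:])
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every artifact
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, artifact, m.aad()), nil
}

// Open checks the tag and the manifest binding, then returns the plaintext.
func Open(key, sealed []byte, m Manifest) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], m.aad())
	}
	return nil, errors.New("sealed blob is truncated")
}
```

The key itself must live outside the sealed blob, in whatever key store the rules of engagement designate, and the manifest is what the access-control and chain-of-custody records should reference.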
Red Team Notes
- Data handling considerations for a red team engagement include, but are not limited to:
- Type of data that the red team must not access, under any circumstance.
- Data that the red team is allowed to exfiltrate, how to protect it before and after exfiltration and who can access it.
- Location where the exfiltrated data can and cannot be stored.
- Intent and extent for collecting, gathering, accessing or exploiting data.
- Actions that the red team may and may not perform on the data they are allowed to access.
- Controls that the red team needs to put in place to protect their toolset, playbooks and standard operating procedures.
- Controls that the red team needs to put in place to protect credentials, key material and other such sensitive material.
- Controls that the red team needs to put in place to safeguard their equipment and tools while traveling.
The above are only a subset of data handling considerations, and they will vary from one engagement to another. Data handling guidelines and controls must be finalized before the engagement begins and included in the rules of engagement.