Chapter 35 Quiz: Red Team Operations
Question 1
What is the primary difference between a penetration test and a red team engagement?
A) Red team engagements are always longer than penetration tests
B) Penetration tests focus on finding vulnerabilities, while red team engagements focus on testing detection and response capabilities
C) Red teams only use open-source tools, while penetration testers use commercial tools
D) Penetration tests include social engineering, while red team engagements do not
Answer: B
While penetration testing aims to discover as many vulnerabilities as possible within a defined scope, red teaming simulates a realistic adversary to test whether the organization's people, processes, and technology can detect and respond to an actual attack.
Question 2
What does the "assumed breach" model in red teaming mean?
A) The red team assumes the organization has already been breached by a real attacker
B) The engagement starts from a point of initial access, skipping the initial compromise phase to focus on post-exploitation detection
C) The blue team is assumed to know about the engagement
D) The red team assumes all defenses will fail
Answer: B
The assumed breach model provides the red team with initial access (such as a workstation or VPN credentials) so the engagement can focus on testing detection and response to post-exploitation activities, where defenders have the most opportunity to detect and contain an attacker.
Question 3
How many tactics does the MITRE ATT&CK Enterprise framework define?
A) 10
B) 12
C) 14
D) 18
Answer: C
The MITRE ATT&CK Enterprise framework defines 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
Question 4
What is Atomic Red Team?
A) A commercial red team consulting firm
B) A nuclear facility security testing framework
C) An open-source library of small, focused tests for individual ATT&CK techniques
D) A government-sponsored adversary simulation program
Answer: C
Atomic Red Team, maintained by Red Canary, provides discrete, self-contained tests for individual ATT&CK techniques. Each atomic test exercises a single technique, enabling systematic testing and continuous validation.
Question 5
What is the purpose of a C2 redirector in red team infrastructure?
A) To speed up communication between the implant and team server
B) To hide the true location of the team server from blue team analysis
C) To encrypt C2 traffic
D) To compress data during exfiltration
Answer: B
Redirectors sit between implants on compromised systems and the team server. They forward C2 traffic while hiding the team server's true IP address. If the blue team identifies and blocks a redirector, the team server remains protected and other redirectors can maintain communication.
Question 6
In purple teaming, what happens when the blue team cannot detect a technique executed by the red team?
A) The technique is marked as out of scope and skipped
B) The red team marks it as a critical finding for the final report
C) Both teams work together to develop and validate a new detection for that technique
D) The blue team is penalized in the exercise scoring
Answer: C
Purple teaming is collaborative. When a detection gap is identified, the red and blue teams work together in real time to develop, test, and validate new detection logic; the red team then tests evasion variants to ensure the detection is robust.
Question 7
What document must always be carried during physical security testing?
A) A printed copy of the ATT&CK framework
B) Authorization documentation ("get out of jail free" letter) signed by authorized company leadership
C) A list of all physical security vulnerabilities found
D) The red team's insurance policy
Answer: B
A signed authorization letter from company leadership must be carried at all times during physical testing. If confronted by security personnel or law enforcement, this letter provides proof that the testing is authorized. Without it, physical security testing activities could be treated as criminal trespass.
Question 8
What is MITRE Caldera?
A) A commercial endpoint detection and response platform
B) A free adversary emulation platform that automates ATT&CK technique execution
C) A physical security testing toolkit
D) A social engineering framework
Answer: B
Caldera is MITRE's free adversary emulation platform. It uses agents deployed on target systems to automatically execute ATT&CK techniques according to defined adversary profiles, enabling automated and repeatable adversary simulation.
Question 9
Which of the following is NOT a valid reason to choose red teaming over penetration testing?
A) Your security program is mature and you want to test detection capabilities
B) You want to evaluate incident response procedures
C) You need a comprehensive list of all vulnerabilities in a specific application
D) Leadership wants to understand the real-world risk from specific threat actors
Answer: C
Finding a comprehensive list of vulnerabilities in a specific application is the goal of a penetration test, not a red team engagement. Red teaming focuses on simulating realistic adversary behavior and testing detection/response, not exhaustive vulnerability discovery.
Question 10
What is the Vectr tool used for in purple teaming?
A) Vulnerability scanning during red team exercises
B) Tracking purple team exercise results, detection coverage, and historical trends
C) Automated adversary emulation
D) Network traffic analysis during engagements
Answer: B
Vectr is a free tool from Security Risk Advisors designed to track purple team exercises. It provides campaign management, technique tracking with ATT&CK mapping, detection coverage visualization, and historical trending.
Question 11
In the context of red team reporting, what does per-technique reporting provide?
A) A list of all tools used during the engagement
B) A technique-by-technique breakdown including detection results, time to detect, and recommended improvements
C) A ranking of the red team's skill level
D) A comparison with other organizations' red team results
Answer: B
Per-technique reporting maps each action to an ATT&CK technique and documents whether it was detected, how it was detected, how long detection took, and what improvements are recommended. This structured reporting enables organizations to track detection improvement over time.
Question 12
What is a Malleable C2 profile in Cobalt Strike?
A) A configurable communication profile that customizes how C2 traffic appears on the network
B) A flexible user interface configuration file
C) A type of malware payload
D) A report template for engagement findings
Answer: A
Malleable C2 profiles allow red teams to customize the network indicators of Cobalt Strike's Beacon implant, making C2 traffic mimic legitimate services (e.g., Amazon web traffic, Microsoft update traffic) to evade network detection.
Question 13
What are the key differences between "short-haul" and "long-haul" C2 channels?
A) Short-haul is encrypted, long-haul is unencrypted
B) Short-haul is for interactive operations with frequent check-ins; long-haul is for persistent access with infrequent beaconing
C) Short-haul uses TCP, long-haul uses UDP
D) Short-haul is within the network, long-haul is external
Answer: B
Short-haul C2 is used for interactive sessions requiring real-time command execution, with frequent check-ins. Long-haul C2 is designed for maintaining persistent access with minimal network footprint, using infrequent beaconing intervals (hours or days) to avoid detection.
Question 14
What is Kerberoasting (T1558.003)?
A) An attack that exploits vulnerabilities in the Kerberos protocol implementation
B) An attack that requests Kerberos service tickets for accounts with SPNs and cracks them offline to recover passwords
C) An attack that denies Kerberos authentication services
D) An attack that replays captured Kerberos tickets
Answer: B
Kerberoasting involves requesting Kerberos Ticket Granting Service (TGS) tickets for service accounts with Service Principal Names (SPNs). These tickets are encrypted with the service account's password hash, which can be cracked offline without generating additional authentication events.
Question 15
What is the recommended approach when a red team discovers evidence of a real, active threat during an engagement?
A) Ignore it and continue the engagement
B) Exploit it to enhance the red team findings
C) Follow the pre-defined escalation procedures in the ROE to immediately notify the organization
D) Complete the engagement first, then mention it in the report
Answer: C
The Rules of Engagement should include escalation procedures for discovering active threats. When real adversary activity is discovered, the red team must immediately notify the designated contacts so the organization can respond to the actual threat, regardless of the engagement status.
Question 16
Which of the following metrics is most important for measuring purple team program effectiveness over time?
A) Number of techniques tested per exercise
B) Cost per exercise
C) Detection coverage trend across quarterly exercises
D) Number of tools purchased
Answer: C
Detection coverage trend -- the percentage of tested ATT&CK techniques that are detected -- tracked over quarterly exercises shows whether the security program is actually improving. This metric directly measures the outcome of purple team investments.
Question 17
What is the primary advantage of adversary emulation over adversary simulation?
A) Emulation is faster and requires less expertise
B) Emulation provides higher fidelity by manually replicating a specific threat actor's TTPs with realistic tools and procedures
C) Emulation is fully automated
D) Emulation produces more comprehensive vulnerability lists
Answer: B
Adversary emulation involves manually or semi-manually replicating a threat actor's known TTPs with high fidelity, using similar tools, infrastructure, and procedures. This provides the most realistic test of detection and response capabilities, though it requires more expertise and time than automated simulation.
Question 18
During a red team engagement, what should you do if you are confronted by security personnel during physical testing?
A) Run away to avoid identification
B) Pretend to be a regular employee and continue
C) Stop all activities, remain calm, identify yourself, and present your authorization documentation
D) Call the police to establish your legitimacy
Answer: C
When confronted during physical security testing, the correct response is to stop all activities immediately, remain calm, identify yourself as an authorized security tester, and present your authorization documentation. Never resist, argue, or flee, as this could escalate the situation and create safety risks.