Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Recommendations for Self-Managed FedRAMP Red Team Exercises

Published 03/22/2024

Home
Industry Insights
Recommendations for Self-Managed FedRAMP Red Team Exercises

Originally published by Schellman & Co.

When FedRAMP issued Revision 5 in May 2023, the changes included a new requirement for a red team exercise in addition to the already-mandated penetration test. Now that Rev 5 is officially being enforced as of 2024, organizations pursuing FedRAMP Authorization must get this new obligation right.

FedRAMP permits organizations two options to satisfy their red team exercise requirement:

  • You can have one performed by a third-party assessor organization (3PAO); or
  • You can perform one yourself internally (though your 3PAO must further attest that your prepared red team test plan and red team report meet or exceed their expectations).

While it’s ultimately your prerogative to determine whether you self-manage your required FedRAMP red teaming, as of February 12, 2024, the FedRAMP Project Management Office (PMO) has not published red team guidance. As the leading provider of FedRAMP assessments on the current Marketplace, we thought we would leverage our experience as both a 3PAO and as red teamers to try and fill that void.

In this article, we’ll outline the industry standards when it comes to red team deliverables so that if you decide to complete this exercise yourself, you can better ensure that your work meets FedRAMP standards and that you aren’t set back in your pursuit of Authorization.


How to Successfully Perform an Internal Red Team Exercise for FedRAMP

A red team exercise’s holistic nature means there’s quite the onus on cloud service providers (CSPs) performing their own as part of the FedRAMP journey, but what follows is what our team at Schellman would expect to see from a client-delivered red team exercise in order to sign-off on the effort.


Red Team Test Plan

The first necessary element we’d need to see is your red team test plan, which is a formal document detailing multiple components of your exercise. This document should be written before you begin the actual assessment, and the assessment should follow this plan as closely as possible—the more formalized this document is, the better.

At a minimum, we expect the following:

Plan Section

Explanation

Scope

The scope of the exercise dictates what is allowed to be targeted.

An important note: This is not limited to the FedRAMP boundary—your entire organization should be in scope. That being said, hosts, URLs, etc. do not need to be defined, since they’ll be encompassed within the wider scope.

Defined Goal(s)

Without any defined goals, a red team exercise risks becoming a normal pen test or phishing exercise—when you set a red team goal, you designate how the exercise will challenge your current defensive strategies (which you’ll then attempt using several avenues during the actual exercise).

(When Schellman performs a FedRAMP red team exercise, we always set the goal of accessing the FedRAMP production boundary without any initial access to your organization.)

Escalation Process

Outline a process for the testers to escalate issues should they discover something that needs immediate attention. Usually, this means alerting the organization’s CISO (or a backup to the CISO).

Start and End Dates

Document the start and end dates so that your 3PAO can determine if the exercise occurred within a reasonable timeframe for FedRAMP requirements. (The exercise usually takes multiple or several weeks.)


Red Team Exercise Execution

Once the plan is done and documented, remember that a real-world attacker won’t tell you you’re being attacked, and so your red team exercise should follow the same practice! As such, limit the overall knowledge that your assessment is happening to:

  • Executives;
  • Your CISO; and
  • Your designated backup contact to the CISO.*

*Additionally, if status reports are issued, they should be purposefully vague.

Some important things to keep in mind when performing your red team exercise include:

  • Do not limit it to a traditional pass/fail phishing exercise, since real-world attackers won’t just stick to phishing attacks when trying to breach your organization.
  • Remember, during a red team exercise, your entire organization is in scope.
  • Consider that real-world attacks are usually performed in tandem, and even chained together to accomplish the red team’s goals.

With all this in mind, your team should take the exciting opportunity to use diverse attack scenarios, such as:

Attack Scenario

Explanation

Open Source Intelligence (OSINT)

Scour the Internet for your sensitive data that may be publicly available, such as:

  • Company code repositories
  • Employee code repositories
  • Previous breaches
  • Unrelated database breach compilations

Credential Stuffing

Attackers can readily search for organization e-mail addresses within existing breach compilations and attempt these credentials against targets such as:

  • VPNs
  • Single sign-on (SSO) providers
  • Remote administration services (i.e. SSH, RDP)

Targeted phishing campaigns

Target specific individuals based on “reconnaissance” as real-world attackers would—in other words, create more realistic e-mails aligned to the target’s job role.

External Network Penetration Testing

In addition to identifying outright exploitable vulnerabilities, attackers often gain other valuable details from external reconnaissance:

  • Services to attempt authentication against
  • Forgotten or old services
  • DNS misconfigurations (DMARC, dangling entries, etc.)

(Attacks can wield this intel to then chain to other attacks.)

Web Application

Since web applications often sit within the FedRAMP boundary, you’ll want to target these where possible while still keeping the red team’s goals in mind.

Some example attacks include:

  • Using a typical Cross-site Scripting vulnerability on a customer-facing website in a campaign to acquire an employee’s SSO session
  • Compromising a web host and then stealing the credentials of administrative users

Internal phishing

Using an employee’s e-mail account that was compromised earlier, send an incredibly convincing phishing e-mail or instant message to another employee and continue with the attack chain until the red team’s goal is met.

Vishing

When attempting vishing—that is, social engineering via phone calls—specific individuals and help desks can make great targets due to their level of access. If you have departments still using fax machines, consider targeting those as well.

Physical penetration tests

Attacks don’t need to be completely limited to the virtual realm—you can simulate and assess material attack vectors like:

  • Could an attacker posing as a contractor compromise an on-premises network closet?
  • Would an employee plug in a malicious USB stick they found within their building?
  • Could a hardware keylogger be placed on a desktop?

Wireless attacks

Because many devices—like printers—emanate their own Wi-Fi signals—consider attempting to compromise these, as they may serve as a pivot into an internal network.

Other wireless attacks to consider imitating include:

  • Capturing credentials via rogue access points
  • Mousejacking (during which malicious keyboard and mouse actions are inserted to compromise a device)
  • Testing whether key presses can be recorded


For any and all scenarios you choose to test—assuming some form of access is obtained—perform lateral movement just as a real-world attacker would to identify how far the access could get them to achieve the original goal of the exercise.

For example, if a system administrator’s SSO account becomes compromised, determine what level of access the attacker would then gain—would they be able to compromise another host or user? If so, recursively continue the lateral movement process until the red team’s goal is achieved.


Red Team Report

Finally, you’ll need to prepare a red team report. Similar to the red team test plan, this document should also be highly formalized and incorporate the scope, goals, escalation process, and dates of your exercise.

In total, your red team report should detail the following:

Section

Explanation

Executive Summary

For individuals who need a quick reference, include a summary that highlights the results of the exercise.

Framework(s)

Specify the red team framework you used within your report.

(The most popular red team framework at the moment is MITRE ATT&CK).

Attack Path Narrative

Discuss the overall thought process during testing, as well as attempted and successful attacks.

Identified Findings

Describe all identified security gaps, including but not limited to:

  • The initial access method
  • Level of access obtained
  • Lateral movement attempts
  • A high-level description of any sensitive data accessed or exfiltrated

Remediation Plan(s)

Detail your remediation plan for each identified security gap.


Moving Forward with Your FedRAMP Red Team Exercise

Red teams are a relatively new compliance need in the cybersecurity space. For FedRAMP, they are a brand new requirement, so expect a degree of growing pains as both CSPs and 3PAOs navigate these changes.

And while our aforementioned standards to formally attest your self-managed exercise can appear subjective—and may vary from other 3PAOs—you at least have a baseline for what you’ll need to create and include when internally performing your required FedRAMP red teaming.

ComplianceFedRAMPPenetration Testing

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Establishing an Always-Ready State with Continuous Controls Monitoring

Published: 11/21/2024

5 Big Cybersecurity Laws You Need to Know About Ahead of 2025

Published: 11/20/2024

Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems

Published: 11/19/2024

9 Tips to Simplify and Improve Unstructured Data Security

Published: 11/18/2024