TR-89 - Guidelines for Notifying CSIRT/CERT of Red Teaming and Penetration Testing Exercises - Enhancing Detection and Coordination

  1. Objective
  2. Who
  3. Why
  4. Notification
  5. Technical Recommendations
  6. References
  7. Classification of this document
  8. Revision

Objective

This document outlines recommended practices for notifying Computer Security Incident Response Teams (CSIRT) and Computer Emergency Response Teams (CERT) when organizations plan to conduct red teaming, penetration testing, or other cybersecurity exercises. It highlights the importance of communication, coordination, and technical readiness to detect and differentiate simulated attacks from real threats.

Who

The guidelines are applicable to organizations (in Luxembourg or abroad) performing security exercises that involve simulated attacks on production or critical infrastructure, especially those that could trigger alerts in national or sectoral CSIRTs and CERTs.

Why

  • Reducing Misinterpretation: Notifying CSIRTs/CERTs is essential to avoid simulated attacks being misinterpreted as real threats, which could disrupt incident response processes.
  • Enhancing Collaboration: CSIRTs/CERTs monitor for attacks and produce threat intelligence; advance notification strengthens collaboration and also helps improve existing detection mechanisms.

Notification

What to Notify

  • Scope and objectives of the exercise. We do not require much detail, just a minimal description and the parties involved.
  • Timeframe (start and end) and schedule of testing activities in UTC.
  • Technical indicators and selectors to facilitate detection by CIRCL.
  • A contact person or organisation to reach if we have any questions or specific issues following a potential detection.

When to Notify

  • We recommend notifying us at least one week before the scheduled testing activities start.

Technical Recommendations

Indicators and Selectors

  • Techniques for tagging or otherwise marking payloads and simulated malicious infrastructure to aid in detection.
  • We recommend assigning a randomly generated unique tag (such as a SHA256 hex value, or even a YARA rule for detecting the payload) to be embedded in malicious payloads, scripts, or even in the headers of infrastructure components.
  • Classifying a detection with exercise:generic="red-teaming" from the exercise taxonomy is recommended if it is shared after the timeframe of the exercise. In case of detection in the wild, CIRCL will tag and share the information if it is publicly detected.
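As an added example (not part of TR-89 or CIRCL's tooling), the following Python sketch generates a random exercise tag of the recommended shape, derives a YARA rule for it, and triages constructed log lines by tag and by the notified UTC window so that tagged events inside the window are attributed to the exercise while everything else stays an open alert. The sample tag, the log lines and the X-Exercise-Tag header name are assumptions constructed for the example.

```python
import secrets
from datetime import datetime, timezone

# Constructed sample values: a real notification carries the exercise's own tag and UTC window.
EXERCISE_TAG = "4f1c9a6b2d8e7c3a5b9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d"
EXERCISE_START = datetime(2024, 11, 18, 8, 0, tzinfo=timezone.utc)
EXERCISE_END = datetime(2024, 11, 22, 18, 0, tzinfo=timezone.utc)
TAXONOMY_TAG = 'exercise:generic="red-teaming"'

# Constructed log lines ("<UTC timestamp> <event>"); the X-Exercise-Tag header name is hypothetical.
SAMPLE_LOGS = [
    f"2024-11-19T09:12:44Z proxy GET 198.51.100.20/stage.bin X-Exercise-Tag={EXERCISE_TAG}",
    "2024-11-19T09:15:02Z ids alert outbound beacon to 203.0.113.7:443",
    f"2024-11-20T14:03:10Z edr script.ps1 contains marker {EXERCISE_TAG}",
    f"2024-11-25T07:40:51Z proxy GET 198.51.100.20/stage.bin X-Exercise-Tag={EXERCISE_TAG}",
]


def new_exercise_tag() -> str:
    """Random 256-bit hex string, the same shape as a SHA256 digest."""
    return secrets.token_hex(32)


def yara_rule(tag: str, name: str = "redteam_exercise_marker") -> str:
    """YARA rule matching any payload or script that embeds the tag."""
    meta_value = TAXONOMY_TAG.replace('"', '\\"')  # quotes inside a YARA meta string must be escaped
    return (
        f"rule {name}\n{{\n"
        f'    meta:\n        taxonomy = "{meta_value}"\n'
        f'    strings:\n        $tag = "{tag}" ascii wide\n'
        f"    condition:\n        $tag\n}}\n"
    )


def triage(lines, tag, start, end):
    """Separate exercise traffic from tagged events outside the window and from unattributed alerts."""
    buckets = {"exercise": [], "tagged_outside_window": [], "unattributed": []}
    for line in lines:
        stamp, event = line.split(" ", 1)
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if tag not in event:
            buckets["unattributed"].append(line)  # handled as a real incident
        elif start <= when <= end:
            buckets["exercise"].append((line, TAXONOMY_TAG))  # attributable to the notified exercise
        else:
            buckets["tagged_outside_window"].append(line)  # leaked payload or reused tag: follow up
    return buckets
```

A tagged event seen after the notified window is deliberately not attributed to the exercise, since it may indicate a leaked payload or a tag reused without notification.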

References

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 12th November 2024