1. Technical Assessment (Generic Adversary Model):
Focus is on technology without an adversary model. Examples include running vulnerability scanning tools or even other generic off the shelf tools to identify weaknesses in the environment. This would include vulnerability assessments as well as some basic penetration testing aimed at simply finding misconfigurations.
What are some other items we think should be in place for Level 1 Red Teaming At <ORG>:
- Basic Penetration Testing
- Level Rubric
- Standard Red Team Interview Processes and Questions
- Centralized Documentation for SOP/ROE/ETC
- Define clear current & future metrics for leadership
- Begin planning Phishing User Education Program
- Begin planning Password Security Program
- Identify Key Rubric for Red Team Adversary Levels
- Build Base Documentation around SOP/ROE/ETC
2. Operational Assessment:
Focus is on defender operations and disrupting/bypassing/breaching those. The red team represents the adversary and the main question is “How can the red team get through?”
What are some other items we think should be in place for Level 2 Red Teaming At <ORG>:
- Red v. SOC Exercises(Purple Team)
- Stable Repo for Scripts
- Stable Repo for Exploits (Tested and Tried)
- Stable Repo for Shellcode (Tested and Tried)
- Metrics Dashboard/Reporting Structure
- Mature Phishing User Education Program
- Mature Password Security Program
- Begin Smaller Red Team Operations at level 1 adversary
3. Analytical Red Team:
Focus again is on the defender’s operations but may also include things that do not exist yet (designs, plans). Adversary model varies and often includes multiple possible adversaries. Question is “What are the ways different adversaries at different levels of sophistication might get through and how to they compare from a risk perspective?”
What are some other items we think should be in place for Level 3 Red Teaming At <ORG>:
- Red team joint effort with SOC for table top scenarios that require cross functional collaboration and communication
- Constant Syncs with Threat Intel for Adversary Knowledge
- Year Plan for Assessments
- Mature Collaboration during assessments (Shared Central Location)
- Red Team Operations upgraded to have the ability to run level 1 – 2 adversaries
- Stream Line Penetration Testing Requests
- Working with SOC to map MITRE to TTP’s used during Operations for ticketing
- Establish Trusted Agents Network
- Begin Planning on Objective assessments (Support, HR, Recruiting)
4. Organizational Assessment:
Focus is on upstream organizational behaviors that lead to downstream security problems. Question is “Why do security flaws continue to emerge?”. Goal is to treat the disease and not the symptoms. Adversary model can be anything from generic to specific.
What are some other items we think should be in place for Level 4 Red Teaming At <ORG>:
- Physical red team and office breach assessments
- Red team scenarios specifically around usage of the <ORG> platform
Red Team Operations upgraded to have the ability to run level 1 – 4 adversaries
- Manage 3rd Party Red Team Assessments for Validation
- Joint Job Training with SCO Team
5. Adversary research and emulation exercises:
This is the north star and desired end state. Focus is on researching and understanding nation state actors and then building the tooling necessary to emulate the same steps/process/tooling/TTPs used by nation state attackers in the real world against other organizations in the wild.
What are some other items we think should be in place for Level 5 Red Teaming At <ORG>:
- In-depth study of nation state attackers and the TTPs used to breach other organizations
- Coordination with <ORG> Threat Intelligence to identify threat actors most likely to target <ORG>
- Custom tooling mimicking nation state TTPs
- Red Team Operations upgraded to have the ability to run level 1 – 5 adversaries
- Dedicated R&D time for new attacks/TTPs