Development and operations a practical guide
Joe Vest, James Tubberville, Red Team Development and Operations
Managing Risk
This section discusses risk (as a result of Red Team activities) to the target environment, NOT inherent vulnerabilities or weaknesses.
Risk management is the process of identifying, assessing, and controlling risks arising from engagement factors and making decisions that balance risk costs with target benefits. The objective of managing risk is not to eliminate all risk but to remove unnecessary risk.
The engagement planning process should identify and minimize any risks that may occur either directly or indirectly as a result of the Red Team’s activities. The objective is to implement the efforts outlined in the ROE without causing any irreversible damage to the target environment. The ECG has overall responsibility for implementing risk management and accepting the risk to the target environment during the engagement. The Red Team Lead has responsibility for implementing risk management and accepting the risk guidelines into the team’s objectives during the engagement.
Before and throughout the event, the Red Team Lead may request the TA and ECG to assess all risks associated with current Red Team activities and vice versa.
Risk Management assists the engagement planning by:
Conserving the limited resources used throughout an engagement
Identifying potential risks early to avert unwarranted risk
Making an informed decision as to the course of action implementation (or alternate)
Identifying feasible and effective control measures to ensure an engagement meets assessment goals without introducing unnecessary risk to the safety and health of the target
Providing alternatives for objective or goal accomplishment when a risk is too high.
Risk Management does not:
Limit the Red Team’s ability to operate to the degree where the engagement’s goals cannot be met
Completely dissolve all risk (it manages risk)
Mandate a decision on activity (it provides guidance to the ECG on mitigations or alternate decisions)
Have the authority to violate the law even to support the successful execution of an engagement
Eliminate requirements for SOP and TTP exercise
What does this mean in practical execution?
Every engagement must include risk management in planning and execution. Security testers and Red Team operators have been invited to play in someone else's playground. Care and consideration must be appropriately handled through risk management. Risk management does not mean risk elimination. The purpose is to identify risk early and develop a plan to handle situations where a pre-identified risk or unknown risk is realized.

The risk management process:
Identify potential issues, conflicts, or hazards (life, limb, eyesight, equipment, and production).
Assess each to determine the direct impact to the target environment.
Develop controls designed to mitigate risks.
Make a risk decision.
Implement controls.
Identify residual risk (alter controls until the residual risk is acceptable or cannot be further reduced).
Continually assess risk.