1 Joe Vest, James Tubberville Red Team Development and Operations
Frequency
A Red Team engagement can be a very stressful experience. People can react negatively or defensively when their character, tools, or processes are brought into question. Even a well-managed engagement where individual attribution is kept to a minimum can place tremendous stress on staff. Testing too often may not give the organization time to apply mitigations, may cause the organization to treat the results with little regard, or may result in poor morale and few positive benefits. Testing too infrequently can be just as damaging as testing too frequently. When testing is conducted too infrequently, the organization can become complacent and lax in its security operations. Red Team engagements typically fall into three categories: Single, Periodic, or Continuous. The appropriate frequency depends on the target organization and the goals of the engagement.
Single
Performing a Red Team engagement as a single activity is typically done for organizations new to Red Teaming or those with large footprints and limited resources. It allows them to get their feet wet without a significant commitment. A one-time engagement can be as simple or complex as needed. Organizations that desire a one-time Red Team engagement may not know specifically what they need. An effective Red Team will interview and question an organization's management to best determine the need and requirement. If the Red Team does not guide this discussion, an engagement is likely to be at risk of becoming just another vulnerability assessment or penetration test. One-time engagements are a great way to introduce organizations to Red Teaming as long as the planning is managed and focused on Red Teaming goals and objectives.
Periodic
Periodic, annual, or biannual Red Team engagements are very common. Mature organizations that perform comprehensive Red Team engagements balance the stimulus needed to keep security operations sharp and the time needed to improve defenses.
When performing an annual engagement, be cautious not to treat it as a compliance audit. It will be tempting to just go through the motions. When testing becomes routine, an organization may not treat the results as seriously as a one-off test. To combat this complacency, engagements should be challenging and engaging. They should focus on severe areas of risk and not be "just another test to see if the bad guys can get in." Focused scenarios, the strategic use of white carding (to be discussed later), and incorporating current threats will keep an engagement fresh and provide better results.