1 Joe Vest, James Tubberville Red Team Development and Operations
Risk Rating and Metrics

Most security tests include a risk rating with each finding. A common scale uses a risk matrix diagram of Impact vs. Likelihood with High, Medium or Low assignments, most often represented as a square grid. While this may give a general idea of risk, it is often too arbitrary and subjective: the values chosen are at the discretion of the report writers, and unless the target organization is included in the rating decision, these ratings reflect only the security tester's perspective.

These types of ratings work well for vulnerability assessments, where individual vulnerabilities are the primary goal and can be assigned associated CVE scores. They can also work for penetration tests when measuring and validating levels of exploitability is the primary goal. These types of ratings can be used in Red Team reports; however, they are not appropriate for the observation methodology.

Consider this example. If a Red Team had a goal of stealing proprietary organizational data, the observation write-up would describe how and where the data was taken and the volume of data acquired. This is difficult to summarize into a single dot on an Impact vs. Likelihood risk matrix.

Consider another option: using the metrics of Red Team goals. Red Team goals were discussed earlier in the book. These goals have associated metrics in the form of questions. Instead of rating risk using a subjective scale, a narrative that answers the questions can describe the risk. This does not assign a High or Low value, but it provides an organization with information that can be used to determine the level of action needed. If an Impact vs. Likelihood risk matrix diagram is required, include both the Red Team goal narrative and the vulnerability risk matrix. Remember, Red Teaming focuses on goals, not vulnerabilities. Vulnerabilities will be discovered during a Red Team engagement and can be documented using the traditional risk matrix grid in a secondary findings section of the report.