Here is a snip from a conversation listed over at
Hoff posed the question of
“does the team dial-up or dial-down the aggressiveness of the approach and execution KNOWING that they won’t be prosecuted, go to jail, etc.?”
Below was a response I wrote that may be of value or at least a good debate we can all go through.
To get to the answer to this, or at least my opinion, we need to start off with WHY they are Red Teaming. Now that this is becoming a bit more of an en vogue service, there is starting to be a large degree of variance in the “WHY and HOW.” For this one… let’s just take Red Teaming as “Modeling an adversarial force and executing the attacks with the expected capabilities of that force.” If we can stick to that definition, we get to some of the answer in a less grey area.
We like to look at testing like a fight.
First off, it’s a fight. It is not theory; there isn’t some “theoretical risk ranking” of how you are going to feel, or a mapping to some color wheel that can communicate to you how you “WILL” feel during the event. It IS the event.
Now… there are a few types of fights, and each type breeds a different type of fighter. (Mind you… there are anomalies in all of these, but let’s take them as sweeping generalizations.)
Typical playground fight (Vulnerability Assessment):
The adversary is usually around the same size, motivation is similar, they aren’t out to kill ya, and overall they very rarely even know HOW to hurt you. Since the adversary has not had a lot of time to train or lots of experience in fighting, the overall risk of total destruction is low. The benefit of it is feeling what it is like to get into a fight. You also take away some things you need to do to either avoid a fight or fight better.
True/Bar/Early Adult/Public Fight (Penetration Testing):
The adversarial gap is much larger and unknown. The size and strength difference is an assumption, as is their ability to hurt you. The adversary could be an expert or a first timer, and the only time you will realize it is by the time the fight is underway or sometimes OVER. The real thing to be concerned about in this type of fight is that the risk of “impact” is substantial. Mature humans with potentially TONS of experience may have the ability to completely destroy someone if the reins are not pulled tight. The benefit of this fight is that they are usually over a specific threat and the winner can support the desired outcome **getting robbed and overpowering the robber …as the example**
Training: Variable based on adversary
Risk: Moderate to High
Education: Moderate * when you are a little bit older is when you start to realize if you can survive it or not.
Professional fighting (Red Teaming):
Now apply that to a pro fighter. Their entire life is devoted to the fight. Their financial viability and lifestyle RELY on it. They have sparring partners, coaches, strength trainers, agility trainers, nutritionists, therapists, and more just to get ready for the fight. When they prepare for a fight, they don’t just fight anyone. They prepare for the fight with a very specific regimen. They are well beyond the days where they need to gain a sense of calm during the event. They prepare for the fight with a sense of purpose and extremely well defined goals.
Risk: Low to Moderate (these are trained professionals… although death happens, it is VERY rare)
The reason I had to go through all that is to give a sense that this exercise is not just a “look at how hard I can beat someone up”; as a matter of fact, it is almost the complete opposite. It is much more about “how many areas can I test, and how will my adversary test those areas.” Each adversarial group will have a higher level of skill/competency in each of the 3 areas of red teaming (Physical, Social, and Electronic). By understanding their adversarial classes and their capabilities in each of those areas, a company can determine the level of strength they need the red team to test in each. If we are testing an art museum, we can assume that the most likely adversary will be well equipped in the area of physical attack. Depending on the “type” of art museum… we may find that the adversary has other skills in social or even electronic… if we model out who the most likely attackers are. Maybe there is a diamond exhibit going on and we know that groups like the Pink Panthers (http://en.wikipedia.org/wiki/Pink_Panthers) are going after it. They have a particular set of skills that are readily available for research. Now, there is no need for an insurance company to model the Panthers’ type of attack, because we can see through past compromises that insurance companies get attacked in a much different manner. All of this is much like our pro fighter… they can watch the tapes… identify the likely attacks and the “surprise” moves the opponent has. They prepare for the fight they ARE going to get in… not the one they MIGHT get in.
In addition to all of this, there is another component to red teaming… the blue teamer. On every red teaming engagement we offer a blue teamer to ride along with the internal team. You can get a full picture of where there are breakdowns… even if the red team does not expose them. The blue teamer also gets to measure how cool under fire people are. They may get lucky stopping an attack, and the blue teamer’s job is to identify whether it was a fluke or part of the process. This is much like having a coach and a ref in the ring with you. You walk away with a better idea of where/why/how to train while still staying within the comfort/pain level of the fighter. This is a CRUCIAL component and literally doubles the value of testing if done concurrently.
So … what’s the quick answer without all this blathering on and on and on????
“The red team’s job is to adequately scope the potential boundaries between training and fight night, and bring their opponent RIGHT TO THAT LINE but never over it”
A criminal doesn’t care about your safety. If you die as collateral damage… who cares… as long as they get what they want, they do it. As red teamers we just can’t go that far. Don’t kidnap the CEO… just show ’em every bit of intel and surveillance needed to get to the point right before the bag n tag. Don’t burn down the building just to cause a diversion… show ’em how it “would” be done. Don’t sell the data on the black market… show them how/where/when you could get access. Don’t show them that you can bust a door down… assess, if you DID bust it down, how they would know and what the response would be. It’s a fine line to toe… but if done right you get to patch the unpatchable… HUMANS.
Security is a feeling, not a static concept of technology. The only patch we get in our feelings is experience. The more we can get the defense team to experience a likely threat… the more calm, cool and collected they will be the day that threat is real. Find the real perimeter and just barely go over it.
Hunter S. Thompson said it best: “The Edge… there is no honest way to explain it because the only people who really know where it is are the ones who have gone over.”