Be Your Best Threat

Know Thyself

γνῶθι σεαυτόν – Know Thyself. It’s one of three maxims inscribed on the temple of Apollo at Delphi. Now, lest you think this is some vain personal attempt to appear intellectual at the beginning of a blog post, let me assure you I physically cannot grow a beard bushy enough to be considered a philosopher.

But I can apply it to cybersecurity. One way for us to know ourselves, and more specifically, know how effective our investments in cybersecurity are, is to become the attackers. Red Teams simulate threats against an organization: they challenge assumptions, poke holes in tech stacks, and find where defenses are good… and not so good. In other words, a Red Team helps an organization know itself and how it would fare against a real threat.

There are a lot of ways to attack an organization, and there are myriad, well-funded groups trying to find just one that works. How can a team sometimes as small as two or three people know it’s up to the task of accurately simulating these threats? And equally important: how can that team give leadership confidence that they are getting valid data?

Measuring Our Capability

The concept of a Capability Maturity Model (CMM) is not new in many fields, but many CMMs, even in the security realm, gloss over Red Teams. When I joined Humana, I knew we would need a way to plan for and track the Red Team’s growth while demonstrating the return on investment to leadership. 

I found an existing CMM which got us started, but as we dug into it, we ran into two specific problems: a divergent format (three levels instead of five) meant we couldn’t seamlessly communicate our state with leadership, and the simplification made consistent planning across core competencies challenging.

As a result, we undertook a new effort to develop a new CMM with a standard format that can provide consistent measurements of maturity across a more granular set of functions.

And In This Corner...

Our model addresses the two problem areas above by expanding from three levels to five, by aligning the levels to common descriptors like “often automated,” and by greatly expanding the number of subjects discussed. 

The form-factor change and alignment to standard CMM descriptors enables clear and effective communication with leadership by providing a common frame of reference for current and future state.

The underlying structure also aids with communicating. The model is arranged in four, typical categories – People, Process, Program, and Technology – found in many major CMMs. But the real improvement over existing options is the set of 27 subjects contained within those four categories.

Working backwards from the very broad question “what makes a Red Team effective,” we iteratively split processes and capabilities into sub requirements until we hit a point where further granularity would produce more overhead than value.

The subjects range from how the team selects its operations to how strong of a relationship it has with the organization’s legal team. I’ll cover a selection of the subjects in more detail in the next section, but if you’d like to dig into the thought process or definitions behind the full list of subjects, see this extended post.

This expansion pays massive dividends in the communication department (individual competencies can now be reported on distinctly), but also in the planning and measurement phase of implementing the model. Through granularity, teams can really home in on the core behaviors and capabilities that define Red Team operations and target them individually according to its needs.

This leads to fruitful planning discussions where the team is free to focus on insular targets rather than trying to “get gud” in a broad and complex area that hasn’t been decomposed. Sweetening the deal, it directly feeds other work management practices like Agile where target capability levels can be broken into discreet, tangible actions to feed your work management board with tasks/stories.

To best use the model, you should be aware of a few key assumptions:

• This model is written for internal Red Teams – consultancies can use large portions of it but will have different considerations than an internal team in some areas.
• This model presumes your internal team is staffed with dedicated Red Team operators. That means penetration testers doing “Red Team-y” things don’t count, and it definitely doesn’t mean Larry in IT who frequently stays late (you should watch that guy…).

Help Us Help You

Almost nothing we do as humans is done in a vacuum, and security is certainly no exception. I want to highlight a few areas where organizations and leadership can 1) get better data through higher Red Team maturity and/or 2) partner with the Red Team to help it mature (which gets you better data).

• Operational Selection & Knowledge of the Business and Tech Environment
  • Red Teams are small, it’s hard to stay on top of a large organization’s structure. But if we aren’t familiar with it, we may target things that don’t align to key business needs, or worse, things that are planned to be decommissioned. Help us stay in touch.
    
• Operational Approvals
  • Red Teams live and die on trust from peers and leadership. We need the opportunity to build that trust through interaction, which we can then leverage to dive into the organization’s most sensitive targets. Attackers won’t avoid certain things simply because you ask them to, so be bold with your team once they’ve shown they earned it.
    
• Resource Management
  • The Red Team is going to need weird things sometimes, like licenses to Command and Control (C2) software that the organization’s defenders normally eradicate on sight. The organization can really enable better operations by providing flexibility in procuring some of those weird things.
• Relationships
  • The biggest chunk of the CMM is a set of seven subjects aligned to different stakeholders. This isn’t “Red Team vs. the world”, it’s all of us trying to find and fix holes before other people find them, and that takes engagement from everyone.
• Strategy
  • In an effort to “know itself,” an organization’s strategy should influence (and consume) Red Team strategy to generate actionable data for those tough questions and decisions.