<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=6226337&amp;fmt=gif">
Know Thyself
γνῶθι σεαυτόν – Know Thyself. It’s one of three maxims inscribed on the temple of Apollo at Delphi. Now, lest you think this is some vain personal attempt to appear intellectual at the beginning of a blog post, let me assure you I physically cannot grow a beard bushy enough to be considered a philosopher.

But I can apply it to cybersecurity. One way for us to know ourselves, and more specifically, know how effective our investments in cybersecurity are, is to become the attackers. Red Teams simulate threats against an organization: they challenge assumptions, poke holes in tech stacks, and find where defenses are good… and not so good. In other words, a Red Team helps an organization know itself and how it would fare against a real threat.

There are a lot of ways to attack an organization, and there are myriad, well-funded groups trying to find just one that works. How can a team sometimes as small as two or three people know it’s up to the task of accurately simulating these threats? And equally important: how can that team give leadership confidence that they are getting valid data?
Measuring Our Capability
The concept of a Capability Maturity Model (CMM) is not new in many fields, but many CMMs, even in the security realm, gloss over Red Teams. When I joined Humana, I knew we would need a way to plan for and track the Red Team’s growth while demonstrating the return on investment to leadership. 

I found an existing CMM which got us started, but as we dug into it, we ran into two specific problems: a divergent format (three levels instead of five) meant we couldn’t seamlessly communicate our state with leadership, and the simplification made consistent planning across core competencies challenging.

As a result, we undertook a new effort to develop a new CMM with a standard format that can provide consistent measurements of maturity across a more granular set of functions.
And In This Corner...
Our model addresses the two problem areas above by expanding from three levels to five, by aligning the levels to common descriptors like “often automated,” and by greatly expanding the number of subjects discussed. 

The form-factor change and alignment to standard CMM descriptors enables clear and effective communication with leadership by providing a common frame of reference for current and future state.

The underlying structure also aids with communicating. The model is arranged in four, typical categories – People, Process, Program, and Technology – found in many major CMMs. But the real improvement over existing options is the set of 27 subjects contained within those four categories.

Working backwards from the very broad question “what makes a Red Team effective,” we iteratively split processes and capabilities into sub requirements until we hit a point where further granularity would produce more overhead than value.

The subjects range from how the team selects its operations to how strong of a relationship it has with the organization’s legal team. I’ll cover a selection of the subjects in more detail in the next section, but if you’d like to dig into the thought process or definitions behind the full list of subjects, see this extended post.

This expansion pays massive dividends in the communication department (individual competencies can now be reported on distinctly), but also in the planning and measurement phase of implementing the model. Through granularity, teams can really home in on the core behaviors and capabilities that define Red Team operations and target them individually according to its needs.

This leads to fruitful planning discussions where the team is free to focus on insular targets rather than trying to “get gud” in a broad and complex area that hasn’t been decomposed. Sweetening the deal, it directly feeds other work management practices like Agile where target capability levels can be broken into discreet, tangible actions to feed your work management board with tasks/stories.

To best use the model, you should be aware of a few key assumptions:
  • This model is written for internal Red Teams – consultancies can use large portions of it but will have different considerations than an internal team in some areas.
  • This model presumes your internal team is staffed with dedicated Red Team operators. That means penetration testers doing “Red Team-y” things don’t count, and it definitely doesn’t mean Larry in IT who frequently stays late (you should watch that guy…).
Help Us Help You
Almost nothing we do as humans is done in a vacuum, and security is certainly no exception. I want to highlight a few areas where organizations and leadership can 1) get better data through higher Red Team maturity and/or 2) partner with the Red Team to help it mature (which gets you better data).
  • Operational Selection & Knowledge of the Business and Tech Environment
    • Red Teams are small, it’s hard to stay on top of a large organization’s structure. But if we aren’t familiar with it, we may target things that don’t align to key business needs, or worse, things that are planned to be decommissioned. Help us stay in touch.
  • Operational Approvals
    • Red Teams live and die on trust from peers and leadership. We need the opportunity to build that trust through interaction, which we can then leverage to dive into the organization’s most sensitive targets. Attackers won’t avoid certain things simply because you ask them to, so be bold with your team once they’ve shown they earned it.
  • Resource Management
    • The Red Team is going to need weird things sometimes, like licenses to Command and Control (C2) software that the organization’s defenders normally eradicate on sight. The organization can really enable better operations by providing flexibility in procuring some of those weird things.
  • Relationships
    • The biggest chunk of the CMM is a set of seven subjects aligned to different stakeholders. This isn’t “Red Team vs. the world”, it’s all of us trying to find and fix holes before other people find them, and that takes engagement from everyone.
  • Strategy
    • In an effort to “know itself,” an organization’s strategy should influence (and consume) Red Team strategy to generate actionable data for those tough questions and decisions.

The Insight

Red Teams generate data that helps advance our firms’ security and resilience, and we need a way to plan for, measure, and report on our capacity to do so. Data, without confidence that it’s accurate, is more or less useless, and we hope this CMM can help bridge the gap that often exists between Red Team and the business by providing consistent messaging on a team’s ability to simulate a threat.

If you missed the links above, you can find the model at https://www.redteammaturity.com. From there, you can get links to my GitHub to download the model in other file formats and contribute to the model. The website also has a longer post that digs into some of the definitions and other considerations from the drafting process if you want to learn more.

Happy hunting.

© 2024 FS-ISAC, Inc. All rights reserved.

Listen on

FS-ISAC members around the world receive trusted and timely expert information that increases sector-wide knowledge of cybersecurity threats.

Learn More