I am seeing lots of “debate” about the value of red teaming, so I thought I would put together my thought process: how I look at it, in broad strokes, when I consider a generic starting position in an organisation. When I’m defending a business, I tend to ask myself (and the team/customers etc.) these kinds of questions (they are not exhaustive):

  • Do you have a good understanding of your Enterprise Architecture?
  • Do you understand your service architectures?
  • Do you understand your security architecture/s?
  • Have you done an asset discovery exercise?
  • Have you modelled data flows?
  • Have you conducted security hardening of the environment/scope?
  • Have you done vulnerability assessments?
  • Have you done penetration testing?
  • Have you done control on/off testing?
  • Have you got a defensive security capability/team?
  • Have you reviewed your monitoring capabilities against common and known exploitation paths?
  • Do you need/want external help to understand your posture, capability strength and detection and response capabilities?

If yes to all the above: Conduct a red team exercise!

If no, consider this question:

Do the key stakeholders understand the value of investing in security? If they don’t, and you can’t secure resources to do the first tranche of activities, you may want to conduct an offensive security testing exercise to demonstrate the value in having a good security posture. This, however, may not be the only route. You may simply need to do a contract review and understand the delta between contractual requirements to customers and the current state of an organisation; the revenue/income loss risk (let alone the potential legal costs) may be enough to tip the scales and change mindsets (there is never “just” 1 path that works for every organisation or scenario).

“Understand and review before pew pew!” – mrr3b00t

Almost everything in life “depends”. I would, however, not want to have my ass kicked by an external team if I didn’t have a handle on the current state, didn’t have the resources to defend and hadn’t already invested in creating a strong defence (unless I was struggling to get investment, then f*ck it, pew pew all the way home!)