Red-teaming must be about more than ‘gotcha’: Atlassian team lead


Red-teaming is “one of the best jobs in security” but it carries the weight of responsibility in engaging productively with unknowing victims, the head of Atlassian’s red-teaming efforts has warned while highlighting the importance of ‘consent-based hacking’.

Speaking at this month’s inaugural Women in Security Conference and Awards, Atlassian Red Team lead Brianna Malcolmson joined a roster of dynamic speakers in sharing her experiences running red-teaming in one of the most successful, fastest-growing companies in technology today.

Diversity in the red team had proven crucial in designing innovative attack campaigns, she told CSO Australia. “Whether you’re a defender or an attacker, it’s important to have a diverse team because you are going to come up with a lot of different ideas,” she explained.

People are often surprised by her “really creative and very tricky social-media campaigns” to manipulate and ensnare targets, she said. “I don’t know if that’s about my being a woman or not, but I do know that if everyone is speaking the same way, you’re going to miss a lot of that perspective.”

Although red-teaming does require a degree of realism to effectively test organisational security responses, getting consent before a red-teaming exercise, from the highest-level stakeholder of the area that the operation is targeting, is crucial to avoid unpleasant surprises afterwards.

“We have had cases where a red team hacked a target and delivered a report, and the person in charge was completely taken aback because they didn’t know it was happening,” Malcolmson said.

“It’s important to get consent, and an enthusiastic ‘yes’, from the person whose area is being targeted. They are the ones who will be driving the changes in response to the testing – so they are the ones you want to be onboard with having the test in the first place.”

Making smart staffing choices was also crucial in building out red teams – particularly in avoiding the “brilliant hackers who could break anything on the planet but think they are better than anyone”.

Such hackers may be technically proficient but, Malcolmson warned, they often lack the empathy that is necessary to make red-teaming truly effective on an organisational basis.

Building a culture of empathy within the red team “means hiring people who really understand that defending an organisation is one of the hardest jobs that you can do,” she explained, highlighting the importance of “being able to speak about red teaming in a way that is empathetic and caring and kind and considerate.”

“That helps us do things in a way that can be constructive and helps people improve, as opposed to getting defensive about being hacked.”

Constructive engagement

Indeed, maintaining the red team as a valued part of Atlassian’s culture has required Malcolmson’s team to spend a considerable amount of time on non-hacking jobs such as outreach, marketing, and “propaganda” campaigns.

This includes designing logos that are consistently used across presentations and blog posts, and unique names for each red-teaming exercise that are printed onto stickers that are handed out to people after the exercise is complete.

“These are logos that people can put on their laptops and recognise,” Malcolmson explained. “We want this to stick in their minds for a very long time, and want them to have those visual reminders about what they think about and what happened.”

That empathetic approach, backed by concerted efforts around brand-building, is crucial to helping red-teaming legitimise itself as an ongoing operational unit inside the organisation, particularly since its core function runs in opposition to the ongoing efforts of cybersecurity staff.

Ultimately, Malcolmson believes, following those three main practices – consent-based hacking, a culture of empathy, and active engagement with the company community – will help legitimise red-teaming within a company and foster an overall positive dialogue that leads to constructive change.

“If we’re going to continue to grow as a relatively new kind of job inside of cybersecurity,” she explained, “we’ve got to focus on not just the tradecraft and our technical skills – but on the soft skills around that, and around how we communicate with the organisation to ensure we are getting the most value from the work we are doing.”

“We want people to respond to us in a positive way, as a positive force.”

Copyright © 2019 IDG Communications, Inc.
