11 stakeholder strategies for red team success

These best practices will help ensure a successful red team exercise by getting all the stakeholders on the same page.


This seems counterintuitive, but red teams do not store sensitive company data on these devices, and secure configuration guidelines can still be enforced on them (20-digit passwords, MFA, disk encryption, etc.). Red teams should store any information gained or exfiltrated during an operation in a secure cloud environment. The device therefore serves only as a terminal for callbacks, and the commands issued from it should also be logged on a remote server. This arrangement benefits red teams directly: it is a waste of company time and resources to have them accidentally burn an IP address or malicious domain during testing weeks before the operation kicks off, only for the operation to end with the SOC celebrating a false-positive victory.

11. Don’t expand red team objectives mid-operation

It often happens that once objectives have been delivered and a scenario has been designed, another objective comes up. An audit is announced or a renewal is coming up, and adding a few more items to the list of objectives doesn’t seem like a huge ask. “Can’t we just have them add this while they’re in there?” The answer is no. Again, when a red team is in an environment, they have access to a lot of resources and could do a lot, but they stay on target and bypass anything that does not further the direct objective. Scope creep during an operation means they’re no longer working to an operations plan, which might include CTI-driven behavior limitations. Some objectives might seem closely related but need to be run as their own operation to stay true to red team tradecraft.

It boils down to effective policy

Just as security is everyone’s responsibility, the success of a red team is the responsibility of stakeholders and policymakers as much as of the operators themselves. Leaders are in a position to advocate for their offensive teams in the face of organizational politics, changes, and stakeholder views. We recognize we’re not always everyone's favorite department, but red teams can’t be effective while their hands are tied.

At the end of the day, they're there to do a job: securing the organization’s and customers’ best interests. You can do your part by breaking down silos, understanding and enabling proper tradecraft, and believing in and defending their methods when they come into question. Any red team would follow that leader into cyber warfare.

Copyright © 2022 IDG Communications, Inc.
