Rational Survivability has a question that I think is really interesting:
When a Red Team is engaged by an entity to perform a legally-authorized pentest (physical or electronic) with an explicit “get out of jail free card,” does that change the tactics, strategy and risk appetite of the team, were they not to have that parachute?
Specifically, does the team dial up or dial down the aggressiveness of the approach and execution KNOWING that they won’t be prosecuted, go to jail, etc.?
Read the whole article. What do you think?
First, I think that every red team project should have a get-out-of-jail letter. We carry this letter, signed by whoever hired us, with us at ALL times. This letter states who we are, what we are doing and the emergency contact within the organization we are testing. Having said that, on more than one occasion I've been knocked down and almost shot by a security or police officer. It was only after I was handcuffed that they found the letter, called the contact and I was released... with a black eye.
Second, in my opinion a proper red team exercise has its boundaries set by the organization being tested. They can request a specific test, they can request that the red team checks a part of the organization or the whole... They can also request a full-on red team assessment, in which case all domains are tested: digital, physical and social. They may or may not allow the use (or exploitation) of their 3rd-party vendors as a way in, although I usually try to convince them to let us do it. In any case, scope is important. Usually we go all the way on a full-on assessment; we don't tone it down. On the rest, well, it depends on the scope.
What are your thoughts?