A Simple Self Red Teaming Assessment or the Art of Red Teaming the Plans

The purpose of this small post is to help you identify threats and vulnerabilities, and help prevent them. Think about it as a: simple and effective self Red Teaming and it's the method we use to Red Team our plans.

Now, Let's define a few concepts that are important to understand.

  • Risk: is the the likelihood of being targeted by a given attack.
  • Threat: is what could happen.
  • Vulnerability: is the flaw or weakness that an adversary will exploit to make the attack successful.

To put it in other words: you have a lot of jewelry at home and you talk about it, so you are at risk of someone coming in and stealing that. The threat is that thieves can break into your house. And the vulnerability is that the lock you have in your door is easy to pick.

The process to run a simple self Red Teaming assessment can be divided in 3 parts (well, there are more, but for the sake of simplicity we can group them into these 3 parts):

  1. Identify the functions and processes (focus on the most important of them, the critical ones). Functions and processes are the main elements of your daily activities, or the main components of your products, or the main parts of your plans… You get the picture.
  2. Identify threats most likely to impact those processes and functions.
  3. Determine the vulnerabilities of critical functions and processes to those threats.

Start with the functions and processes. List them. Once you have identified them, identify which of those are really important.

Rank them according to criticality:

  • Critical: necessary and/or vital. Disruption will create a massive problem.
  • Essential: important but not critical. Disruption would cause difficulties, but you can recover.
  • Non-Essential: disruption is merely inconvenient.

Then rank those processes and functions by recovery time (times are examples here):

  • Immediate: 0 to 24 hours.
  • Delayed: 24 hours to 7 days.
  • Deferred: beyond 7 days.

Having these ranks, by criticality and recovery time, will help you assess how important a process or function really is. It will be clear to you which of those need more focus. Be aware, though, that sometimes a non-essential process can become critical only because the recovery time is long. So, play with this.

Next, try to identify the threats. These can be threats that may halt or disrupt each of the critical functions, or they can be long term threats, where effects may not be immediate but long terms.

Try to think like your competitor, or a bad guy trying to steal something from you. What are the things that can happen? What kinds of attacks? What is most likely to happen and when? What's less likely to happen?
Don't focus too much on the "most likely", place your focus equally on those that seem unlikely to happen. Maybe those are the ones that will be targeted by your adversaries.

Then, move into the vulnerabilities. It gets a little tricky here. Some people are good in seeing the possible attacks but not the actual problems. Try to enlist a second pair of eyes for this (well, for the threats as well).

Start by determining the vulnerabilities of each critical function and process. To really separate the critical threats, think about them like: Which of the threats identified above have the greatest likelihood of disrupting or attacking each critical function. How likely it is that a threat will occur. How often a threat is likely to occur.

Once you have this, try to identify a set of vulnerabilities that your adversary might exploit for each threat to become real. Now, this is where it gets tricky. You know your security, you know your products and plans and procedures. However, because you know them you might not see the problems. It really helps to have an external source for this part in particular. He or she might see things that you miss. Trust me on this one.

Now, once you have all this make a plan to respond to any of this, if and when it happens. Confirm that appropriate people and resources are in place to respond in a timely manner. Talk to your employees, or family about what you discovered. Enroll them into helping you find a solution and train them in what to do if a treat becomes a reality. Proper reaction time and disaster recovery can help you keep your business going even when your main plans or products have been disrupted.

And when an attack happens, and it will happen, learn from it. Start with the analysis again and factor in what you have learned.

Remember, when in doubt - Red Team it.