How do we best red team soft targets? It’s a timely question that a lot of people are no doubt asking today. Believe it or not, my (qualified) answer is that we shouldn’t, even though we must.1 If this sounds like a paradox, you’re right—it is. Here’s my reasoning:
- Your job is to spend your limited security dollars as effectively as possible.
- Soft targets are by definition vulnerable.
- Finding one more vulnerability among a soft target’s known vulnerabilities usually represents marginal benefit.
- Your red teaming dollar is better spent examining the whole system with the goal of finding upstream choke points.
- But you don’t own the whole system, nor do you have the budget to red team it if you did.
- So you’re left red teaming your soft target.
Go and continue reading the rest of Mark's article. It's good.
Now, while the logical red teamer in me aggrees with Mark's reasoning, my operational red teamer mindset says: "So what?".
While looking at the whole system is the best thing to start with, sometimes you really need to focus on the soft targets first. Why? Because it's where you expect the attacker to go first. Yet, based on experience, the attacker would probably go for the hard target. So, all your attention is focused on the one point you know is vulnerable, but you get breached from a point you thought it was well defended.
Think about it.
For this reason I would red team the soft targets from the very beginning, making it a diversionary tactics while at the same time I would attack a hard target.
EDIT: Mark updates his post after the comments here and they make perfect sense. Go read the post again. But here's one part that should be in your mind:
We have to be smart, and to me, smart means countering them upstream: at the border, when they attempt to buy a weapon, when they communicate with their colleagues—things we are to some degree doing already, but things we can do much better with superior red teaming.
Thank you Mark.