The guy’s last podcast made me really think about how I see red teaming; not just today but in the past and into the future. So, I thought it may be a good idea to try to explain how I see it (since this is my first real blog post, no pressure).
For me, testing has not always accurately reflected the actual tactics, tradecraft, or simple, pure grit and determination of a real-world adversary. My personal introduction to red teaming, as I remember it, was understanding the process of viewing a problem from an adversarial perspective, within the target environment. At its core, it is really proactive problem-solving, but problem-solving before you know you have a problem.
It is the process of challenging assumptions and identifying vulnerabilities to make the environment you are testing more productive and secure, and not easily attacked, compromised or influenced.
Your team needs to have the ability to understand and tap into the mindset of the adversary within the target environment and understand the climate from every viewpoint, not just digital. This is why having a diverse team is so important. People from different walks of life see angles that you will not. Having a range of different experiences, cultures, and perspectives in your corner, the red corner, is critical.
This will allow you and your team to adapt and play out worst-case scenarios holistically. Nothing should prevent your team’s minds from working that environment and seeing how it comes out on the other side, in a practical sense - this should be the ultimate pressure test.
When the practical part of the engagement is completed, relaying the threats and the underlying risk to the business, and advising how to manage those risks, is essential. This is where the red team will communicate their findings at multiple levels, in both visual and written context. This will allow the business to take a real-world perspective of their risk and decide how to move forward safely and securely.