Top tips for CISOs using red teams

A clever way I have seen CISOs structure their red teams when the engagement needs to explore initial access vectors is to assume access to the system, so that part of the team can begin the post-access part of the engagement while another part works on gaining initial access, rejoining the group when (or if) they complete that phase. I have seen more mature organizations break these engagements into separate projects, sometimes stitching them together afterwards to tell a single story. One of my favorite examples was a financial organization that ran two initial access projects, a phishing campaign and an external exploitation attack, in parallel for eight weeks. The results of those engagements, which included the users who detonated the phishing payloads and the external systems the team had exploited, became the beachheads from which the red team was given access.

Keep egos out

The debrief after a red team engagement can often be very difficult. The red team is likely to reveal major failures in the organization's ability to detect and respond to the attack, and you have all the stakeholders sitting at the table, often hearing about those failures for the first time. Why didn't your SOC see the lateral movement? Why did your identity team turn off MFA for your business executives? Why did your security engineering team fail to deploy EDR to every host in the environment? It becomes very easy to start pointing fingers and assigning blame, leaving everyone angry, frustrated, and ashamed.

Remember, however, that the friendly team has just discovered major weaknesses before a real adversary did, and you now have the chance to correct them. Focus on creating an environment of honesty, humility and compassion. This does not mean people will stop having negative feelings, but setting that tone from the beginning will greatly improve the quality of the conversation.
