Red Teaming: Making sure no one loses.

As an SRE focused on security I've been on both sides - on the security response team ("Blue Team") protecting internal systems, as well as on the offensive security team ("Red Team") probing these internal systems with realistic attack scenarios to prepare for an effective response.

When I was on the defensive side and a Red Team operation concluded, I would often informally debrief with members of the team involved thinking that they had just "won" by evading the response team (who had just "lost").

In this talk, I'll explain how this approach can be harmful to both sides of the organization, and drawing from lessons learned participating in Red Teams, learn how we need to plan appropriately to ensure both teams can work together in harmony rather than competition.

A lot of people may hold the view that a Red Team finds a weakness and uses it to compromise as much as possible.

The best perspective for planning a Red Team exercise is to think of preparing a prize fighter (your response team) for a major fight.

If you as the Red Team come in "too strong" and use techniques that are not those of a "realistic" attacker you run the risk of convincing the responding team the battle is unwinnable and can tire out your responding team for any upcoming threats.

Similarly, coming in "too weak" and not using new techniques that external attackers have developed potentially leaves your response team unprepared for realistic threats.

The best case situation is to walk the fine line in the middle, leaving enough breadcrumbs for a response team and helping them reason about future plans for protection and telemetry - guiding them to "level up" the internal infrastructure and skills to prepare for attackers.