Additional responsibilities of the offensive program

So far, we have pointed out some of the core tasks that a red team program will be carrying out. There are additional responsibilities that should be looked at and possibly be integrated into the program. Let's look at some of them in more detail.

Security education and training

The offensive security team can help change the culture of an organization and help improve the overall security IQ. As a part of operations, pen testers learn a lot about the people, processes, and technologies of the organization. The offensive team is also in a powerful position to ignite cultural change and help the organization improve its unique understanding of security.

Increasing the security IQ of the organization

In tandem with education and providing training, the job of the offensive program should be to improve the security IQ of the entire organization, including blue teams, service and product teams, human resources, and finance.

Gathering threat intelligence

One role the offensive program might fill is the task of gathering threat intelligence to understand current trends in offensive security and what threat actors are active and what new techniques, tools, or processes threat actors are building or leveraging at the moment.

Especially in a smaller organization, where you don't have a dedicated threat intel program, it will be the red team's job to be up to date with the latest trends and threats, and know what data related to the organization flows around in the dark web.

Informing risk management groups and leadership

Another area the red team should be involved in is shaping and actively contributing to the risk management process of the organization. Information security threats might not be correctly considered when risk stakeholders discuss the risks the business faces.

The offensive program can provide insights into malicious activity that can result in critical business impacts. Additionally, an offensive program can highlight process flaws where too many people have unfettered access to information or capabilities that could accidentally affect the business negatively and cause lasting damage due to human error without malicious intent.

The security industry is focused on qualitative measurements and security scores. More meaningful ways to express risks are needed. In Chapter 3, Measuring an Offensive Security Program, we will explore other ideas about how to communicate risk.

Integrating with engineering processes

It is advisable that the red team program integrates and has regular checks with engineering and other relevant stakeholders for evaluation. If such collaboration does not exist, it's time to work on it. Lack of visibility is often why vulnerabilities that could have been discovered and mitigated early on make it into production. Smaller organizations may need an engagement once per year, while large commercial organizations may benefit from multiple assessments per year.

Such integration ensures that regular security assessments are performed, and that the security team can plan more complex red teaming operations that leverage and integrate the newest systems and services built to provide the best value.

Another idea in this regard is to require a recurring offensive drill for each business group.

I feel like I really know you – understanding the ethical aspects of red teaming

It is as creepy as it sounds, and something that is not much talked about, despite being the reality for offensive security engineers. An offensive security engineer will end up knowing secret and unfixed vulnerabilities. This includes passwords that people choose. With this knowledge comes great ethical considerations and professionalism that security engineers need to demonstrate.

Things can become odd and stressful—imagine learning that someone uses the password ID0ntWantTOL1ve!. Or imagine an offensive security engineer who comes across illegal content during an operation. Additionally, it is likely that, at times, an offensive security engineer will cross paths with true adversaries during their daily duties.

As I said, this is not something that is talked about a lot, and with knowledge comes a certain amount of stress related to potentially knowing things about people, processes, and technologies that put offensive security engineers in an ethical dilemma. A manager's job is also to make it certain that there is a place for offensive security engineers to seek guidance and counseling (from both legal and psychological experts). Additionally, if someone uses their work computer for private purposes, such as banking or email, an offensive engineer might get exposed to personal information of an individual as well.

Rules of engagement and standard operating procedures are there to help guide the handling of such matters, and we will describe both in this part of the book.

The phrase I feel like I really know you came from one of the best red teamers I had the opportunity to work with over the years – you know who you are.