A Red Team Maturity Model

A model to reference when gauging Red Team maturity, as well as to set goals and provide guidance when building internal Red Teams.*

The Matrix - This is the core of the model.

The Questions - Questions that need to be answered and understood at each level of maturity.

Meta - These are bits of wisdom that aren't covered in a standard maturity model, but will play a large role in the success of a Red Team.

The Matrix

The matrix has three maturity levels, Level 1 - Defined, Level 2 - Managed and Level 3 - Optimized, across four areas: People, Processes, Technology and Red Team. Within each area below, the items are listed in order of increasing maturity, from Level 1 through Level 3.

People
• Strong leadership support from Blue Team.
• Defined team roles and responsibilities.
• Defined capabilities per operator, e.g. developer, infrastructure support, etc.
• Training classes and time available, matched to the strengths and weaknesses of the Red Team.
• Operators considered Subject Matter Experts in targeted tech stacks and processes, e.g. cloud, finance, payment processing.
• Strengths, weaknesses and operator capabilities regularly evaluated.
• Organization-wide support for the Red Team.
• Internal professional development program, e.g. options to level up in certain areas given training, certifications, practical experience, etc.
• Job shadow opportunities defined for red/blue/SRE, etc.
• Dedicated developers, operators, leads, etc.

Processes
• Defined Rules of Engagement.
• Defined reporting processes and templates.[1]
• Defined deconfliction process.[2]
• Defined services, intake and output processes.
• Defined Mission Statement.
• Defined KPIs.
• Ability to measure Red Team impact.[3]
• Findings integrated into GRC processes and intakes, or dedicated remediation personnel.
• Defined run books for common TTPs.
• Risk scoring consistent with GRC and the rest of the organization's risk scoring procedures.
• Strong partnership with Legal.
• Defined processes and support for publishing and contributing open source tooling or knowledge.[4]
• Red Team impact leads to measurable organizational improvements such as blue headcount, training opportunities, systemic security posture, etc.
• Regular Red Team self-reflection and improvement cycles.

Technology
• Open source only capabilities (tools, vulns, exploits, C2s).
• Manual infrastructure, logging and labs.
• Custom tools and scripts.
• Lab with target environment tech stack.
• Automated infrastructure deployment.
• Automated logging and storage.
• Automation/validation of TTPs and blue controls.[5]
• Custom C2 and implant capabilities.
• 0-day exploit capabilities.
• Automated reporting capabilities.

Red Team
• Ad hoc operations and goals.
• Technology focused ops.
• Opportunity driven TTPs.
• Understanding of blue maturity.
• Metrics gathered per operation:
  - Mean time to (detect|respond|eradicate)
  - What processes were/were not followed?[6]
• Ability to answer the BASE Questions.
• Some proactive operations.
• TTPs based loosely on threat groups.
• Ability to answer the ADVANCED Questions.
• TTPs determined per operation based on Threat Intel.
• Accurate, intentioned emulation of a threat group's modus operandi.
• Long term operations addressing existential business risks.
• Proactively planned operations.
• Ability to leverage target technology SMEs (cloud, devops, finance, domain tech).
• Requirement to use novel TTPs in many cases to bypass defense.
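The "metrics gathered per operation" row asks for mean time to detect, respond and eradicate. As an added example that is not part of the original model, the script below computes those three means plus a detection rate from a per-technique timeline of one operation. The record layout, the idea of tagging each execution with an ATT&CK-style technique label, and every timestamp in the sample operation are assumptions constructed for illustration. The one design point worth noting is how misses are handled: a technique that was never detected counts against the detection rate but is excluded from the means, because averaging a miss in as a zero-hour detection would make the blue team look faster the more it missed.

```python
"""Per-operation detection metrics: mean time to detect, respond and eradicate.

Added example, not from the original page. Record fields, technique labels
and all timestamps below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class TechniqueExecution:
    """One TTP executed during an operation, with the blue team's timeline.

    A None timestamp means that stage never happened: a technique that was
    never detected was never responded to or eradicated either.
    """
    technique: str                    # assumed label, e.g. an ATT&CK ID plus a name
    executed_at: datetime
    detected_at: Optional[datetime] = None
    responded_at: Optional[datetime] = None
    eradicated_at: Optional[datetime] = None


def _mean_delta(pairs):
    """Mean of (end - start) in hours over the pairs where both ends exist; None if none do."""
    deltas = [(end - start) / timedelta(hours=1) for start, end in pairs if start and end]
    return mean(deltas) if deltas else None


def operation_metrics(executions):
    """Return detection rate and MTTD/MTTR/MTTE (in hours) for one operation.

    Undetected techniques lower the detection rate and are listed by name, but
    they are left out of the means rather than averaged in as zero.
    """
    detected = [e for e in executions if e.detected_at is not None]
    return {
        "techniques": len(executions),
        "detected": len(detected),
        "detection_rate": len(detected) / len(executions) if executions else 0.0,
        "undetected": [e.technique for e in executions if e.detected_at is None],
        # MTTD: technique execution -> first detection
        "mttd_hours": _mean_delta((e.executed_at, e.detected_at) for e in executions),
        # MTTR: detection -> first response action
        "mttr_hours": _mean_delta((e.detected_at, e.responded_at) for e in executions),
        # MTTE: detection -> eradication
        "mtte_hours": _mean_delta((e.detected_at, e.eradicated_at) for e in executions),
    }


# Constructed sample operation: three techniques, the last one never detected.
T0 = datetime(2023, 5, 1, 9, 0)
SAMPLE_OPERATION = [
    TechniqueExecution("T1566.001 phishing attachment", T0,
                       detected_at=T0 + timedelta(hours=2),
                       responded_at=T0 + timedelta(hours=3),
                       eradicated_at=T0 + timedelta(hours=8)),
    TechniqueExecution("T1059.001 PowerShell", T0 + timedelta(hours=4),
                       detected_at=T0 + timedelta(hours=5),
                       responded_at=T0 + timedelta(hours=5, minutes=30),
                       eradicated_at=T0 + timedelta(hours=9)),
    TechniqueExecution("T1003.001 LSASS dump", T0 + timedelta(hours=6)),
]

if __name__ == "__main__":
    for key, value in operation_metrics(SAMPLE_OPERATION).items():
        print(f"{key}: {value}")
```

Running it on the sample gives a detection rate of 2/3, MTTD 1.5 h, MTTR 0.75 h and MTTE 5.0 h, with the LSASS dump reported as undetected; tracking the same numbers across operations is what makes the "understanding of blue maturity" item measurable rather than anecdotal.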

References:

[1] https://redteam.guide/docs/templates/report_template/
[2] https://redteam.guide/docs/definition-lexicon/#deconfliction
[3] https://medium.com/starting-up-security/measuring-a-red-team-or-penetration-test-44ea373e5089
[4] https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes
[5] https://github.com/redcanaryco/atomic-red-team
[6] https://idart.sandia.gov/_assets/documents/2017-09-13_Metrics_QRS-Paper-Size.pdf
* https://medium.com/@malcomvetter/how-to-create-an-internal-corporate-red-team-1023027ea1e3

The Questions

The Questions are the sets of questions that need to be answered at a given maturity level. The answers are highly dynamic and should be reviewed frequently.

Base Questions

What does blue assume about their own abilities?
Who/What is targeting your organization?
What are your organization's crown jewels?
Where are the strengths and weaknesses of the blue team?
How do employees gain and lose authorization to access data and systems?
What assets are important?
What does the perimeter look like?

Advanced Questions

Where does the critical data live, and how is it transferred between systems?
Who has access to the critical data? Who is supposed to have access to it?
What processes are critical?
What supply chains have the greatest impact on the org?
How does the company function? This is a loaded question; it includes culture, salary, hiring techniques, etc.

Disclaimer

This is not one size fits all; the matrix should be modified to fit the needs of your organization.

This model is based on my limited experience working as a Red Team Operator, not from experience building and running Red Teams.