A Red Team Maturity Model
A model to reference when gauging Red Team maturity, as well as set goals and provide guidance when building internal Red Teams.*
The Matrix - This is the core of the model.
The Questions - Questions that need to be answered and understood at each level of maturity.
Meta - This are bits of wisdom that aren’t covered in a standard maturity model, but will play a large role in the success of a Red Team.
|Level 1 - Defined||Level 2 - Managed||Level 3 - Optimized|
|People||•Strong leadership support from Blue Team.
•Defined team roles and responsibilities.
•Defined capabilities per operator. Eg. Developer, Infrastructure support, etc.
•Training classes and time available as pertains to strengths/weaknesses of Red Team.
|•Operators considered Subject Matter Experts in targeted tech stacks and processes. Eg. cloud, finance, payment processing.
•Strengths, weaknesses and operator capabilities regularly evaluated.
•Organization wide support for Red Team.
•Internal professional development program. Eg. Options to level up in certain areas given training, certifications, practical experience, etc.
|•Job shadow opportunities defined for red/blue/SRE, etc.
•Dedicated developers, operators, leads, etc.
|Processes||•Defined Rules of Engagement
•Defined reporting processes and templates.
•Defined deconfliction process.
•Defined services, intake and output processes.
•Defined Mission Statement
|•Ability to measure Red Team impact 
•Findings integrated into GRC processes and intakes or dedicated remediation personnel.
•Defined run books for common TTP’s.
•Risk scoring consistent with GRC, rest of organizations risk scoring procedures.
•Strong partnership with Legal.
|•Defined processes and support for publishing and contributing open source tooling or knowledge.
•Red Team impact leads to measurable organizational improvements such as blue headcount, training opportunities, systemic security posture, etc.
•Regular Red Team self reflection and improvement cycles.
|Technology||•Open source only capabilities (tools, vulns, exploits, C2s)
•Manual infrastructure, logging and labs.
| •Custom tools and scripts.
•Lab with target environment tech stack.
•Automated infrastructure deployment.
•Automated logging and storage.
•Automation/validation of TTP's and blue controls.
|•Custom C2 and implant capabilities.
•0 or N-day exploit capabilities.*0 and N-days may include custom in-house applications.
•Automated reporting capabilities.
•Ability to adapt technology maturity based on threat actor emulation and organization needs.
|Red Team||•Ad hoc operations and goals.
•Technology focused ops
•Opportunity driven TTP's
•Understanding of blue maturity
•Metrics gathered per operation:
Mean time to (detect|respond|eradicate)
What processes were/not followed?
•Ability to answer the BASE Questions
|•Some proactive operations
•TTP's based loosely on threat groups
•Ability to answer the ADVANCED Questions
•TTP’s determined per operation based on Threat Intel
|•Accurate/intentioned threat group emulated modus operandi
•Long term operations addressing existential business risks.
•Proactively planned operations .
•Ability to leverage target technology SMEs (cloud, devops, finance, domain tech)
•Requirement to use novel TTP’s in many cases to bypass defense.
•Ability to modify operation types based on Organization needs. Eg. Tables tops, Unit testing, etc
https://idart.sandia.gov/_assets/documents/2017-09-13_Metrics_QRS-Paper-Size.pdf https://medium.com/@malcomvetter/how-to-create-an-internal-corporate-red-team-1023027ea1e3 https://firstname.lastname@example.org/how-to-build-an-effective-red-team-e5a49aa4c0cc#2a46
The Questions are sets of questions that need to be answered at a given maturity level. The answers are highly dynamic and should be reviewed frequently.
What does blue assume about their own abilities? Who/What is targeting your organization? What are your organizations crown jewels? Where are the strengths and weaknesses of the blue team? How do employees gain and lose authorization to access data and systems? What assets are important? What does the perimeter look like?
Where does the critical data live, and how is it transferred between systems? Who has access to the critical data? Who is supposed to have access to it? What processes are critical? What supply chains have the greatest impact on the org? How does the company function? This is a loaded question, it includes culture, salary, hiring techniques, etc.
Understanding the threats facing your organization will help you determine what parts of this model are valuable, and which parts should be discarded.
Understanding the security maturity of your organization will help you determine what parts of this model make sense to adopt, and which parts should be discarded.
Understanding what leadership wants out of your Red Team, will help you determine what parts of this model make sense to adopt, and which parts should be discarded
Red Teaming is not a one size fits all.