A Simple Self Red Teaming Assessment

Oct 2014

The purpose of this article is to help you identify and understand threats and vulnerabilities, and put a plan in place to prevent them. Think about it as a simple and effective self red teaming assessment. It's the method we use to red team our plans.

Let's define a few concepts first:

To put it as an example: if you have a lot of jewelry at home and you talk about it, you are at risk of someone hearing about it and coming in to steal it. The threat is that thieves can break into your house to steal your jewelry, and the vulnerability is that the lock on your door is easy to pick.

The process to run a simple self red teaming assessment can be divided into three parts (well, there are more, but for the sake of simplicity we can group them into these three):

  1. Identify the main functions and processes (focus on the most important and critical ones). Functions and processes are the main elements of your daily activities, or the main components of your products, or the main parts of your plans... You get the picture.
  2. Identify threats most likely to impact those processes and functions.
  3. Determine the vulnerabilities of critical functions and processes to those threats.

Start by listing them, with a focus on those that are really important. Mark them as such.

Rank them according to criticality:

Then rank those processes and functions by recovery time (times are examples here):

Having these ranked by criticality and recovery time will help you assess how important a process or function really is. It will be clear to you which of those need more focus. Be aware, however, that sometimes a non-essential process can become critical simply because its recovery time is long. So, play with this.

Next, try to identify the threats. These can be immediate things that may halt or disrupt each of the critical functions, or they can be long-term threats, whose effects may not be immediate but build up over time.

Try to think like you're a bad guy trying to steal something from you or trying to cause you pain. What are the things that could happen? That could break? That could be exploited to reach the end goal? What kinds of attacks are most likely to happen, and when? What's less likely to happen? Don't focus too much on the "most likely"; place equal focus on those that seem unlikely to happen. Maybe those are the ones that will be targeted by your adversaries.

Then, move into the vulnerabilities. It gets a little tricky here. Some people are good at seeing the possible attacks but not the actual weaknesses and problems that may enable them. Try to enlist a second pair of eyes for this (well, for the threats as well).

Start by determining the vulnerabilities of each critical function and process. To really separate the critical threats, ask yourself: Which of the threats identified above have the greatest likelihood of disrupting or attacking each critical function? How likely is it that a threat will occur? How often is a threat likely to occur?

Once you have this, try to identify, for each threat, the set of vulnerabilities your adversary might exploit to make it real. Now, this is where it gets tricky: you know your security, you know your products, plans and procedures. However, because you know them, you might not see the problems. It really helps to have an external source for this part in particular. He or she might see things that you miss. Trust me on this one.
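To make the three steps concrete, here is an added worked example in Python; it is not from the original article. It encodes the function ranking (criticality plus recovery time), the threat scoring (likelihood and frequency against the most important function hit), and the threat-to-vulnerability mapping as a small risk register. The criticality tiers, the recovery-time thresholds, the 1-3 likelihood and frequency scales, and every function, threat and vulnerability in it are constructed assumptions for illustration. It also shows the case noted earlier: a non-essential function with a long recovery time ends up ranked alongside the essential ones.

```python
from dataclasses import dataclass, field

# Assumed criticality tiers (higher = more critical).
CRITICALITY = {"essential": 3, "important": 2, "non-essential": 1}


def recovery_tier(hours):
    """Map an estimated recovery time to a 1-3 tier. Thresholds are assumptions."""
    if hours <= 24:
        return 1
    if hours <= 24 * 7:
        return 2
    return 3


@dataclass
class Function:
    """A business function or process from step 1."""
    name: str
    criticality: str        # key into CRITICALITY
    recovery_hours: float

    def priority(self):
        # Take the max, not the sum: a long recovery time alone is enough
        # to make a non-essential function critical, as the article notes.
        return max(CRITICALITY[self.criticality], recovery_tier(self.recovery_hours))


@dataclass
class Threat:
    """A threat from step 2, with the vulnerabilities from step 3 that enable it."""
    name: str
    likelihood: int         # 1-3: how likely it is to occur at all
    frequency: int          # 1-3: how often it is likely to recur
    targets: list           # names of the functions it would disrupt
    vulnerabilities: list = field(default_factory=list)


def rank_functions(functions):
    """Order functions by combined priority, then criticality, then recovery time."""
    return sorted(
        functions,
        key=lambda f: (-f.priority(), -CRITICALITY[f.criticality], -f.recovery_hours),
    )


def rank_threats(functions, threats):
    """Score each threat as likelihood * frequency * priority of the worst function hit."""
    prio = {f.name: f.priority() for f in functions}
    scored = [(t.likelihood * t.frequency * max(prio[n] for n in t.targets), t)
              for t in threats]
    return sorted(scored, key=lambda s: (-s[0], s[1].name))


def build_register(functions, threats):
    """Flatten into rows, one per (threat, vulnerability), highest score first.

    A threat with no vulnerability listed is flagged so it gets a second pair of eyes.
    """
    rows = []
    for score, t in rank_threats(functions, threats):
        for v in t.vulnerabilities or ["NO VULNERABILITY IDENTIFIED - review"]:
            rows.append({"score": score, "threat": t.name,
                         "targets": t.targets, "vulnerability": v})
    return rows


# Constructed sample data for a small shop (not real).
FUNCTIONS = [
    Function("order processing", "essential", 4),
    Function("payroll", "important", 48),
    Function("archive backup", "non-essential", 24 * 30),  # a month to rebuild
]

THREATS = [
    Threat("power outage", 3, 2, ["order processing"], ["no UPS on the till"]),
    Threat("ransomware", 2, 2, ["order processing", "archive backup"],
           ["backups are online and writable", "unpatched workstations"]),
    Threat("insider data theft", 1, 1, ["payroll"]),
]

if __name__ == "__main__":
    for f in rank_functions(FUNCTIONS):
        print(f"{f.priority()}  {f.name:18} {f.criticality:14} {f.recovery_hours:>6.0f}h")
    for row in build_register(FUNCTIONS, THREATS):
        print(f"{row['score']:>3}  {row['threat']:20} -> {row['vulnerability']}")
```

Run as a script it prints the ranked functions followed by the register. Using the maximum of the two tiers rather than their sum is the design choice that lets "archive backup" rise to the top tier on recovery time alone; the flagged row for a threat with no identified vulnerability is the point at which the article's advice to bring in an outside pair of eyes applies.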

Once you have all this, make a plan to respond to and mitigate any issues found, both proactively and if and when they happen. You build resiliency, and you create an Incident Response Plan. Confirm that appropriate resources (and people) are in place to respond in a timely manner. Talk to your family/employees about what you discovered. Enroll them in helping you find a solution and train them in what to do if a threat becomes a reality. Proper reaction time and disaster recovery can help you keep your business going even when your main plans or products have been disrupted.

And when an attack happens, and it will happen, learn from it. Start with the analysis again and factor in what you have learned.

Remember, when in doubt - red team it.