The unfortunate result of a competitive relationship
Since the dawn of Tiger Teams (in the 1970s — Wikipedia) which in some regards spawned “Pentesting” (in the late 1980s and 90s — Wikipedia) and finally into “Red Teaming” post 9/11 (2001–2003 — Wikipedia) it has always been a “competition” between the defenders and attackers. Even today, we hold competitions called “Cyber Collegiate Defense Competition” (CCDC) where blue teams from colleges are pitted against a professional red team.
Problem is, while competition is healthy and helps to drive innovation, it kills all possibility of trust. Red Teamers / Pentesters, how many times have you heard the phrase “If I told you that, that would be cheating”. Blue Teamers / CIRT Analysts / CIOs, how many times has a Red Team or Pentester showed off how awesome they were when they used “inside” knowledge to pop one of your systems.
This has got to stop.
We as an industry (very specifically the pentest/cirt relationship) have been stuck in a rut for DECADES. While the “purple team” ideals certainly are a move in the right direction, I still watch conference talks, webinars, and podcasts that just bleed the confrontational / competitive attitude that “purple” is supposed to be against.
Working together to make an organization better is the purpose of these tests right?. I can already hear you saying it:
“but Rob, if we don’t get in they won’t hire us back” — Red Teamer
“but Rob we need to be seen as “elite” or the customer will go somewhere else” — Red Teamer
“but Rob, I just want to shove it in that smug Red Teamer’s face that we caught them!” — Blue Teamer
“but Rob, If we don’t catch the Red Team it will affect how our managers see/rate us in the next review” — Blue Teamer
These are all valid concerns today, which is truly sad, because instead of doing what we (on both sides of the fence) are paid to do, it becomes a reputation thing. Either the CIRT or the Red Team will win this, but the organization always loses as it isn’t what they are paying for.
Imagine if you told the CFO of a big company that you were going to spend $50,000 so that some outside consultants and your CIRT could play video games for a week or two. At the end of that time, there would be a report on who won the most points, and some things about some random vulnerabilities in the org. Personally I think the CFO would fire you on the spot.
How do we fix it?
First, we need to go back into those board rooms we hate so much and explain the paradigm shift that needs to happen and that it can’t directly affect performance reviews. This will help, but the biggest hurdle is step two.
Second, since this is our bailiwick, Red Teamers, we need need to be the agents for change here. Put away that wonderful pride you have in your work and lets get down to fixing things. This has to be an active thing, “being nice” won’t cause change in mindsets. Ask your clients for their internal IP space, ask for what incident response procedures they have in place, ask about what phishing mitigations they have, ask what password policies they have in place? Do they have a WAF? Is it in front of all of their web apps? What does their badge system look like? Ask all the things. And when they ultimately come back with the “that would be cheating” or “I’d like this to be more of a black box to see how far an attacker could get” that is when you have the opportunity. Talk to them, explain that they are paying for your expertise for a week, two weeks, 3, help them to maximize the time they are paying for to test and break as many things as possible, even if that means “cheating”.
One of my best experiences at seeing this work well was at GE when I got to work hand in hand as a Red Teamer with the awesome CIRT they have there, solving issues, up and down the IT/Infosec stack. Sure, this “same-team” mentality was easier because we were employees of the same company, but there is no reason why the same trust can’t happen with outside consultants, but someone has to put the hand of trust out first. “I trust you not to screw me” is a really hard thing in a community of untrusting-by-nature people, but we need to get to that point to start making a difference.
Because I’m tired of fighting this mindset alone. I know I’m not, but it certainly feels like it now that I’m back out in the consulting world.
— Your friendly Infosec Tree Hugger