Helpful Red Team Operation Metrics
Measuring progress and metrics across red team operations can be done in several different ways. In this post I will share some data points that I like to track during and across red team operations and that I believe translate to insightful metrics. This post is geared towards internal red teams (as opposed to consultancy).
I believe these data points are very insightful for red teams, blue teams, and members of management:
- Dwell Time Metric: Time from red team initial access until when red team is booted (Remediation Time - Initial Access Time). In other words, once the red team gained initial access, how long did they stay in before being completely removed from the network/environment? As you track this metric across operations, hopefully you will see dwell time shrinking to shorter periods of time.
- Time to Initial Access Metric: Time from when the red team started the operation (started the attack) until when they gained their initial access (Initial Access Time - Attack Start Time). I think this is an interesting metric to track across red team operations in order to reflect challenges the red team faces when attempting to gain initial access. Examples of operational challenges include phishing emails being quarantined before arriving in inboxes, network or host based preventions stopping a payload from running, or any other similar type of control that prevents the initial attack vectors from being successful.
- Time To Detection Metric: Time from red team initial access until blue team initial detection (Initial Detection Time - Initial Access Time). This detection can occur as an employee reporting something to blue or it may even be a detection or prevention sensor being tripped. Key thing to note with this metric — the detection timestamp used is the initial detection AFTER the red team has gained access to the environment (as opposed to a detection of the red team attempting to get into the environment). Also tracking what the initial detection method is across red team operations can be useful with seeing if there is a trend with how blue team initially finds the red team. As you track this metric across operations, hopefully you will see time to detection shrinking to shorter periods of time and happening earlier.
- Cyber Kill Chain Stage of Initial Detection: At what point in the Cyber Kill Chain was the red team detected? This is from the Lockheed Martin Cyber Kill Chain. Those stages include: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives. While there may be some differences in perspective with how relevant or useful these stages are, I still think the Cyber Kill Chain can provide useful data to map back to in terms of tracking how early in the kill chain the initial detection is happening. As you track this metric across operations, hopefully you will see this trending to earlier cyber kill chain stages.
- Time To Remediation Metric: Time from blue team initial detection until red team is booted (Remediation Time - Initial Detection Time). In other words, once the red team activity is detected how long does it take to enact and complete remediation steps? As you track this metric across operations, hopefully you will see this metric shrinking to shorter periods of time.
- Cyber Kill Chain Stage Reached: Tracking how far the red team is able to advance during operations. As you track this metric across operations, hopefully you will start seeing this trend from later kill chain stages to earlier kill chain stages.
Tracking these metrics above will require collaboration between both red and blue, as neither side alone will likely have enough data to generate the metrics above.
There are different ways to define different metrics. For instance some may refer to dwell time as initial access until initial detection. At this time there really are not any industry standards for these terms, so it is likely that you will run across different definitions for the terms above. I like to use the definitions above in my metrics as I believe they provide a straightforward understanding of things.
My goal with tracking the data points above is to help provide data to help answer questions such as:
- How effective are our remediation processes/steps?
- How specifically have red team ops helped improve our defenses and remediations?
- How is the blue team trending across operations?
- Are things getting harder or easier over time for the red team?
- What are we doing to shift our detections earlier in the attack life cycle?
I believe tracking the metrics above will help show the value of an internal red team program and also help quantify how red is helping to improve blue and how blue is challenging red team to grow and improve as well.
I have included a link to my very basic Red Team Operations tracking spreadsheet to help you with a starting point for tracking these metrics. The spreadsheet has columns for the items above and as you enter time stamps the spreadsheet will automatically calculate the dwell time, time to detection, and time to remediation. The spreadsheet also will automatically calculate trend graphs across operations. Link:
In a nutshell, having solid metrics that you can track across red team operations can go a long way. My intent with this post was not to try to make the metrics above a standard for others to follow. Instead, I just wanted to do a brain dump and help others who are looking for a starting place with tracking meaningful metrics. I hope you find this information useful!
