Handling logistics, meetings, and staying on track

An approach that has worked well in my career for project and operational planning is to keep it lightweight and focus on the people, rather than implementing a detailed task tracking system. Tracking the high-level deliverables via a simple tracking solution that allows you to highlight the start and end dates of tasks should probably suffice.

The detailed progress of a project can be tracked within the attack plan (maybe in encrypted OneNote files), which goes beyond the project management aspects and already merges a lot of the logistical with the technical details. This is the place where the team tracks details of tasks, draft findings, the results of scans, and so forth. Such a shared document allows the team and authorized individuals to get insights into day-to-day detailed progress and work. It's a complete logbook in many ways.

When it comes to planning, the best approach is to have the tasks revolve around the service offering of the team.

Team meetings

A sync meeting can be done rather quickly, just going over the high-level project plan to ensure the pipeline for operations is filled and that the dates all line up and make sense. This is also the time when any necessary customer communication around missing deadlines or the possible extension of a pen test can be discussed to make decisions accordingly.

A constant communication channel between the team and your internal customers during an engagement is an excellent way to ensure internal stakeholders loop you in for other conversations in the future. This can lead to great wins for the company in the future; for instance, when your team is contacted and can help find solutions to a tough problem early on during the design phase.

These team meetings are also the right place to share overall organizational announcements or have discussions about organizational challenges the team is observing. How often the team should have an official meeting depends on how close everyone works together during regular business hours. If the team is working closely together, syncs can be brief and focused on the most fundamental issues. It's good to have a form of regular walkthrough regarding what happens in the team sync. This is to avoid having to send out an explicit agenda on what will be discussed.

Working remotely

The topic of remote work comes up frequently, so it's worthwhile discussing how this relates to performing offensive security work. The benefit of operating via objectives during offensive security or following a dedicated attack plan is that it's easily possible to split work up into smaller pieces and have someone work on those tasks wherever they are.

If time zones allow, there can often still be regular team syncs with everyone included. Even if the time zones are off, this can be used to your advantage at times since it allows continuous operational engagement. I have experienced that it's better for individuals to work closely together since it makes it easier to build a strong team identity and morale. If everyone is remote, this might not matter, but, if only one or two members are remote, then individuals may experience a disadvantage since they are not included in many ad hoc conversations.

To mitigate these concerns, it is important to have a strict schedule for holding recurring team meetings and stand-ups that always include team members working remotely. It's also a great idea to make sure individuals working remotely have some form of office hours, to enable ad hoc conversations and have time to just catch up.

Continuous penetration testing

The idea of having the red team be continuously active is something that I encourage if your organization and program are mature enough. At times, there might be concerns from stakeholders about authorization and scoping when testing. A former employer once told me that the fact they hired me is due to authorization, to go and engage at will, as long as the agreed upon rules of engagement and procedures of the program are followed. The employer basically only wanted to know about the big objectives of the program and how it will help improve security and show progress over time. Some CISOs might want to micromanage a red team, which certainly is bad for the program.

"You do not want a red team that you can control"

– Red Team Journal Principle

Continuous resource adjustment

In case there are a lot of unexpected findings during a penetration test, there is always the option to send back the system under test to the engineering team and stop testing altogether.

Ideally, this is not necessary, but penetration testing resources are expensive, and you might not want the team to perform basic security testing tasks, such as validating access control or being the functional guinea pigs of the system under test.

Choosing your battles wisely

Organizations face a vast number of challenges when it comes to security. Some developers might even feel a form of fatigue with the number of requirements the security organization seems to come up with. The blue team might become overwhelmed at times as well, when there are too many findings and the offensive security team pushes too hard:

Figure 2.1: Red versus blue


There is a certain amount of traction the red team will get when demonstrating impact and proposing mitigations for vulnerabilities and flaws. So, don't waste your ammunition on turf wars or focus too much on being right. Do what's right for the organization.

Choose your battles wisely and when you commit to something, stay on track. It's better to do few things well than to do many things in a mediocre way or, even worse, abandon them after long investments. If something doesn't work or turns out to be not worth it in the long run, admit failure, backtrack, and learn from the mistake.

Getting support from external vendor companies

Bringing in external vendor companies to help with their expertise, which might be lacking in your organization, is a great way to augment forces. Some good advice is to get referrals or interview the consultants coming on board to ensure they fit in well and have the right skills and values. Personally, I have had great experience pulling in external vendors for pen testing throughout my career.

In case your organization is small, hiring a third-party vendor might be the only option to get offensive security coverage. It's always possible to augment internal and external pen test resources to build out a diverse team that can produce great results over time.

Due to the price tag, if the requirements for security assessments and red teaming grow beyond a certain size, it might be economically more suitable to build an internal team of full-time employees to cover the most important offensive objectives and critical assets continuously.