Live security evaluations are essential to the good security health of an organization. An evaluation performed by a skilled internal organization—or a qualified third party—allows an organization to objectively test its security measures and defensive capabilities. This not only helps evaluate the effectiveness of existing security controls which may require remediation, it also identifies blind spots that represent pockets of previously-unknown risks to the organization.
When your organization evolves to a level of maturity in which active defense evaluation becomes a part of the security process, there are bound to be many concerns about the scope of the evaluation, the safety of the evaluation, and the risk of performing such an assessment. This is especially true when evaluating a live network; the greater the concern of network availability, the greater the importance of an active evaluation. If an organization fails to identify critical security vulnerabilities, it is only a matter of time before a malicious attacker does.
Fortunately, performing an active evaluation comes with one big advantage over having a malicious actor expose an organization’s weaknesses: the ability to structure a security incursion which produces maximum results without degrading or damaging the organization itself. Though capability and competence are at the core of a good evaluation, neither are a substitute for the solid foundation that comes as a result of well-defined Rules of Engagement (ROE).
ROE are critical to the success of an active defense evaluation, whether this comes in the form of an external penetration test, an internal penetration test, a combination red team/blue team engagement, or a holistic advanced threat simulation. ROE defines how all aspects of the engagement should be conducted; they set boundaries on systems, tactics, and personnel. Not only do they level-set and clarify expectations, they also provide the core guidance which will help optimize the value of the exercise. Importantly, they also paint clear lines of responsibility for both the testing entity and the recipient of the test.
A well-crafted ROE document should, at a minimum, provide three critical functions and answer key questions for each:
- Define who is controlling the evaluation, and the boundaries for the controllers. Is the red team going too far? Are critical assets being endangered? Is the blue team following the intent of the testing event? Are there areas that need further exploration?
- Inform the “attackers” where their boundaries are. Is physical breach allowed? What about social engineering? Key loggers and devices? Are there any subnets or systems that need to be left alone, for any reason? Are there any individuals who are out of play? Will “attackers” be hunted in physical space as well as cyberspace?
- Inform the “defenders” where their boundaries are. Who needs to be available to answer questions? Who is authorized to make the “go/no-go” call if a unique situation arises? Is active detection involved (red vs. blue team)? If so, is physical detection (security guards, cameras, etc.) in play? What behaviors are off-limits? What is considered “gaming the system” during an evaluation?
Live security assessments have two key goals: “testing security” and/or “training the defenders”, as bounded by real-world constraints, translated into the rules of engagement. Many of the real-world constraints that consistently impact security assessments come from the pragmatic world of program management, where one is often forced to balance between time, cost, and quality. If we modify this to change “quality” to “level of depth”, and include the operational concern about risk (damage) to operations, we arrive at a valid framework and foundation for developing the Rules of Engagement.
With these programmatic boundaries in mind, one can better tailor the ROE to fit the engagement. The ROE, in turn, can be tailored to maximize the potential of an engagement. Following these simple guidelines will provide the best security review possible.