
This chapter presents the final version of the comprehensive agile red teaming framework. The model is constructed with the following ideas:

1. A framework needs to be produced with continuous activities, flexible phases, steps and product backlog to gain comprehensiveness.

2. Agile Water-Scrum-Fall mentality needs to be followed when executing the framework.

3. Consecutive phases and steps receive input from the previous ones. This emphasizes the importance of structured process and planning.

4. Structured problem solving requires defined steps inside phases, with activities and products, in order to be understandable and repeatable. Steps control change during the process, and the scope can be altered adaptively.

5. Provide is the most important phase for creating better products, policies and processes. The Engage and Planning phases are the tools that enable the Provide phase.

6. Management needs to buy into the red teaming idea. Therefore, the framework needs to be easily communicable to the right personnel.

7. Red teams need to be educated in using the framework effectively.

The CART framework declares that a company has a baseline capability. The BASELINE is the prerequisite for all the other phases and is constantly developing. Baseline has only one step: the internal development which creates the baseline capability. Internal development consists of adopting the idea of the comprehensive agile red teaming framework. This adoption includes preparation of platforms for communication, intelligence, tooling and a service portfolio which has predefined product backlogs and courses of action. These reusable components are the building blocks of the framework. Internal development includes the active business domain and threat intelligence efforts, which are needed to build realistic adversary emulation methods and a picture of the business environment. Development and training of the red team's own and affiliated personnel is continuous.

The CART framework has five continuous activities which are driven by the red team leader and conducted by the team:

1. Planning is a structured activity to scope, define and solve a given assignment (problem). Planning defines the objective (what), timeline (when), environment (where), resources (who) and rationale (why) for the execution of the assignment. The plan describes how the assignment is conducted, including the breakdown of the product backlog, tasks and responsibilities.

2. Intelligence is a systematic methodology to collect, analyse and disseminate information from several sources and domains. It builds the situational awareness which is a prerequisite for planning, targeting and conducting red team efforts.

3. Targeting is a structured process to analyse systems and create means to deliver effects to those systems. Targeting receives inputs from planning and intelligence. System analytics is used to describe the target system architecture and break the system down to component level.

4. Communication – Internal communication is an essential element of leading and developing the red team through all phases of the assignment. External communication with the client is a prerequisite for defining objectives and raising awareness. It is needed for co-ordination and reviews during engagement and has a significant role in successful follow-on activities during the Provide phase. Collaboration platforms provide the technical capabilities for communication in all activities.

5. Assessment is a continuous activity that supports decision-making by analysing progress towards objectives and changes in the environment. Assessment consists of monitoring, evaluation and feedback to all other activities.

Reviews and retrospective are the main tools for assessment.

The CART framework has three phases which are divided into steps as depicted in figure 43 below. The detailed framework with product examples is in ANNEX 6.

FIGURE 43 Simple CART Framework.

1. PLAN – This phase includes intelligence preparation of the environment and analysing the scope of the future assignment. A concept of operation (CONOPS) is created to manage the future assignment. The planning phase has three steps.

1.1. SCOPE – During this step an initial scope is defined with the client. The scope is based on the maturity and needs of the client.

1.2. CONOPS – Environment and initial factor analysis are done. These create the basis for the choice between courses of action and plans for the engagement. The CONOPS is presented to the client for adjustment and approval.

1.3. PLAN – Detailed planning and analysis are done along with product backlog and sprint planning. This includes the intelligence collection plan and target system analysis.

2. ENGAGE – During this phase the active intelligence gathering, social engineering, network operations and other actions are commenced. The engagement phase does not have a fixed number of steps; it depends on the depth and breadth of the assignment.

2.1. INTEL 1 – A collection-focused step which builds the understanding of the comprehensive target architecture. This might include initial entries.

2.2. INTEL X – Several intel steps can be taken depending on the complexity and size of the target. The following steps should be more focused on analysis and post-initial-compromise activities like lateral movement and persistence.

2.3. ATTACK – This step aims to launch the attacks to provide the effects needed for the target (DDoS, Locker, Wiper, Manipulation, Physical, etc.). If the production environment is not in use, a simulation needs to be conducted which aids in the presentation.

2.4. CLOSE – Removal of modifications and malware from the client's systems and remediation of social engineering effects. A sufficient time slot is reserved for team reporting and preparation of the next phase.

3. PROVIDE – This is the phase where the results of the engagement are reported to the client along with a remediation plan which includes the consecutive steps. The goal is to reassess, design and implement better security. Training and raising awareness of the client's employees supports the implementation. This phase has five steps.

3.1. PRESENT – During this step the results are presented to the client in meetings, workshops and reports. A remediation plan is also introduced.

3.2. ASSESS – The first step in remediation is the comprehensive assessment of current policies, risk management and controls to provide an overview of the security situation and corrections.

3.3. DESIGN – This step is taken to improve the previous assessment's artifacts with corrective measures. User participation from client-side non-security branches is encouraged to increase commitment to security.

3.4. TRAIN – Various training initiatives are carried out at all levels of the company. Training supports the implementation of newly designed security items, raises awareness and teaches the employees to mitigate crisis situations in simulations and tabletop games.

3.5. IMPLEMENT – Support the client in technical and policy implementation issues along with monitoring and threat intel.

The framework consists of products that are created during the steps, i.e. intelligence collection plan, concept of operation, target system analysis, etc.

Products are only examples in the framework. The product backlog is created and tied to the steps. Some products are refined constantly during multiple steps and are considered living documents/products. Detailed products and descriptions call for future research. Examples of products are depicted in Annex 6.

The scope of this study is wide and therefore the results can be considered only general (Siponen & Klaavuniemi, 2019). The significance of this framework lies in its novelty and the possibility to adapt it to any red team's purposes due to its general outcome. There are existing standards for penetration testing (PTES, 2014) and attack generation (Mitre, 2018) as well as kill chain completion (Hutchins et al., 2011), but none of them gives a picture of the actual process of how the entire operation could be planned and executed.

The usability of military and agile methods is proven in the business world and on the battlefield. The framework delivers a good base for future work like building the taxonomy and product catalogue for the red teaming effort. Platforms to communicate and manage red teaming operations need to be developed as well.

The supporting literature base for the framework comes from information security research and standards (ISO, 2018; NIST, 2013; The Institute of Risk Management, 2002). Information security lifecycle and risk management principles support the framework's cyclical nature, phases and steps (Raggad, 2010; Baskerville, 1991; Baskerville, 1993; Tsohou et al., 2006). Knapp et al. (2009) provided an information security policy process model that this study extends to the field of red teaming.

Military adaptive planning and execution framework, mission command, intelligence cycle and targeting are the results of combat-proven best practices combined with scientific studies. These methods deliver structured problem-solving techniques and the basis for various deliverables to the framework (US Joint Chiefs of Staff, 2017; US Joint Chiefs of Staff, 2013; US Joint Chiefs of Staff, 2013b; Department of the Army, 2012).

Agile methodologies have been removing bureaucracy and hierarchy from teamwork for decades by creating productivity, quality, speed and better morale for the personnel (Hilbert, 2017; Beck et al., 2001; Sutherland & Schwaber, 2011; Sugimori et al., 1977). Agile scaling methods create possibilities to optimize the value chains for the whole enterprise, not just the single agile team (Laanti, 2012; Leffingwell, 2007).

9 CONCLUSIONS

“The road to wisdom? Well, it's plain and simple to express:

Err and err and err again

but less and less and less.”

- Piet Hein

Mistakes were made during this research process, but we learned from them.

Self-criticism is the opposite of overconfidence, which is the road to complacency.

Red teaming, if properly adopted, can be a structured way of avoiding complacency in organizations: a constructive method for exposing the organization and its functions to critique and improvement.

The research problem was to create a comprehensive, agile red teaming framework by combining the adaptive planning and execution framework with the information security context. Design science research methodology was used to solve this problem (Peffers et al., 2007). A solid knowledge base and environment description about red teaming and information security was completed in accordance with the information systems research framework (Hevner et al., 2004). Adaptive planning and execution framework, intelligence, targeting and agile methodologies were introduced to support the creation of the framework in the information security management context. Challenges in current red teaming operations were identified by a survey of five cyber security companies. The challenges were remediated by success factors identified from the literature and the survey. The initial framework was created, and it underwent two Delphi iterations with subject matter experts and was refined according to the responses. This study presented interesting connections between military and agile practices and how they can be adapted together in red teaming.