You've Gained +2 Perception! Leveling Up Your Red Team with a New Maturity Model

Presented at BSidesLV 2023, Aug. 9, 2023, 2 p.m. (Unknown duration).

The Red Team, helps an organization know itself. It asks questions. It challenges assumptions. It pokes holes, not just in ideas but also in an organization's technology so that the organization gets quantitative information about how well its security is doing. But how does a Red Team know itself? Red Teams need to possess a lot of different skills, cover a lot of different attack surfaces, and are often small in the personnel world. How can the team know that it's up to the task, and how can the team communicate that readiness to leadership so they have confidence in the data the team generates? This presentation will cover a new, first of its kind Capability Maturity Model to help solve that exact problem. It may not be the sexy new tool to pwn all the things, but if we as offensive security practitioners cannot relate to and support the business-side of the organization, we're not much better than actual hackers. We'll discuss how we got to this point and spend the bulk of the time discussing how new and established teams can employ the model to help plan for and report on continued maturity.

Presenters:

  • Brent Harrell
    Brent took the scenic route to security, beginning his career with a degree in Political Science and International Affairs and working for Uncle Sam for several years. He saw the light, though, and set out to apply his love for poking holes in things to technology instead of government work. He moved through threat intelligence and system security engineering before achieving his goal of joining a Red Team. He is now a Principal Engineer and the Red Team Lead at Humana.
  • Garet Stroup
    Garet is a self-described builder, breaker, and automator of things. He thrives when he can enable those around him to bring creative ideas and products to the table to keep things moving forward without getting stuck waiting for perfection. He has made a career of building threat and vulnerability management programs, governance, risk, and compliance programs, and now serves as the Director for Cyber Threat Simulation (all things offensive security) at Humana.

Links:

Similar Presentations: