Don’t Leave Hungry! Plan a Full Red Teaming Meal

Muddying the waters today is the growing gap between cybersecurity red teamers and red teamers of other kinds. I’ve done my best to define the differences, but it wasn’t until this week that I finally realized explicitly that the confusion isn’t just about types of red teaming, it’s also about red teaming roles.

Read more

Managing the Engagement Model

All adversarial assessments (red teaming, pentesting, threat modeling) employ an engagement model, defined here as a set of implicit and explicit parameters governing the nature, scope, and procedures of the assessment. Knowingly managing the engagement model is a key to success in nearly all forms of adversarial assessment. Ignoring and skipping aspects of the engagement model can lead to ambiguity, a false sense of confidence, and other downstream problems.

Read more

The Dilemmas and Illusions Model, Part 1

Whether knowingly or not, red teamers, pentesters, and threat modelers employ what we call engagement models: the implicit and explicit frames governing the red teaming engagement. These models commonly include defining details such as the threat actor to be emulated, the threat actor’s assumed operational code, the engagement’s time horizon and scenario, the rules of engagement, and so on.

Read more

Read More Borges

It is our opinion—and probably our opinion only—that a red teamer will learn more about red teaming by reading the short stories of Jorge Luis Borges than by reading any number of books on technical topics. “But how can it be,” the hardened technophile will ask, “that I have anything to learn from Borges, who lived and died in an era before big data, online shopping, and dank memes?” Of course, this question merely confirms the asker's status as a hardened technophile and underscores his/her urgent need to read Borges.

Read more

Gene Wolfe and the Unreliable Narrator

I went on a bit of a Gene Wolfe binge recently. If you like speculative fiction and haven't read any of his books or short stories, give them a try. One of the things you'll notice is that you can't trust the narrator. This is true of his highly regarded longer works such as The Book of the New Sun and The Fifth Head of Cerberus and of (most of?) his short stories such as "The Ziggurat," a disquieting and much-debated yarn.

Read more