Defining the mission – the devil's advocate

At a high level, one of the best ways to look at a red team is to consider it the devil's advocate. The vision is to ensure alternative views are considered and that stakeholders are held accountable. The program is there to provide reality checks at times of forming a consensus. This is done by demonstrating not just the theoretical but the real-world impact of exploiting weaknesses and informing the organization's risk management process and leadership.

In many ways, an offensive program fulfills a security testing function within the organization, a sometimes rare but much-needed function in the modern world of software engineering, full-stack development, and DevOps.

To run an effective internal offensive security program, a simple yet inspiring mission to help communicate the purpose and motivate the team is important. The mission should be about what is being done, there is no reason to dive into how something will be achieved. A mission along the lines of emulating adversarial behavior and finding and exploiting vulnerabilities for defensive purposes is a good starting point.

Highlighting the defensive aspect is important because the goal of a mature red team should be to improve the security posture of the organization and drive cultural change. The red team's main purpose is to help the organization to understand weaknesses, highlight them, and help them to improve and measure those improvements over time. Finding and exploiting an issue by itself does not automatically lead to change. This is the first big pitfall of an offensive program that struggles to help the organization improve. To achieve cultural change and improve the security posture of an organization, a red team needs some form of measurement and a way to communicate KPIs to the organization and management so that informed investments can be made. We will discuss a set of ideas about how to achieve this in Chapter 3, Measuring an Offensive Security Program.

As stated, an important aspect of an offensive security team is to drive cultural change, so including a mission goal related to improving the security posture and the security culture of the organization is also a good idea.

Here are a few points on what your mission might contain:

• Devil's advocate
• Emulate adversaries for defensive purposes
• Measure, communicate, and improve the security of the organization
• Increase the security IQ of the organization
• Break the norm and challenge the effectiveness of the organization
• Provide alternative analyses and "think evil"
• Challenge everything!

A good tactic that can resonate with leadership and management is to reflect your organization's core values in the mission statement as well.