Your team must have a leader who can drive the program and technical staff who will perform the day-to-day activities. As you build a red team, keep in mind some key characteristics that make for a group that works together effectively.
Key personnel with leadership and vision can drive a red teaming program to success. Your team leaders should have not only the technical expertise but also the business sense to identify and pursue opportunities in the organization. This will help them communicate strategic goals to their team and outline business risks to senior organization leadership. They’ll also shape the mission of the team and steer the program as it matures.
The team leader must be able to help senior executives quantify the assets that need to be protected and identify the threats they must be protected against. That critical information will inform the types of attack scenarios that your team carries out.
Red team practitioners require a certain mindset, which can be best described as “thinking maliciously.” A red teamer is someone who can look at corporate policy, procedure, and technology and find ways to bypass the controls put in place.
The technical side of an engagement can be very demanding, so team personnel must be comfortable with penetration testing tools and with the exploitation and persistence techniques used once inside the network.
Frequently, red team engagements allow for social engineering, or exploiting human weaknesses around trust through various channels, such as phone, email, and in-person contact. Team personnel should be comfortable exploiting trust relationships and abusing societal norms to conduct social engineering campaigns.
Once you build a red team with these core members in place, they’ll be able to perform impactful assessments and generate insightful results about the overall effectiveness of your security program. These assessments will shine a light on your organization’s weak spots when faced with real-world attacks. And when you understand your weak spots, you can put controls in place or modify policy to prevent outside threats from carrying out those attacks successfully.