RED TEAM MATURITY

A standardized, community-informed Capability Maturity Model to measure, report on, and plan for internal Red Team maturity

Want to hear a short talk about this from BSides LV?

Let's Talk Some Assumptions

  • This model mostly applies to internal Red Teams. Consultancies will have some different considerations that aren't addressed here, or things they don't need to worry about that are found in the model.
  • This model presumes you have a Red Team that is staffed with operators - meaning more than simply a general Offensive Security program or a manager who coordinates 3rd-party assessments
  • Except for subjects where lower levels are negative elements (e.g., "The Red Team is not..."), you cannot skip levels without meeting the prior level. This may mean your team is doing Level 5 things, but if they don't qualify for Level 4 they cannot claim credit for Level 5 yet.
  • Unlike other CMMs, some elements in this CMM follow a sliding scale of maturity rather than an additive scale; meaning that the higher level replaces the lower level's behaviors rather than adding additional capability on top of the prior level

And Now, Some Definitions

Level Descriptors

  • Level 1 - Occasional, Not Consistent, Not Planned, Disorganized, One-Size-Fits-All, Basic Technical Capability, No OPSEC Considerations
  • Level 2 - Intuitive, Not Documented, Occurs Only When Necessary, Inconsistent Manual Processes, Somewhat Effective Capability, Limited OPSEC Considerations
  • Level 3 - Documented, Predictable, Evaluated Occasionally, Understood, Custom Technical Solutions, Documented Manual Processes, Primary-Use Effectiveness, Best-Practice OPSEC Considerations
  • Level 4 - Well-Managed, Formal, Often Automated, Evaluated Frequently, Majority-Effective Capability
  • Level 5 - Continuous and Effective, Integrated, Proactive, Usually Automated, Easily Customized, Fully Effective Capability, Advanced OPSEC Considerations

General Definitions

  • Organization - The organization in question will differ based on the company, but refers to entities outside of the Red Team.
  • Operations - Refers to hands-on-keyboard activities, excluding other Red Team lines of effort like Predictive (Adversarial) Analysis [defined below]
  • Predictive (Adversarial) Analysis - Refers to Red Team support that provides an offensive perspective to other disciplines, usually without hands-on testing

The Model

Very few things happen in a vacuum, and this model is no exception. We want to offer our thanks to our contributors who have helped refine this CMM into a community-owned product.

* This model can also be found in Excel (if you're trusting of me) and CSV format over on GitHub.

© Brent Harrell and Garet Stroup, 2022. The Red Team Capability Maturity Model is licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0