A standardized, community-informed Capability Maturity Model to measure, report on, and plan for internal Red Team maturity
Want to hear a short talk about this from BSides LV?
Let's Talk Some Assumptions
This model mostly applies to internal Red Teams. Consultancies will have some different considerations that aren't addressed here, or things they don't need to worry about that are found in the model.
This model presumes you have a Red Team that is staffed with operators, meaning more than simply a general Offensive Security program or a manager who coordinates 3rd-party assessments.
Except for subjects where lower levels are negative elements (e.g., "The Red Team is not..."), you cannot skip levels without meeting the prior level. This may mean your team is doing Level 5 things, but if they don't qualify for Level 4 they cannot claim credit for Level 5 yet.
Unlike other CMMs, some elements in this CMM follow a sliding scale of maturity rather than an additive scale, meaning the higher level replaces the lower level's behaviors rather than adding additional capability on top of the prior level.
And Now, Some Definitions
Level Descriptors
Level 1 - Occasional, Not Consistent, Not Planned, Disorganized, One-Size-Fits-All, Basic Technical Capability, No OPSEC Considerations
Level 2 - Intuitive, Not Documented, Occurs Only When Necessary, Inconsistent Manual Processes, Somewhat Effective Capability, Limited OPSEC Considerations
Level 5 - Continuous and Effective, Integrated, Proactive, Usually Automated, Easily Customized, Fully Effective Capability, Advanced OPSEC Considerations
General Definitions
Organization - The organization in question will differ based on the company, but refers to entities outside of the Red Team.
Operations - Refers to hands-on-keyboard activities, excluding other Red Team lines of effort like Predictive (Adversarial) Analysis [defined below].
Predictive (Adversarial) Analysis - Refers to Red Team support that provides an offensive perspective to other disciplines, usually without hands-on testing.
The Model
Very few things happen in a vacuum, and this model is no exception. We want to offer our thanks to our contributors who have helped refine this CMM into a community-owned product.
* This model can also be found in Excel (if you're trusting of me) and CSV format over on GitHub.