Let's Talk Some Assumptions
- This model mostly applies to internal Red Teams. Consultancies will have some different considerations that aren't addressed here, or things they don't need to worry about that are found in the model.
- This model presumes you have a Red Team that is staffed with operators - meaning more than simply a general Offensive Security program or a manager who coordinates 3rd-party assessments
- Except for subjects where lower levels are negative elements (e.g., "The Red Team is not..."), you cannot skip levels without meeting the prior level. This may mean your team is doing Level 5 things, but if they don't qualify for Level 4 they cannot claim credit for Level 5 yet.
- Unlike other CMMs, some elements in this CMM follow a sliding scale of maturity rather than an additive scale, meaning the higher level replaces the lower level's behaviors rather than adding additional capability on top of the prior level
Level Descriptors
- Level 1 - Occasional, Not Consistent, Not Planned, Disorganized, One-Size-Fits-All, Basic Technical Capability, No OPSEC Considerations
- Level 2 - Intuitive, Not Documented, Occurs Only When Necessary, Inconsistent Manual Processes, Somewhat Effective Capability, Limited OPSEC Considerations
- Level 3 - Documented, Predictable, Evaluated Occasionally, Understood, Custom Technical Solutions, Documented Manual Processes, Primary-Use Effectiveness, Best-Practice OPSEC Considerations
- Level 4 - Well-Managed, Formal, Often Automated, Evaluated Frequently, Majority-Effective Capability
- Level 5 - Continuous and Effective, Integrated, Proactive, Usually Automated, Easily Customized, Fully Effective Capability, Advanced OPSEC Considerations
General Definitions Descriptors
- Organization - The organization in question will differ based on the company, but refers to entities outside of the Red Team.
- Operations - Refers to hands-on-keyboard activities, excluding other Red Team lines of effort like Predictive (Adversarial) Analysis [defined below]
- Predictive (Adversarial) Analysis - Refers to Red Team support that provides an offensive perspective to other disciplines, usually without hands-on testing
And Now, Some Definitions
The Model
You can also find this model in Excel (if you trust me) and CSV format on my GitHub, where you can also submit ideas for future revisions.
Processes
Continuous Improvement
Level 1
The Red Team operates as individuals and might take notes to facilitate improvement
Level 2
The Red Team is goal-driven and reflects on their progress by holding retrospectives only after major operations; the Red Team has a general understanding of team gaps and informal plans to address them
Level 3
The Red Team holds regular retrospectives on an identified cadence which are inclusive of activities beyond operations; the Red Team has a defined roadmap to address improvement and operational targets
Level 4
Metrics are in place to track improvement and progress toward roadmap objectives; improvement items are sometimes achieved, and work items are created based on findings and objectives
Level 5
The Red Team regularly discusses opportunities and uniformly decides to stay the course or pivot; retrospectives consistently deliver process/operational improvements; the Red Team roadmap is considered during organizational planning
Knowledgebase
Level 1
The Red Team holds working sessions to share knowledge as needs arise
Level 2
The Red Team has temporary or unorganized notes in various locations or mediums
Level 3
The Red Team has a common, secured knowledge base that is irregularly updated
Level 4
The Red Team has a common, secured knowledge base that has undergone review and addresses most frequent needs
Level 5
The Red Team has a common, secured knowledge base that undergoes regular review for utility and is routinely updated as part of any actions the Red Team takes
Work Management
Level 1
The Red Team operates on different objectives at will
Level 2
The Red Team understands operational and improvement objectives but there is no mechanism for accountability and tracking if it is not done in the near term
Level 3
The Red Team has a roadmap of current and future work in a distributed tool; leadership is responsible for accountability
Level 4
The Red Team manages work with a platform specifically designed for work management; the team has understood measures for work items; and the Red Team is accountable within itself on achieving objectives without leadership oversight
Level 5
Red Team members have a strong understanding of other activity occurring within the Red Team to lend support or surge in key areas; the work management platform is successfully utilized to allow self-direction from a commonly understood backlog
Operational Planning and Selection
Level 1
Operation objectives are selected by individual interest or urgent need; planning may not include input from the whole team; operations are planned within a few weeks of commencement
Level 2
Operations target major services, infrastructure, or offerings of the organization
Level 3
Operations leverage Cyber Threat Intelligence to derive objectives and are planned at least one quarter in advance; the Red Team has a defined intake process for suggestions and operational needs
Level 4
Operations draw from Cyber Threat Intelligence, responders, hunters, and engineering/architecture teams' concerns; operations are planned for 2+ quarters
Level 5
Operations are based on objective criteria that consider business needs, threat intelligence, criticality, and/or other organizationally defined measures; unscheduled operations can be added ad hoc to address urgent issues without impacting other deliverables
Operational Approvals
Level 1
Red Team operations are approved only by the first-line Red Team leader without executive leadership knowledge; OR higher level leadership (VP, CISO, etc. - organization dependent) is involved in approval for most Red Team operational aspects
Level 2
Operations are socialized with the leadership directly above the Red Team; OR Red Team approvals require individual, executive approval for operations
Level 3
The Red Team can conduct some operations, like Purple Teams, with standing executive leadership approval
Level 4
Red Team approvals are limited to the minimum number of parties required for coverage
Level 5
The Red Team has standard rules of engagement that are fully understood by executive leadership and legal, enabling continuous operations without individual approval requirements
Operational Documentation
Level 1
The Red Team has a rough set of personal notes related to operational activities
Level 2
The only detailed logs for documentation are from automated tools, like automated logging from a C2 platform
Level 3
Red Team actions are documented/logged in detail manually or with exports from tools
Level 4
Red Team actions are documented/logged in a central location with some automation
Level 5
Red Team actions are documented/logged in a central location and automated reporting of IOCs and behavior is available
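The Level 5 behavior above (central logging with automated IOC and behavior reporting) is easiest to picture with a concrete script. The following is an added example and not code from the original post: it parses a constructed JSON-lines action log, rolls it up into the indicators and ATT&CK technique counts responders need, and answers a deconfliction query ("did the Red Team touch this host around this time?"). The log schema, hostnames, domain and hashes are placeholders invented for the example, not the format of any particular C2 platform.

```python
"""Build an IOC and behaviour summary from a central Red Team action log.

Added example; the log format is constructed for illustration (one JSON object
per line), not the schema of any particular C2 platform.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample entries. Hostnames, the domain and the hashes are placeholders.
SAMPLE_LOG = """
{"timestamp": "2024-03-04T09:15:00Z", "operator": "op1", "src_host": "rt-c2-01", "dst_host": "WS-1042", "action": "initial access via phishing payload", "technique": "T1566.001", "artifacts": {"domain": "update-portal.example.net", "sha256": "0000000000000000000000000000000000000000000000000000000000000001"}}
{"timestamp": "2024-03-04T09:22:10Z", "operator": "op1", "src_host": "WS-1042", "dst_host": "WS-1042", "action": "enumerate local accounts", "technique": "T1087.001", "artifacts": {}}
{"timestamp": "2024-03-04T11:03:45Z", "operator": "op2", "src_host": "WS-1042", "dst_host": "FS-07", "action": "lateral movement over SMB", "technique": "T1021.002", "artifacts": {"account": "svc-placeholder"}}
{"timestamp": "2024-03-05T14:40:00Z", "operator": "op2", "src_host": "FS-07", "dst_host": "FS-07", "action": "staged archive for exfiltration test", "technique": "T1074.001", "artifacts": {"sha256": "0000000000000000000000000000000000000000000000000000000000000002"}}
""".strip()


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Parse JSON-lines log text into events sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["timestamp"] = parse_ts(event["timestamp"])
        event.setdefault("artifacts", {})
        events.append(event)
    return sorted(events, key=lambda e: e["timestamp"])


def build_ioc_report(events):
    """Collect what responders need to deconflict and tune detections:
    hosts touched, domains, file hashes, accounts used and technique counts."""
    report = {
        "hosts": set(), "domains": set(), "hashes": set(), "accounts": set(),
        "techniques": Counter(), "first_seen": None, "last_seen": None,
    }
    for event in events:
        report["hosts"].update({event["src_host"], event["dst_host"]})
        artifacts = event["artifacts"]
        if "domain" in artifacts:
            report["domains"].add(artifacts["domain"])
        if "sha256" in artifacts:
            report["hashes"].add(artifacts["sha256"])
        if "account" in artifacts:
            report["accounts"].add(artifacts["account"])
        report["techniques"][event["technique"]] += 1
    if events:
        report["first_seen"] = events[0]["timestamp"]
        report["last_seen"] = events[-1]["timestamp"]
    return report


def red_team_activity(events, host, when, window=timedelta(hours=2)):
    """Deconfliction query: events that touched `host` within +/- `window` of `when`.
    A responder investigating an alert can call this to check for Red Team overlap."""
    return [
        e for e in events
        if host in (e["src_host"], e["dst_host"]) and abs(e["timestamp"] - when) <= window
    ]


def render_report(report):
    """Render the report as plain text suitable for a findings handoff."""
    lines = [f"Activity window: {report['first_seen']} to {report['last_seen']}"]
    for key in ("hosts", "domains", "hashes", "accounts"):
        lines.append(f"{key}: {', '.join(sorted(report[key])) or '-'}")
    lines.append("techniques: " + ", ".join(
        f"{tid} x{n}" for tid, n in sorted(report["techniques"].items())))
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(render_report(build_ioc_report(evts)))
    hit = red_team_activity(evts, "FS-07", parse_ts("2024-03-04T12:00:00Z"))
    print(f"Red Team events on FS-07 near 12:00Z on 2024-03-04: {len(hit)}")
```

In practice the log would be exported from the C2 platform and operator notes rather than embedded as a string, and the rendered report would be what the Level 5 "automated reporting of IOCs and behavior" hands to responders after (or during) an operation.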
Operation Reporting
Level 1
The Red Team does not share operation details beyond the responsible risk owner; findings are possibly informally shared with defensive teams
Level 2
The Red Team distributes findings to a static list of identified individuals
Level 3
The Red Team has a reporting structure that includes a core list of stakeholders in a known template; products are semi-formal and not internally reviewed
Level 4
The Red Team identifies additional stakeholders based on operational parameters; products are reviewed for quality
Level 5
The Red Team has a regular reporting schedule for core and ad hoc stakeholders
Findings Management
Level 1
The Red Team is responsible for tracking and closing all findings; there is no formal handoff process
Level 2
Informal handoff to remediation teams; criticality does not align to organizational definitions
Level 3
Documented handoff process to a defined risk management team (e.g., GRC) who tracks the findings to closure; Red Team provides advisory support; risk ratings align to industry best practices
Level 4
The Red Team supports ad hoc retesting (where retesting is feasible) of remediated issues; automated dashboards allow the Red Team to track finding and remediation metrics; Red Team findings align to organizational risk definitions and GRC frameworks
Level 5
The Red Team includes time for retesting (where retesting is feasible) as part of operation planning
Configuration Management
Level 1
The Red Team uses an inconsistent location for source code, infrastructure configurations, documentation, or tools
Level 2
The Red Team leverages a shared location, without version control, to house source code, infrastructure configurations, documentation, or tools
Level 3
The Red Team uses an industry-standard code repository for source code and infrastructure configuration files, and these items are versioned
Level 4
The Red Team uses merge and pull requests, or similar, prior to changing known-good versions
Level 5
The Red Team leverages automated CI/CD actions to expedite delivery and maintain quality of products
Resource Management
Level 1
Resources like licenses, accounts, or domains are only tracked upon reminder of expiration or renewal needs; ownership is dispersed across multiple people
Level 2
One person tracks resources; this knowledge is not available to the entire Red Team
Level 3
Resources are centrally tracked, understood, and reviewed as needed by the Red Team; Red Team account passwords are secured
Level 4
Recurring expenses or other resources are reviewed quarterly for need or expiration
Level 5
Tracking methods provide alerts or other easily identifiable information to indicate actions needed in the next thirty days
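To make the Level 5 behavior concrete, here is an added example (not code from the original post) that reads a resource register and produces the thirty-day alerts described above. The CSV columns, the resource names and the dates are constructed for the example; a real register would come from whatever tracking system the team uses.

```python
"""Expiration alerting over a Red Team resource register.

Added example; the register columns and sample rows are constructed, not taken
from any real tracking system.
"""
import csv
import io
from datetime import date

# Constructed register: one row per tracked resource with an ISO date of expiry.
SAMPLE_REGISTER = """\
type,name,owner,expires
domain,example-redirector.example.net,op1,2024-06-20
license,commercial-c2-seat-3,op2,2024-05-28
certificate,redirector-tls-placeholder,op1,2024-07-01
cloud_account,lab-subscription-placeholder,lead,2024-09-01
"""

ALERT_DAYS = 30  # Level 5 behaviour: surface actions needed in the next thirty days


def parse_date(value):
    return date.fromisoformat(value)


def load_register(csv_text):
    """Parse the CSV register into dicts with a real date in 'expires'."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["expires"] = parse_date(row["expires"])
        rows.append(row)
    return rows


def classify(resource, as_of, alert_days=ALERT_DAYS):
    """Return ('EXPIRED' | 'DUE' | 'OK', days_left) relative to `as_of`."""
    days_left = (resource["expires"] - as_of).days
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= alert_days:
        return "DUE", days_left
    return "OK", days_left


def actions_needed(register, as_of, alert_days=ALERT_DAYS):
    """Resources needing attention, most urgent first, as (status, days_left, row)."""
    flagged = []
    for row in register:
        status, days_left = classify(row, as_of, alert_days)
        if status != "OK":
            flagged.append((status, days_left, row))
    return sorted(flagged, key=lambda item: item[1])


def alert_lines(register, as_of, alert_days=ALERT_DAYS):
    """Human-readable alert lines, e.g. for a chat webhook or a daily digest."""
    lines = []
    for status, days_left, row in actions_needed(register, as_of, alert_days):
        when = f"{-days_left} days ago" if days_left < 0 else f"in {days_left} days"
        lines.append(
            f"[{status}] {row['type']} {row['name']} (owner: {row['owner']}) expires {when}"
        )
    return lines


if __name__ == "__main__":
    for line in alert_lines(load_register(SAMPLE_REGISTER), date.today()):
        print(line)
```

Already-expired items are reported separately from those coming due, since a lapsed domain or certificate on operational infrastructure is an OPSEC problem rather than a budgeting reminder; scheduling this to run daily and posting the lines to the team's chat channel is the kind of "easily identifiable information" the Level 5 descriptor asks for.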
Technology
Tooling
Level 1
The Red Team primarily uses off-the-shelf tooling and/or basic custom scripts; not all operational needs are met by tooling
Level 2
The Red Team has modified, or can modify, tooling; C2 frameworks are current and capable of meeting operational needs
Level 3
The Red Team's tools accomplish primary operational use cases
Level 4
Custom or other tools accomplish the majority of operational needs; tools support automation or scaled execution of routine tasks
Level 5
Custom or other tools accomplish all operational requirements and the Red Team uses a custom C2 framework when operationally relevant
Infrastructure
Level 1
The Red Team uses on-network, corporate workstations to conduct operations; infrastructure does not account for OPSEC
Level 2
The Red Team uses a single set of externally accessed, static infrastructure for operations; infrastructure is manually set up per operation with inconsistent configuration; infrastructure accounts for minimal OPSEC considerations
Level 3
The Red Team's infrastructure deployment is well documented to expedite manual configuration; infrastructure configuration accounts for best practice OPSEC concerns
Level 4
The Red Team leverages automated deployments for infrastructure; Red Team infrastructure security is self-assessed
Level 5
The Red Team's infrastructure is easily customized; infrastructure configuration accounts for advanced OPSEC concerns and undergoes a third-party assessment (another team, whether internal or external to the organization); the Red Team uses operational variety in C2 channels
Test Environment
Level 1
The Red Team uses disparate configurations in a test environment, such as different VM configurations or dates for AV signatures
Level 2
The Red Team has a consistent, but minimally customized, test environment
Level 3
The Red Team's test environment is representative of the target organization's endpoint security tools (e.g. EDR, Domain Policies)
Level 4
The Red Team's test environment matches the target organization's larger security stack, like configurations or other services, and deployment is automated if managed within the team
Level 5
The organization maintains a separate test environment for collaborative operations that can be reconfigured to test different elements of the technology stack without affecting production
People
Relationships with Responders (SOC, IR, Physical)
Level 1
Inconsistent and occasional interaction without identified points of contact, such as after operation activity is detected
Level 2
Unscheduled interactions but with identified points of contact; subsets of the teams converse and share knowledge (e.g., manager to manager or individual contributor to individual contributor); there's a general understanding of deconfliction processes
Level 3
Responders are identified and leveraged as stakeholders for the Red Team, and the Red Team has a documented deconfliction process; response teams and the Red Team meet on a recurring, scheduled basis to discuss operational needs or other relevant topics, like metrics or collaborative goals
Level 4
The teams have scheduled interactions to share knowledge and build camaraderie; deconfliction efforts are well managed with regard to points of contact, communication mediums, and roles and responsibilities
Level 5
Red Team understands and leverages response teams' concerns when planning operations; strong individual relationships facilitate frequent and unscheduled knowledge sharing and improvement
Relationships with Engineering Teams (Enterprise/endpoint/server architecture and engineering, detection engineering, etc.)
Level 1
Inconsistent and occasional interaction without identified points of contact, such as intermittent SME-based questions
Level 2
Unscheduled interactions but with identified points of contact; subsets of the teams converse and share knowledge (e.g., manager to manager or individual contributor to individual contributor)
Level 3
SMEs are identified on the most relevant engineering teams to aid in operations; engineering teams receive appropriate Red Team reporting for their respective areas
Level 4
Engineering teams and Red Team meet on a recurring, scheduled basis to discuss pending changes to the environment; the teams have scheduled interactions to share knowledge and build camaraderie
Level 5
Red Team operations impact engineering and architecture decisions during planning or before implementation is complete; strong individual relationships facilitate frequent and unscheduled knowledge sharing and improvement
Relationship with Cyber Threat Intelligence
Level 1
Inconsistent and occasional interaction without identified points of contact, such as recent news articles related to breaches at other organizations
Level 2
Unscheduled interactions but with identified points of contact; subsets of the teams converse and share knowledge (e.g., manager to manager or individual contributor to individual contributor)
Level 3
The Red Team has defined, standing requirements with the CTI team related to emerging TTPs and current threats to the organization
Level 4
Red Team and Cyber Threat Intelligence share information on a recurring, scheduled basis, and this information informs Red Team operations or procedures
Level 5
The teams collaboratively create adversary emulation operation plans and objectives to accurately emulate selected threat actors; strong individual relationships facilitate frequent and unscheduled knowledge sharing and improvement
Relationship with Legal
Level 1
Inconsistent and occasional interaction, such as asking targeted questions about a particular situation
Level 2
Legal is advised, and provides counsel, on operational rules of engagement during planning
Level 3
Red Team seeks recurring training from Legal on privilege or other legal matters related to Red Team operations
Level 4
The Red Team proactively incorporates prior Legal counsel or input into its rules of engagement or future operational practices
Level 5
The Legal team is considered a strong partner for operations and can be sought to provide ad hoc legal advice during ongoing operations
Relationship with Governance, Risk, and Compliance (GRC)
Level 1
The Red Team engages with system owners rather than GRC for findings discussions
Level 2
The Red Team is a normal user of GRC processes rather than a preferred stakeholder
Level 3
Red Team and GRC agree on shared risk taxonomy and rating criteria; GRC helps align findings to business impact
Level 4
Red Team contributes to risk assessment methodologies and participates in risk committees
Level 5
GRC and Red Team routinely discuss organizational risks and use these discussions to drive operations and organizational risk strategy
Relationship with Human Resources (HR)
Level 1
The Red Team doesn't consistently engage HR on matters the team believes may have HR implications
Level 2
HR partners are advised, and provide counsel, on operational rules of engagement during planning
Level 3
Operational situations that have HR implications requiring consultation are clearly identified and documented
Level 4
HR is included in operational after-action reports and treated as an operational stakeholder if consulted during operations
Level 5
Identified points of contact on the HR team are considered strong partners for operations and can be sought to provide ad hoc advice during ongoing operations
Relationships with Leadership (Security, IT, Engineering, Corporate)
Level 1
Inconsistent and occasional interaction, such as leadership not attending readouts consistently
Level 2
Segment and security leadership receive operational readouts scheduled by the Red Team; Red Team mission not fully understood
Level 3
Segment and security leadership receive operational readouts, scheduled in advance; Red Team mission understood; leadership reactively engages the Red Team for support based on existing interactions
Level 4
The Red Team has recurring, scheduled time with security and organizational leadership for topics outside of operation findings; leadership supports organization-wide efforts to enhance the value of testing; the Red Team seeks out and understands leadership's concerns to formulate operations
Level 5
The Red Team has consistently demonstrated value and impact resulting in leadership at segment or security levels actively engaging Red Team to influence organization decisions
Knowledge of Business and Technical Environment
Level 1
The Red Team knows which defensive tools are in place
Level 2
The Red Team has tribal knowledge gained over time of defensive tools, software, services, and business processes
Level 3
The Red Team has documented registers of software, services, and key personnel in the organization
Level 4
The Red Team receives notice of changes to in-scope assets or technology as changes are made
Level 5
The Red Team is included in meetings discussing major technology changes that affect the organization's security posture, such as changing EDR vendors or acquiring subsidiaries whose networks will be merged
Operational Capability
Level 1
Operations are a mix of third party and internal efforts due to operational knowledge deficiencies
Level 2
Red Team tactics are applied without prioritizing Red Team OPSEC; internal capabilities are limited to common TTPs
Level 3
The Red Team modifies common TTPs to address operation needs; the Red Team collectively has deep knowledge of common software / services / technologies, such as Active Directory or a CSP in use; the Red Team has identified specializations aligned to operation phases or needs
Level 4
Red Team operations often result in noteworthy findings based on operation objectives; the Red Team is well versed / highly skilled in defense evasion tactics; Red Team has expertise in less common technologies present in the environment; Red Team specialists are considered SMEs in their operational focuses
Level 5
The Red Team has resiliency to achieve operational goals despite setbacks; the Red Team can vary tradecraft and technology to match operational or Cyber Threat Intelligence requirements; the Red Team has the staffing, support, and resources necessary to continuously respond to offensive testing needs
Development Capability
Level 1
The Red Team employs basic scripting knowledge
Level 2
The Red Team creates some custom solutions beyond basic scripts with no formal development processes, such as source control or code style guides
Level 3
The Red Team develops new implementations of common TTPs to avoid signature detection; code adheres to basic tenets of development, source is controlled
Level 4
The Red Team creates custom solutions to address operation needs, such as stage 0s or implants; source code undergoes some automated checks for style or errors; code undergoes unit and functional testing
Level 5
The Red Team develops advanced tooling, including custom C2 frameworks, to address operational needs; the team has an automated CI (and CD, if needed) pipeline; the team has dedicated developers
Training + Skill Development
Level 1
Training or development opportunities are infrequently sought on a team or individual level; time for training or development is not consistently available
Level 2
Time is provided to fill immediate knowledge gaps or maintain existing certifications; the team has de facto team roles; seniority levels are generally understood
Level 3
General Red Team needs are identified at most semi-annually; funding and time set aside for selected courses or research opportunities; team roles and seniority levels are well defined
Level 4
Training and development plans are based on individual needs drawn from skills assessments (individual or team); team knowledge gaps are addressed periodically
Level 5
Team members are encouraged and supported in identifying individual research opportunities to improve themselves and the team; internal Red Team training available for new or junior Red Team members
Program
Red Team Product Lines
Level 1
The Red Team is not fully distinguished from other offensive testing
Level 2
The Red Team conducts a consistent mix of overt and covert operations to address different needs
Level 3
In addition to operations, the Red Team provides predictive (adversarial) analysis to architecture reviews, tabletop exercises, or other defensive needs
Level 4
Prior Red Team operations or TTPs can be run on-demand by defensive teams
Level 5
The Red Team is responsive to business needs in developing unique and/or advanced service offerings
Strategy
Level 1
The Red Team understands immediate needs but not enough to drive long-term planning; operational planning is done within the current month; key relationships are not understood
Level 2
The Red Team has an established vision, mission, and/or charter and has taken steps to identify needs for the next operation in advance; the Red Team has points of contact for key stakeholders
Level 3
The Red Team has a documented roadmap extending at least two quarters that identifies, and plans to address, deficiencies related to technology, people, or processes; this roadmap is well understood by stakeholders and is aligned to business objectives
Level 4
The Red Team has short and long term objectives and tracks progress via identified and socialized metrics
Level 5
Red Team strategy influences greater organization decisions and objectives and overall security posture
Metrics
Level 1
The Red Team only anecdotally tracks basic information on operations, such as overall duration or number executed
Level 2
The Red Team tracks basic facts about work items, such as number of findings from operations
Level 3
The Red Team has defined KPIs/KRIs that are evaluated quarterly; KPIs/KRIs are reported internally
Level 4
KPIs/KRIs tracked at the organization level; Red Team metrics and objectives relate to and inform blue team metrics
Level 5
Data sources tracking metrics are fed into an automated business intelligence platform
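The Metrics levels above, and the Findings Management Level 4 descriptor earlier (automated dashboards tracking finding and remediation metrics), both come down to computing a handful of numbers from a findings register. The following is an added example, not code from the original post: it derives open counts by severity, time to remediate, SLA breaches and detection KPIs from a constructed findings list. The record fields, the SLA thresholds and the sample findings are assumptions for illustration and not any organization's actual risk definitions; in a Level 5 program the same function would be fed from the GRC system into a BI platform rather than from an inline list.

```python
"""Findings and detection KPIs computed from a constructed findings register.

Added example. The record fields, the SLA thresholds and the sample findings are
assumptions for illustration, not any organization's actual risk definitions.
"""
from collections import Counter
from datetime import date
from statistics import mean, median

# Assumed remediation SLA in days per severity (organization-defined in practice).
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed findings: opened/closed are ISO dates (closed is None while open);
# 'detected' records whether responders caught the activity, with hours to detection.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": "2024-01-10", "closed": "2024-02-05", "detected": True, "ttd_hours": 4},
    {"id": "F-2", "severity": "high", "opened": "2024-01-12", "closed": "2024-03-20", "detected": False, "ttd_hours": None},
    {"id": "F-3", "severity": "high", "opened": "2024-02-01", "closed": None, "detected": True, "ttd_hours": 30},
    {"id": "F-4", "severity": "medium", "opened": "2024-02-15", "closed": "2024-02-25", "detected": False, "ttd_hours": None},
    {"id": "F-5", "severity": "critical", "opened": "2024-03-01", "closed": None, "detected": True, "ttd_hours": 1},
]


def parse_date(value):
    return date.fromisoformat(value)


def age_days(finding, as_of):
    """Days from opening to closure, or to `as_of` if the finding is still open."""
    end = parse_date(finding["closed"]) if finding["closed"] else as_of
    return (end - parse_date(finding["opened"])).days


def open_by_severity(findings):
    """Counter of still-open findings per severity (a typical dashboard tile)."""
    return Counter(f["severity"] for f in findings if f["closed"] is None)


def time_to_remediate(findings):
    """Mean and median days to close, over closed findings only."""
    days = [age_days(f, None) for f in findings if f["closed"]]
    if not days:
        return {"mean_days": None, "median_days": None, "closed": 0}
    return {"mean_days": mean(days), "median_days": median(days), "closed": len(days)}


def sla_breaches(findings, as_of):
    """IDs whose age (closure date, or `as_of` while open) exceeds their severity's SLA."""
    return [f["id"] for f in findings if age_days(f, as_of) > SLA_DAYS[f["severity"]]]


def detection_kpis(findings):
    """Detection rate and mean time to detect, the metrics that tie back to the blue team."""
    detected = [f for f in findings if f["detected"]]
    rate = len(detected) / len(findings) if findings else 0.0
    mttd = mean(f["ttd_hours"] for f in detected) if detected else None
    return {"detection_rate": rate, "mean_ttd_hours": mttd}


def kpi_summary(findings, as_of):
    """One dict of KPIs/KRIs suitable for a quarterly report or a BI feed."""
    return {
        "total": len(findings),
        "open_by_severity": dict(open_by_severity(findings)),
        "remediation": time_to_remediate(findings),
        "sla_breaches": sla_breaches(findings, as_of),
        **detection_kpis(findings),
    }


if __name__ == "__main__":
    for key, value in kpi_summary(SAMPLE_FINDINGS, parse_date("2024-04-01")).items():
        print(f"{key}: {value}")
```

Reporting SLA breaches for findings that are still open (measured against the report date) is what turns a static findings count into a KRI: it changes as time passes even when no new operations run, which is the behavior a quarterly review needs to see.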
Knowledge Sharing
Level 1
The Red Team shares operational knowledge within the Red Team and occasionally with blue team partners on high severity issues
Level 2
The Red Team occasionally shares operational knowledge with the broader organization (other segments or the greater security population) on a periodic basis
Level 3
The Red Team routinely shares operational knowledge at different levels of the organization; the Red Team contributes to operationally relevant open source projects
Level 4
The Red Team pursues and obtains public speaking engagements; the Red Team has continuous industry engagement
Level 5
The Red Team is recognized as an industry contributor and regularly features at security conferences and/or has publicly shared a tool / a TTP / knowledge that is widely adopted