Locks & Leaks

The Proposal: Will you Red Team Me?

What is a proposal and why write one? Learn how to proactively address detractors, gather buy-in, ensure safety, and get CYA approvals.

 

Perspective: This post is written from the perspective of in-house red teams; however, consultants can use this information to:

  • Enhance your business proposals.

  • Assist the team who hired you with selling the assessment to your leadership and peers.

What is a Red Team Proposal?

The Red Team Proposal (“proposal”) is a document that sets the foundations, context, goals, and safeguards for conducting an effective red team. It should be viewed by a select few leaders and security peers who are read-in to the operation, along with the entire team of operators and analysts who will be involved with the test. For those who have worked in the Project Management field, think of this as a Project Management Plan – heavily modified to meet the needs of a red team and the security organization. In fact, if the red team wants to take a more authoritative approach, the proposal may be called a “plan” if approvals of others are not required to proceed.

Pondering whether to Prepare a Proposal?

Proposals are important for red teams to:

  • Gain Buy In: Get leadership and peer buy-in as to the tactics, context, importance, planning, and safeguards in place for you to conduct this assessment.

  • Be on the Same Page: The entire team involved in the assessment should aid in preparing, or at least thoroughly read and sign off on, the red team proposal.

  • Cover Your A$$: If something were to go awry during the assessment, you have early documentation that showcases your planning and safeguards. If you send the document to leadership and peers, and especially if you get their approval to proceed, you have top cover of approvals and notifications outside of your team.

  • Legal Safeguards: If your legal team is involved in your review or approval process, they can review and provide feedback on the proposal. The proposal should include a specific section that identifies legal risks associated with the operation and the steps the team will take to address those risks. The legal team can be a great partner to help draft or review this section.

  • Get Approval: This is the best opportunity to get approval from leadership or legal teams: you have a professional document that includes the context, safeguards, and all relevant details for the assessment. You show leadership that this is thoroughly planned, well thought through, and will be expertly executed – increasing your likelihood for approval.

  • Showcase Professionalism: Having worked in and consulted across a wide array of security environments, I am confident that a well-prepared red team proposal will put you ahead of nearly all your peer security teams in terms of forethought, documentation, planning, risk management, and strategic thinking. This is an excellent opportunity to showcase your individual and team professionalism to your leadership.

What’s in a Proposal?

Each proposal should contain the following components:

  • Introduction: A paragraph description of who the red team is, what your goals are and, most importantly, how your team supports the wider goals of your security organization and the business.

  • Prioritization: Why conduct this assessment, against these assets, and why now?

  • Context: Further details about the origin of this proposal and any contributing factors – within the industry, intelligence relating to it, or the company.

  • Intelligence & Analysis: Operationalized, tactical analysis of intelligence surrounding the business, the assets, or the industry – from threat intelligence to geopolitical risk assessments to OSINT: intelligence makes the red team world go round.

    • If this assessment stems from a threat model or a Poison Circle, relevant pieces would be included in this section. (Hint: if it does not stem from one of the above, well, it should.)

  • Target (including floors and sites in and out of scope): This is particularly relevant for multi-tenant and shared spaces where other parties are not part of or subject to the red team.

  • Timeline (dates, reporting, etc.): Breaking down the phases of a red team – Planning, Intelligence-Gathering, Rehearsal, Execution, Reporting – helps properly allocate resources in a timely manner and set proper expectations with the in-the-know parties and leadership.

  • Expected Tools, Tactics, Procedures (TTPs): The intelligence section of the proposal will indicate the likely threat actor, and this section will detail how the red team intends to emulate their tactics. Often this section will outline both the tools and the ethics of the methods the team intends to test in the field.

  • List of Participating Red Team Members: In-field operators are required to carry a valid government-issued ID on them – ensure the name on the ID matches the name on the proposal (and the get-out-of-jail-free letter).

  • List of Individuals Read-In to the Operation: For the authenticity of the red team findings, this should be a very small group of higher-level leadership, and these stakeholders should be documented in writing.

  • Communication Plan: Who knows about the operation and how much? Who will be receiving live action updates, and who is invited to the post-op debrief? How is the communication conducted: between team leadership and operators, team leadership and peers, team leadership and their superiors? Are radios being used, or Signal? Who is responsible for sending STARTOP and STOPOP notifications? What happens if a situation in the field escalates? The detailed answers to these questions are contained within this section of the proposal.

  • Safety Plan (EHS, Armed Personnel, Law Enforcement, Legal, Privacy, Public Awareness [will the public notice?], Reputational, etc.): This one is pretty straightforward for those of us who have been in the field – things will go wrong, and no one likes a bad surprise. The key here is to brainstorm and prepare, make a plan, check your assumptions, and train the whole red team to said plan. Certain things might become leadership calls if the situation does not go as planned, but if, as a team, you prepare for the worst and account for Lessons Learned from previous assessments, the number of those calls will diminish significantly.

This may feel like a significant amount of work – and the first time it likely will be. However, each time will get easier: with time, it becomes significantly easier to update specific sections, and a typical proposal requires updating only 50% of the whole document. The immeasurable benefit of this upfront work is that completing the proposal process often results in a much more robust red team and more risks being proactively addressed.

In Summary

Only you can determine the best approach for your red team. If you want to set a new high bar for professionalism and safeguard the sanctity of the red team (jobs, reputation, and even lives) then preparing a proposal will serve you well.

Red Team Proposal Template