Those of us who conduct offensive security campaigns use all the tactics of cyberwarfare. We prepare, gather information, engage the enemy, attack and capture objectives, and celebrate victory. While there are technical specifications about best practices in offensive security methods, our industry is lacking in ethical guidance. Most available literature and discussion focus, at best, on the legal issues and rarely or never discuss the role of ethics in our profession.
We need to discuss the effects of red team tactics on internal company morale. What does it mean to lie, cheat, and steal when testing a company’s defenses, and is it smart to permit employees of a company to deceive others? Are there ways to avoid detrimental effects on the perceived integrity of the security professional? We will describe the conduct of an ethical red team engagement, and the parts best reserved for external and third-party engagements.