Équipe Rouge: The Ethics of Prosecuting An Offensive Security Campaign

ShmooCon XV - 2019

Presented by: Roy Iversen, Tarah Wheeler
Date: Friday January 18, 2019
Time: 19:50 - 20:05
Location: Main Room
Track: FireTalks

Those of us who conduct offensive security campaigns use all the tactics of cyberwarfare. We prepare, gather information, engage the enemy, attack and capture objectives, and celebrate victory. While there are technical specifications about best practices in offensive security methods, our industry is lacking in ethical guidance. Most available literature and discussion at best focus on the legal issues and rarely or never discuss the role of ethics in our profession.

We need to discuss the effects of red team tactics on internal company morale. What does it mean to lie, cheat, and steal when engaging in testing a company’s defenses, and is it smart to permit employees of a company to deceive others? Are there ways to avoid detrimental effects to the perceived integrity of the security professional? We will describe the conduct of an ethical red team engagement, and the parts best reserved for external and third-party engagements.

Tarah Wheeler

Tarah Wheeler (@tarah) is an information security researcher, political scientist in the area of international conflict, author, and poker player. She is Senior Director, Data Trust & Threat and Vulnerability Management at Splunk, as well as Cybersecurity Policy Fellow at New America. She is a cybersecurity expert for the Washington Post and a Foreign Policy contributor on cyber warfare.

Roy Iversen

Roy Iversen is Director of Security Engineering & Operations at Fortalice Solutions where he leads a team of security engineers. Prior to joining Fortalice, Mr. Iversen served under the CISO as Director of Security Operations Division at the U.S. General Services Administration (GSA).

