Those of us who conduct offensive security campaigns use all the tactics of cyberwarfare. We prepare, gather information, engage the enemy, attack and capture objectives, and celebrate victory. While there are technical specifications about best practices in offensive security methods, our industry is lacking in ethical guidance. Most available literature and discussion at best focus on the legal issues and rarely or never discuss the role of ethics in our profession.
We need to discuss the effects of red team tactics on internal company morale. What does it mean to lie, cheat, and steal when testing a company's defenses, and is it smart to permit employees of a company to deceive others? Are there ways to avoid detrimental effects on the perceived integrity of the security professional? We will describe the conduct of an ethical red team engagement, and the parts best reserved for external and third-party engagements.
Tarah Wheeler (@tarah) is an information security researcher, political scientist in the area of international conflict, author, and poker player. She is Senior Director, Data Trust & Threat and Vulnerability Management at Splunk, as well as Cybersecurity Policy Fellow at New America. She is a cybersecurity expert for the Washington Post and a Foreign Policy contributor on cyber warfare.
Roy Iversen is Director of Security Engineering & Operations at Fortalice Solutions where he leads a team of security engineers. Prior to joining Fortalice, Mr. Iversen served under the CISO as Director of Security Operations Division at the U.S. General Services Administration (GSA).