A smart way I’ve seen CISOs structure their red teams when they also need to assess initial access vectors is to grant the team assumed-breach access to a system up front, so that a portion of the team can begin the path-finding portion of the engagement while another contingent works on the initial access component, rejoining the group when (and if) they complete that stage. I’ve seen more mature organizations break these engagements out into entirely separate projects, sometimes chaining them together to tell a story. One of my favorite examples of this was a financial organization that ran two initial access projects, phishing and external attack surface exploitation, concurrently for eight weeks. The results from those engagements, which included the users who detonated the phishing payload and the external systems on which the team had obtained code execution, became the beachheads from which the red team was granted its starting access.
Keep egos out
The debrief at the completion of a red team engagement can often be very tense. The red team has likely revealed serious failures along its attack path, and you have all of the responsible parties sitting around a table or on a call, hearing about them, often for the first time. Why didn’t your SOC detect the lateral movement? Why did your identity team turn MFA off for your enterprise admins? Why did your security engineering team fail to deploy your EDR onto every host in the environment? It becomes all too easy to start pointing fingers and assigning blame, leaving everyone upset, flustered, and embarrassed.
Remember, however, that a friendly team just found serious flaws before an adversary did, and you now have the opportunity to fix them. Focus on creating an environment of honesty, humility, and empathy. This isn’t to say that people won’t still feel negative emotions, but setting that tone from the outset will significantly improve the quality of the discussion.