Legal Implications of PhySec Red Teaming: An Introduction
Committing Condoned Crimes: Avoiding legal liabilities while Red Teaming
Definitions
End User: The target of the red team assessment and recipient of the red team report. For a consultant, this is your client. For an in-house red team, this is your security team.
Overview
A red team emulates (copies) criminals, spies, and competitors who target your organization by committing crimes of fraud, breaking & entering, burglary, theft, cyber and computer crimes, counterfeiting, impersonation, destruction of property, forgery, theft of trade secrets, and more. So, what is the difference between these bad actors and a red team?
Authorization
A red team is authorized, by individuals who are in positions to provide authorization, to conduct tests of security. You cannot commit theft if you are authorized to take documents, and you cannot break and enter into a building that you have authorization to access. It is very possible to de-risk red teaming by paying attention to details, developing a safety and risk management plan, and ensuring all red teamers follow the scope and guiderails of the assessment.
First, let’s define the types of legal liabilities and involved parties.
There are three primary risk categories for red teamers to review:
Risk of Crime: The risk of committing a crime
Risk of Lawsuit: The risk of being sued
Regulatory Risk: The risk or violating regulatory requirements, or causing an incident that provokes regulatory action
There are multiple parties that may be affected by your actions. These include:
Law Enforcement: May arrest you for committing a crime, or if they perceive that you committed a crime.
Prosecutors: May chose to prosecute you (or not) for criminal activity based on authorization, motives, and actions.
Company Employees: May be victims of social engineering or theft of property.
Co-Tenant Employees: May be victims of social engineering or witnesses to breaking and entering attempts.
Vendors: May be victims of impersonation or social engineering.
Vendor Employees: May be victims of impersonation or social engineering.
The Public: May be witnesses of stressful situations, victims of impersonation or social engineering.
The Company: May be victim of a multitude of crimes if authorization is not addressed properly.
The Landlord: May be a victim of social engineering, impersonation, or property damage if the right precautions are not taken.
Equipment Owners: If you are targeting leased equipment, you must understand the lease language to know whether the owner or lessee can provide authorization for certain types of attacks.
Hiring Team: If a red team practices outside of its authorized scope, the hiring party may seek legal recourse for the actions taken.
De-risking your red team takes effort, expertise, and ethics.
We will dive into nuance and complexity in this article (and its part deux), but ultimately if you act ethically - with the best interest of your client, the law, and the public in mind - all other details will fall in line behind it. This stands in stark contrast to what we in the industry call “Cowboy Shit”, which involves red team operators going off the rails and outside the scope for ego, excitement, or adrenaline:
Ego: Doing something to stoke your ego, show off, or prove a personal point - instead of serving the client and their organization.
Excitement: Prioritizing exciting attacks, instead of realistic, probable, and accurate ones is selfish and can risk the outcome of your red team while trying to make one of the most interesting jobs in the world slightly more exciting.
Adrenaline: Red teaming creates adrenaline through detection apprehension, duper’s delight, or by other means. Thinking straight and sticking to the scope while in the midst of an adrenaline rush can be difficult but is necessary to ensure the end user gets the best results from your assessment.
Effectively de-risking the red team operation preemptively accounts and prepares for major risks, defines what is and is not within scope of the assessments, and creates the necessary guardrails around the operation that enable the red teamers to have fun while pursuing the mission… without the operation’s lead sprouting grey hairs due to the team seeking additional adrenaline - at the expense of the team cohesion and business mission. Stay tuned for an entire article on de-risking next week!