In this follow-up interview (which will be broken into a few parts), we talk through a red team engagement from start to finish. Today we cover questions like:
Who should have a red team exercise conducted? Who NEEDS one?
How do you choose an objective that makes sense?
What do you do about push-back from management and/or scope manipulation? (“Don’t phish our CEO! She’ll click stuff! Attack our servers, just not the production environment!!!”). Spoiler alert: your clients need to have intestinal fortitude!
What’s better - a “zero knowledge” red team engagement or a collaborative exercise between testers and their clients?
How do you attack a high-security bunker?!
How do you conduct a red team exercise without ending up in jail? What does your “get out of jail” card get you - and NOT get you?