Sandia National Laboratories has been performing assessments using the IDART methodology since 1996 for a variety of stakeholders including government, military, and commercial industry. IDART is a rigorous, time-proven assessment process that draws on deep cyber expertise from across the Lab to perform adversary-based cybersecurity assessments. Our focus is risk-informed design assurance & vulnerability assessment for infrastructure, traditional cyber systems, and non-traditional cyber-physical systems.
The IDART methodology has been improved over time to help assess and understand risks presented by a spectrum of adversaries and our red team continues to perform assessments to help our stakeholders acquire an independent, objective view of their weaknesses from a range of adversaries’ perspectives. Sandia’s IDART is a NIST-recognized method in SP800-115 Technical Guide to Information Security Testing.
Red teaming has strong ties to both network vulnerability assessment and penetration testing. Many different groups perform red teaming and use differing terminology, techniques, and processes: commercial security firms, various military units and government agencies, and National Labs. Sandia National Laboratories’ IDART™ defines red teaming to be "authorized, adversary-based assessment for defensive purposes."
Adversary-based means that the activity is centered on what one or more adversaries would do if they were attacking the target. This means taking into account the adversaries’ knowledge, skills, commitment, resources, and culture.
Assessment means that one is making a judgement or comparison of the state of the target with respect to actions by the adversary.
Defensive purposes means helping the system owner make decisions about business, security, computer systems, and control systems in order to reduce the threat to their system.
Red team assessments can be performed throughout the system lifecycle, but often have the highest impact during the design and development phase where cooperative red team assessments cost less, and potential critical vulnerabilities can be uncovered and mitigated more easily. The IDART assessment methodology is a flexible tool that program managers and sponsors use to identify critical vulnerabilities, understand threat, deliver effective and secure components, systems, and plans, and consider alternative strategies and courses of action.
IDART utilizes a multi-disciplinary assessment team to improve the security of critical systems through systematic analysis from an adversary perspective. Sandia retains a wide range of security expertise in a variety of operational contexts that is integrated into IDART assessments to assist in the characterization and analysis of target systems. The IDART methodology, which includes a spectrum of viewpoints and adversary models, is applicable to components, devices, networks, infrastructures, and world-wide enterprises. The IDART Methodology is based on a cycle of data collection, characterization, and analysis supported by system engagements, often requiring more than one iteration to complete.
These focused assessments are performed in partnership with system stakeholders and include such tasks as:
- Identify nightmare consequences,
- Characterize target systems,
- Identify potential vulnerabilities whose exploitation will result in nightmare consequences, and
- Provide prioritized mitigation strategies so owners can make informed choices.
IDART’s red teaming methodology has been applied to a broad range of complex networks, systems, and applications utilizing a repeatable process with measurable and actionable results that can be used to make improvements and evaluate progress.
The IDART approach supports having the red team work cooperatively with system developers, owners, and operators through the entire process to allow for a more in-depth understanding of the system, to save time and resources, and to understand why the system is in its current state, which helps the red team put the identified risks in context. This approach allows the red team to find as many attack paths as possible and to prioritize attacks by difficulty and consequence.
The IDART methodology utilizes adversary models that include a spectrum of outsider and insider threats characterized both by measurable capabilities, such as knowledge, access, and resources, and by intangibles such as risk tolerance and motivation. These models are used to screen attack possibilities and to assist in threat-based prioritization of protection strategies. The principal advantage of these models is an adversary perspective that yields a view of information systems different from that of defenders and provides critical insights into the security of critical systems.
Sandia’s IDART has developed multiple methods to both train its own red teams and help sponsors achieve better results with red teaming.
Red Teaming for Program Managers (RT4PM™)
Red Teaming for Program Managers (RT4PM™) serves as an introduction to red teaming and is useful for both sponsors of red teaming and red team members themselves.
IDART Methodology Training
The IDART Methodology training provides an introduction to the structured IDART process within which red teams can systematically, repeatedly, and creatively perform assessments.
Understanding the capabilities adversaries possess is necessary for building systems capable of withstanding cyber or kinetic attacks. With the number of threats continuing to increase and evolve rapidly, it is no longer feasible to enumerate the capabilities of all known threats and then build defenses based on specific threats. To reduce the complexity of analyzing threat, the complexity of the threat space must first be reduced. This is achieved by taking the continuous nature of that threat space and creating an abstraction that allows the entire space to be grouped, based on measurable capabilities, into a small number of distinctly different levels.
Threat profiles can be built from relative descriptors of a range of threats for the two families of threat attributes: Commitment and Resources. The Commitment threat attributes include Intensity, Stealth, and Time. The Resources threat attributes include Number of Technical Personnel; Knowledge (cyber, kinetic, or specialized); and Access.
See our report “Categorizing Threat: Building and Using a Generic Threat Matrix” for more information.
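The following is an added illustration of how the two attribute families above can be turned into a small, executable threat matrix and used the way the page describes: to screen which adversary classes are credible for a given attack path and to rank attack paths for mitigation by consequence and by how many adversary classes can carry them out. It is example code written for this page, not Sandia's IDART tooling or the Generic Threat Matrix report's own levels; the three-step LOW/MEDIUM/HIGH scale, the profile names, the attack paths and their required capability levels are all constructed for demonstration.

```python
"""Toy generic threat matrix: profiles built from Commitment and Resources attributes.

Constructed example (not IDART's or the report's data). The six attributes follow the
page: Commitment = Intensity, Stealth, Time; Resources = Number of Technical Personnel,
Knowledge (cyber, kinetic, or specialized), Access.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Coarse, ordered descriptor applied to every attribute (assumed three-step scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


COMMITMENT = ("intensity", "stealth", "time")
RESOURCES = ("technical_personnel", "knowledge", "access")


@dataclass(frozen=True)
class ThreatProfile:
    name: str
    # Commitment family
    intensity: Level
    stealth: Level
    time: Level
    # Resources family
    technical_personnel: Level
    knowledge: Level
    access: Level

    def level(self, attribute: str) -> Level:
        return getattr(self, attribute)

    def can_execute(self, attack: "AttackPath") -> bool:
        """A profile is credible for an attack only if it meets every minimum the attack needs."""
        return all(self.level(attr) >= needed for attr, needed in attack.requires.items())


@dataclass(frozen=True)
class AttackPath:
    name: str
    consequence: int   # 1 = nuisance ... 3 = "nightmare consequence"
    requires: dict     # attribute name -> minimum Level needed to carry the attack out


def screen(attacks, profiles):
    """For each attack path, list the profiles capable of executing it (the screening step)."""
    return {atk.name: [p.name for p in profiles if p.can_execute(atk)] for atk in attacks}


def prioritize(attacks, profiles):
    """Rank attack paths for mitigation: worst consequence first, then the number of
    credible adversary classes, then name for a stable order. Paths no profile can
    execute are screened out entirely."""
    credible = screen(attacks, profiles)
    ranked = sorted(attacks, key=lambda a: (-a.consequence, -len(credible[a.name]), a.name))
    return [(a.name, a.consequence, credible[a.name]) for a in ranked if credible[a.name]]


# Constructed profiles; attribute order is intensity, stealth, time, personnel, knowledge, access.
PROFILES = [
    ThreatProfile("opportunistic outsider",
                  Level.LOW, Level.LOW, Level.LOW, Level.LOW, Level.MEDIUM, Level.LOW),
    ThreatProfile("malicious insider",
                  Level.MEDIUM, Level.HIGH, Level.MEDIUM, Level.LOW, Level.MEDIUM, Level.HIGH),
    ThreatProfile("well-resourced organization",
                  Level.HIGH, Level.HIGH, Level.HIGH, Level.HIGH, Level.HIGH, Level.MEDIUM),
]

# Constructed attack paths with the capability floor assumed for each.
ATTACKS = [
    AttackPath("exploit unpatched internet-facing service", 2,
               {"knowledge": Level.MEDIUM}),
    AttackPath("alter safety setpoints from the control network", 3,
               {"access": Level.HIGH, "knowledge": Level.MEDIUM}),
    AttackPath("multi-stage compromise of vendor update channel", 3,
               {"intensity": Level.HIGH, "time": Level.HIGH,
                "technical_personnel": Level.HIGH, "knowledge": Level.HIGH}),
    AttackPath("physical tamper with sealed field device", 2,
               {"access": Level.HIGH, "knowledge": Level.HIGH, "stealth": Level.HIGH}),
]


if __name__ == "__main__":
    for name, consequence, who in prioritize(ATTACKS, PROFILES):
        print(f"consequence={consequence}  {name}: {', '.join(who)}")
```

Running the block lists the two nightmare-consequence paths first, each credible for exactly one adversary class, then the internet-facing service path that every profile can reach; the field-device tamper path is dropped because no constructed profile meets its access, knowledge and stealth floor at once. The point of the screening step is that a mitigation plan need only cover the intersections that actually occur in the matrix, which is what keeps the analysis tractable as the number of threats grows.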