
Sandia National Laboratories has been performing assessments using the IDART methodology since 1996 for a variety of stakeholders, including government, military, and commercial industry. IDART is a rigorous, time-proven assessment process that draws on deep cyber expertise from across the Lab to perform adversary-based cybersecurity assessments. Our focus is risk-informed design assurance and vulnerability assessment for infrastructure, traditional cyber systems, and non-traditional cyber-physical systems.
The IDART methodology has been refined over time to help assess and understand the risks presented by a spectrum of adversaries, and our red team continues to perform assessments that give stakeholders an independent, objective view of their weaknesses from a range of adversaries’ perspectives. Sandia’s IDART is a NIST-recognized method, referenced in SP 800-115, Technical Guide to Information Security Testing and Assessment.
Red teaming has strong ties to both network vulnerability assessment and penetration testing. Many different groups perform red teaming and use differing terminology, techniques, and processes: commercial security firms, various military units and government agencies, and National Labs. Sandia National Laboratories’ IDART™ defines red teaming to be "authorized, adversary-based assessment for defensive purposes."
Authorized means someone with legal control of the facility, system, or entity to be red teamed has agreed to the process.
Adversary-based means that the activity is centered on what one or more adversaries would do if they were attacking the target, taking into account the adversaries’ knowledge, skills, commitment, resources, and culture.
Assessment means making a judgement or comparison of the state of the target with respect to actions by the adversary.
Defensive purposes means helping the system owner make decisions about business, security, computer systems, and control systems that reduce the threat to their system.
Red team assessments can be performed throughout the system lifecycle, but they often have the highest impact during the design and development phase, where cooperative red team assessments cost less and potential critical vulnerabilities can be uncovered and mitigated more easily. The IDART assessment methodology is a flexible tool that program managers and sponsors use to identify critical vulnerabilities, understand threats, deliver effective and secure components, systems, and plans, and consider alternative strategies and courses of action.
IDART utilizes a multi-disciplinary assessment team to improve the security of critical systems through systematic analysis from an adversary perspective. Sandia retains a wide range of security expertise in a variety of operational contexts that is integrated into IDART assessments to assist in the characterization and analysis of target systems. The IDART methodology, which includes a spectrum of viewpoints and adversary models, is applicable to components, devices, networks, infrastructures, and world-wide enterprises. The IDART Methodology is based on a cycle of data collection, characterization, and analysis supported by system engagements, often requiring more than one iteration to complete.
These focused assessments are performed in partnership with system stakeholders and include such tasks as:
IDART’s red teaming methodology has been applied to a broad range of complex networks, systems, and applications utilizing a repeatable process with measurable and actionable results that can be used to make improvements and evaluate progress.
The IDART approach has the red team work cooperatively with system developers, owners, and operators through the entire process. This allows a more in-depth understanding of the system, saves time and resources, and lets the red team learn why the system is in its current state so that identified risks can be put in context. It also allows the red team to find as many attack paths as possible and to prioritize attacks by difficulty and consequence.
The IDART methodology utilizes adversary models that include a spectrum of outsider and insider threats, characterized both by measurable capabilities, such as knowledge, access, and resources, and by intangibles such as risk tolerance and motivation. These models are used to screen attack possibilities and to assist in threat-based prioritization of protection strategies. Their principal advantage is an adversary perspective: a view of information systems different from that of defenders, which yields critical insights into the security of critical systems.
Sandia’s IDART has developed multiple methods to both train its own red teams and help sponsors achieve better results with red teaming.
Red Teaming for Program Managers (RT4PM™) serves as an introduction to red teaming and is useful for both sponsors of red teaming and red team members themselves.
The IDART Methodology training provides an introduction to the structured IDART process within which red teams can systematically, repeatedly, and creatively perform assessments.
Understanding the capabilities adversaries possess is necessary for building systems capable of withstanding cyber or kinetic attacks. With the number of threats continuing to increase and evolve rapidly, it is no longer feasible to enumerate the capabilities of all known threats and then build defenses based on specific threats. To reduce the complexity of analyzing threat, the complexity of the threat space must first be reduced. This is achieved by taking the continuous nature of that threat space and creating an abstraction that allows the entire space to be grouped, based on measurable capabilities, into a small number of distinctly different levels.
Threat profiles can be built from relative descriptors of a range of threats across two families of threat attributes: Commitment and Resources. The Commitment attributes are Intensity, Stealth, and Time. The Resources attributes are Number of Technical Personnel; Knowledge (cyber, kinetic, or specialized); and Access.
See our report “Categorizing Threat: Building and Using a Generic Threat Matrix” for more information.
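The adversary models described above (screening attack possibilities by measurable capabilities, and the Commitment and Resources attribute families) lend themselves to a small worked model. The following is an added example written for this page, not IDART or Sandia code. The attribute names follow the page, with Knowledge collapsed into a single attribute; the three adversary profiles, four attack paths, and consequence scores are constructed for illustration and are not the levels published in the Generic Threat Matrix report.

```python
"""Screening attack paths against adversary threat profiles.

Added example for this page, not IDART/Sandia code. Each adversary is
described by ordinal levels (L/M/H) on the two attribute families named
on the page: Commitment (intensity, stealth, time) and Resources
(technical personnel, knowledge, access). Each attack path states the
minimum level it needs on each attribute; an adversary can execute a
path only if it meets every requirement. Feasible paths are then ranked
by consequence and difficulty. All profiles, paths and scores below are
constructed sample data.
"""
from dataclasses import dataclass

LEVELS = {"L": 1, "M": 2, "H": 3}

# Commitment family: intensity, stealth, time.
# Resources family: personnel, knowledge, access.
ATTRIBUTES = ("intensity", "stealth", "time", "personnel", "knowledge", "access")


@dataclass
class ThreatProfile:
    name: str
    levels: dict[str, str]  # attribute -> "L" | "M" | "H"

    def meets(self, requirement: dict[str, str]) -> bool:
        """True when this adversary has at least the required level on every attribute.
        Attributes a path does not mention default to "L" (no special capability needed)."""
        return all(
            LEVELS[self.levels[attr]] >= LEVELS[requirement.get(attr, "L")]
            for attr in ATTRIBUTES
        )


@dataclass
class AttackPath:
    name: str
    requires: dict[str, str]  # minimum attribute levels needed to execute the path
    consequence: int          # 1 (nuisance) .. 5 (mission loss); assigned by the system owner

    @property
    def difficulty(self) -> int:
        """Sum of required levels across all attributes: a coarse cost to the adversary."""
        return sum(LEVELS[self.requires.get(attr, "L")] for attr in ATTRIBUTES)


def feasible_attacks(profile: ThreatProfile, attacks: list[AttackPath]) -> list[AttackPath]:
    """Screen out the paths this adversary cannot execute."""
    return [a for a in attacks if profile.meets(a.requires)]


def prioritize(attacks: list[AttackPath]) -> list[AttackPath]:
    """Highest consequence first; among equal consequence, the easier path first."""
    return sorted(attacks, key=lambda a: (-a.consequence, a.difficulty, a.name))


def screen(profiles: list[ThreatProfile], attacks: list[AttackPath]) -> dict[str, list[str]]:
    """Per adversary, the names of its feasible attack paths in priority order."""
    return {p.name: [a.name for a in prioritize(feasible_attacks(p, attacks))] for p in profiles}


def blocking_attributes(profile: ThreatProfile, attack: AttackPath) -> list[str]:
    """Attributes on which the adversary falls short of the path's requirement.
    Empty means the path is feasible; otherwise these are the capability gaps a
    protection strategy must preserve to keep this adversary off the path."""
    return [
        attr for attr in ATTRIBUTES
        if LEVELS[profile.levels[attr]] < LEVELS[attack.requires.get(attr, "L")]
    ]


# Constructed sample adversaries (not rows from the published matrix).
PROFILES = [
    ThreatProfile("opportunistic outsider",
                  dict(intensity="L", stealth="L", time="L", personnel="L", knowledge="L", access="L")),
    ThreatProfile("skilled insider",
                  dict(intensity="M", stealth="H", time="M", personnel="L", knowledge="M", access="H")),
    ThreatProfile("well-resourced outsider",
                  dict(intensity="H", stealth="H", time="H", personnel="H", knowledge="H", access="M")),
]

# Constructed sample attack paths against a notional control system.
ATTACKS = [
    AttackPath("phish an operator account", {}, consequence=2),
    AttackPath("exploit exposed web service", {"knowledge": "M"}, consequence=3),
    AttackPath("modify control logic on site",
               {"access": "H", "knowledge": "M", "stealth": "M"}, consequence=5),
    AttackPath("supply-chain implant in firmware",
               {"knowledge": "H", "time": "H", "personnel": "H", "stealth": "H"}, consequence=5),
]

if __name__ == "__main__":
    for adversary, paths in screen(PROFILES, ATTACKS).items():
        print(f"{adversary}: {paths}")
    # Which capability keeps the well-resourced outsider off the on-site path?
    print(blocking_attributes(PROFILES[2], ATTACKS[2]))
```

Run as a script, the screen shows the insider and the well-resourced outsider reaching different highest-consequence paths (the on-site logic change versus the firmware implant), which is the "secure from whom" question made concrete; `blocking_attributes` then names the single attribute (access) that currently keeps the outsider off the on-site path, which is the kind of protection a threat-based prioritization would defend first.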
The priority of the IDART team is to help our stakeholders assess their current level of risk through conducting authorized, adversary-based assessments focusing on their nightmare scenarios and their adversaries of concern. IDART can provide an independent, objective analysis of systems to help answer the question: Secure from whom and with what motivation, goals, knowledge, skills, means, and tools?
The first step in engaging with our team is to review the RT4PM quick reference sheet available on our main page. This will guide you through four basic questions: What is my need for red teaming? What should the red team do? Who is the right red team? How am I going to use the deliverables?
Since Sandia is a National Laboratory, the second step in engaging with IDART is to determine if your operational environment is appropriate for our team. As an FFRDC, Sandia focuses on areas contributing to our national security and operation of critical infrastructure. If you aren’t sure you fall into these categories, reach out to us, with a description of your operational environment.
To contact us, please send a brief description of your organization, your general security needs, and any other questions you might have about how to partner with Sandia and IDART: IDART@sandia.gov
The IDART Methodology training is designed to help attendees improve the defensive posture of their systems by assessing them from an adversarial perspective.
Using sample hands-on team exercises, this course teaches participants the fundamentals of the IDART methodology and prepares them to apply the process to red team assessments. Individuals attending the course will gain a better understanding of how an adversary perceives and approaches attacks against an information system. The course is designed for red team practitioners and cyber defenders.
RT4PM introduces program managers, analysts, and decision makers to a four-step approach designed to focus effort, save time and energy, and avoid common difficulties in using adversary-based assessments. Defining why the assessment is needed, what the red team must deliver, who performs the assessment, and how the deliverables will be used to satisfy the assessment goals is critical to successful red team execution. RT4PM also alerts participants to common difficulties in specifying and ensuring a successful assessment, such as drafting effective rules of engagement or mitigating schedule impact from assessment activities.
RT4PM provides a foundation to support effective dialogue between red teams and their sponsors, helps establish a reasonable assessment structure to support sponsor interests, and helps identify what deliverables should be expected.