Red Team Forecast Scenarios

27 Feb 2019

These are the forecast scenarios that I used internally at Atlassian to measure our security improvement over time. The inputs to concluding many of these forecasts come directly from the red team. This allows a quantifiable and measurable method of taking red team operation outputs and using them to show improvements in the security program. This demonstrates real value!

This is based on @magoo’s work on Risk Measurement.

Forecasters make predictions every quarter, estimating the likelihood of each event occurring in the next 12 months. Whenever a forecast concludes by one of the outcomes becoming “true”, we calculate the forecasters' Brier scores, inform them of the outcome of the scenario, and present them with their results and Brier score.

Each scenario only concludes if the red team actually attempts the action in question. Don’t score scenarios that were never attempted, because doing so will distort Brier scores. All of these are starter scenarios and shouldn’t be copypasta to your organization. You should adapt the questions and outcomes to the needs and goals that you are trying to achieve.

For each scenario there are several provided outcomes. Each outcome should be given a probability. The probabilities must add up to 100.
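As an added illustration of the scoring described above (not code from the original post), the following computes the multi-outcome Brier score for one scenario and a forecaster's mean score over a quarter, skipping scenarios the red team never attempted. The outcome names and probabilities in the sample are constructed, not taken from the page.

```python
from typing import Dict, List, Optional, Tuple

# Probabilities are entered in percent, one per provided outcome, and must sum to 100.
Forecast = Dict[str, float]


def validate_forecast(forecast: Forecast) -> None:
    """Reject a forecast whose outcome probabilities do not add up to 100 percent."""
    if not forecast:
        raise ValueError("a forecast needs at least one outcome")
    if any(p < 0 or p > 100 for p in forecast.values()):
        raise ValueError("each probability must lie between 0 and 100")
    total = sum(forecast.values())
    if abs(total - 100) > 1e-6:
        raise ValueError(f"probabilities must add up to 100, got {total}")


def brier_score(forecast: Forecast, outcome: Optional[str]) -> Optional[float]:
    """Multi-outcome Brier score: sum over outcomes of (p_i - o_i)^2, with p_i in [0, 1]
    and o_i = 1 only for the outcome that occurred. 0 is perfect, 2 is the worst possible.
    A scenario the red team never attempted has no outcome and is not scored (None)."""
    validate_forecast(forecast)
    if outcome is None:
        return None
    if outcome not in forecast:
        raise ValueError(f"unknown outcome {outcome!r}")
    return sum((p / 100.0 - (1.0 if name == outcome else 0.0)) ** 2
               for name, p in forecast.items())


def score_forecaster(results: List[Tuple[Forecast, Optional[str]]]) -> Optional[float]:
    """Mean Brier score over concluded scenarios only; None if nothing concluded."""
    scores = [s for s in (brier_score(f, o) for f, o in results) if s is not None]
    return sum(scores) / len(scores) if scores else None


if __name__ == "__main__":
    # Constructed sample quarter: outcome names and numbers are illustrative only.
    quarter = [
        ({"detected within 24h": 70, "detected later": 20, "never detected": 10},
         "detected within 24h"),
        ({"gained account access": 60, "did not": 40}, None),  # never attempted: skipped
        ({"accessed customer data": 50, "did not": 50}, "accessed customer data"),
    ]
    print(f"mean Brier score: {score_forecaster(quarter):.3f}")  # prints 0.320
```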

For additional reading on how to get started, this page is helpful.

Scenario 1 - Compromised Computer

In the next 12 months, during the course of a red team operation, the red team:

Scenario 1 - Detection

In the next 12 months, an employee computer was compromised by the red team, and:

Scenario 2 - Employee Corporate Account Compromise

In the next 12 months, during the course of a red team operation, the red team

Scenario 2 - Detection

In the next 12 months, during the course of a red team operation, the red team gained control of one or more $COMPANY employees' corporate accounts and

Scenario 3 - Customer Data Compromise

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team

Scenario 3 - Detection

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team accessed customer data stored in our products and

Scenario 4 - Cloud Infrastructure Compromise

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team

Scenario 4 - Detection

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team gained unauthorized access to AWS resources owned by $COMPANY and

Scenario 5 - Trust Boundary Violation

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team

Scenario 5 - Detection

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, a compromise across significant trust boundaries*

Scenario 6 - Source Code Compromise

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team

Scenario 6 - Detection

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team accessed full source code of one or more $COMPANY products and

Scenario 7 - Confidential Information Stolen

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team

Scenario 7 - Detection

Given that an employee laptop is compromised: In the next 12 months, during the course of a red team operation, the red team accessed information that could be greatly damaging to $COMPANY if released publicly and

Scenario 8 - Production Detection

Given a red team compromise on a randomized engineer laptop: The red team

Scenario 9 - Incident after source code compromise

Given that all of a product's source code is compromised:

Scenario 10 - AWS credential leak

Given that an AWS role credential on a random public-facing server is compromised:

Scenario 11 - Hunt Sev1/0

Given a specialized Splunk hunt investigates the last 30 days of all Splunk logs:

Scenario 12 - Hunt Sev1/0

Given a specialized CloudTrail hunt investigates the last 30 days of logs:

Scenario 12 - Hunt Sev1/0

In the next 12 months, an external communication*