As with any security assessment, risk is what moves an organization to act. Operational Impacts are a Red Team’s tool to demonstrate risks. This is one of the most effective methods of showing risk to an organization’s senior leadership.
Operational Impacts are actions or effects performed against a target designed to demonstrate physical, informational and operational weaknesses in security. What does this mean? Operational impacts can be thought of as actions taken against an organization that impact how it operates. These impacts can be as general as performing a denial of service attack or more specific, such as using hijacked ICS equipment to control a city’s power grid.
Operational Impacts are a key distinguisher for Red Teaming engagements vs. others. Impacts are typically performed at the end of an engagement. A Red Team will use the access and capabilities gained to execute the impact. It is best to plan the desired impacts early. Early planning allows a Red Team to compromise systems and establish capabilities throughout the engagement’s execution to best position themselves for impact execution.
Operational Impacts can be very effective in demonstrating realistic impacts against a target. The level of depth of the impact can be as ‘painful’ as an organization is willing to explore. These impacts are typically performed against live production systems to have the highest level of fidelity, but can be executed on test and development environments if they are representative systems. If a test system is used, be aware that these rarely model production to the level where operational impacts are felt. Technology may match, but people and processes typically do not. This can lead to an unrealistic view of how the impact affects an organization.
Buy-in from management for permission to perform operational impacts can be very difficult. If an organization is risk averse, these impacts may seem too dangerous or not worth the trouble.
Organizations that allow themselves to experience a full-scale attack that includes operational impacts definitely feel the pain, but when a responsible and professional team executes, the lessons learned are extremely valuable. Many organizations only gain experience with critical impacts when an actual attack is underway. This is not the time to learn how your organization responds to a severe attack.
Examples of Operational Impacts
An operational impact can be anything that affects an organization’s core existence. Organizations exist for a reason. Being secure is not one of those reasons. We, in the information security industry, sometimes forget there is more than security.
- Denial of Service (Network-based, Account Lockout, malicious traffic, etc.)
- Exfiltration of ‘critical’ data (PII, Financial records, proprietary data, etc.)
- Hacktivist demanding or announcing its presence
- Ransomware working its way through a network after demands have been made