Navigating ethics in red teaming
Understand the ethical dilemma of conducting red team operations with integrity and fairness.
You are a red team professional. As part of an engagement you are asked to send someone a threatening phishing mail, or to plant something on a user's machine that can later be used as leverage during the assessment. Would you do it? How far are you willing to go to play the devil's advocate?
In this post, I'd like to talk about a less discussed topic within the offensive security community: ethics. More specifically, I want to start a discussion on why offensive security professionals need to operate within an ethical framework, and on who decides what that framework is.
As red team professionals, it is our job to simulate or emulate an adversary. We all know that real adversaries don't have a rule-book or an ethical framework to operate within. Does this mean that red team professionals should also not operate within an ethical framework? If they don't, what would be the difference between them and the real adversary? If they do, they won't be able to emulate an adversary faithfully, and the assessment might not yield the required outcome.
On to the next question, if the red team operates within an ethical framework, whose ethical framework should they follow? Their own or their client’s (here client refers to both external and internal organizations)?
Consider this: in light of a recent event (such as COVID-19), an organization sees an increase in the number of phishing emails using that event as a pretext. In order to counter this, it commissions a red team engagement with the objective of finding out whether the event can be used as an attack path to infiltrate the organization's network.
As a red team operator on this engagement, would you be okay with sending out this phishing campaign, knowing that you'll most likely be exploiting people's feelings and emotions? Let's say your ethics don't allow it, but given the objective, the organization's ethical framework does. Who then decides which ethical framework the red team operator will work within?
Red Team Notes
- When we talk about ethics in red teaming, or offensive security in general, we need to address the following questions:
- Why do offensive security professionals need to operate within an ethical framework?
- Who decides what that ethical framework is?
- The objective is to find the right balance between being ethical and truly emulating an adversary.
In his course, Responsible Red Teaming, Matt Kiely describes three ethical frameworks that red team professionals may choose to operate within. These are:
Consequentialism - An action is justified if it produces the greatest good for the greatest number.
Deontology - What is wrong is wrong. It can never be right under any circumstance, whatever the outcome.
Ethics of Care - Focus on people. Don't do anything that causes harm, even if it means compromising on the quality of the work.
In this lecture, he places the red team operator in each of these ethical frameworks and then shows the choice the operator makes under each one. I recommend that you go through the lecture (it's free, although you can pay if you want to), understand each of these ethical frameworks, and then decide what you would have done had you been in this operator's shoes.
Another study on red team ethics that I'd like to quote here is the working paper, What We Do Unto Others: Red Team Engagements, Hurt Feels, And Ethical Penetration Testing, by Roy Iversen and Tarah Wheeler. As part of the research conducted for this paper, the authors surveyed more than 600 offensive security professionals on the ethical considerations of various tactics used in a penetration test or a red team engagement.
What intrigued me most in this paper was the observation that most red team professionals were comfortable using certain tactics on others but objected when the same tactics were used on them. This is why the offensive security community, in general, needs to start discussing ethics. We need healthy debate to find the right balance between being ethical and truly emulating an adversary.