Red-teaming must be about more than ‘gotcha’: Atlassian team lead

Red-teaming is “one of the best jobs in security” but it carries the weight of responsibility in engaging productively with unknowing victims, the head of Atlassian’s red-teaming efforts has warned while highlighting the importance of ‘consent-based hacking’.

Speaking at this month’s inaugural Women in Security Conference and Awards, Atlassian Red Team lead Brianna Malcolmson joined a roster of dynamic speakers in sharing her experiences running red-teaming in one of the most successful, fastest-growing companies in technology today.

Diversity in the red team had proven crucial in designing innovative attack campaigns, she told CSO Australia. “Whether you’re a defender or an attacker, it’s important to have a diverse team because you are going to come up with a lot of different ideas,” she explained.

People are often surprised by her “really creative and very tricky social-media campaigns” to manipulate and ensnare targets, she said. “I don’t know if that’s about my being a woman or not, but I do know that if everyone is speaking the same way, you’re going to miss a lot of that perspective.”

Although red-teaming does require a certain veritas to effectively test organisational security responses, getting consent before a red-teaming exercise – from the highest-level stakeholder of the area that the operations are targeting – is crucial to avoid unpleasant surprises afterwards.