Red Team Handbook rewrite

Why is this change being made?

The Red Team handbook page is a bit outdated and requires a bit of a refresh. See https://gitlab.com/gitlab-com/gl-security/security-operations/redteam/redteam-internal/red-team-operations/-/issues/1371+ for details.

Proposed structure:

• Red Team (main page)
  • Stealth operations (subpage)
  • Purple team operations (subpage)
  • Opportunistic attacks (subpage)
    • Club Red
  • Research (subpage, if needed)
  • How we operate (subpage)
    • General operations
    • How we measure success
      • metrics
    • rules of engagement (separate page maybe? like it is now)
    • Red Team maturity model

I wanted to capture that the current page has a bit too much "how" on it and visitors (who we don't work with often) might want to drill down into each part separately.

Author and Reviewer Checklist

Please verify the check list and ensure to tick them off before the MR is merged.

• Provided a concise title for this Merge Request (MR)
• Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
  • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
• Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
  • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
  • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • The when to get approval handbook section explains the workflow in more detail
• For transparency, share this MR with the audience that will be impacted.
  • Team: For changes that affect your direct team, share in your group Slack channel
  • Department: If the update affects your department, share the MR in your department Slack channel
  • Division: If the update affects your division, share the MR in your division Slack channel
  • Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR
    • For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter

Commits

• Red Team Handbook rewrite

---

content/handbook/security/security-operations/red-team/how-we-operate/_index.md

@@ -7,12 +7,14 @@ no_list: true
 
 We aim to safely and effectively conduct operations in order to emulate relevant adversaries to GitLab.
 
-- We work with Threat Intelligence to identify the most relevant threats and emulate them.
-- We conduct operations ethically and responsibly without causing harm to GitLab or its team members.
+- We work with the [Threat Intelligence team](../../threat-intelligence/) to identify the most relevant threats to emulate.
+- We conduct operations ethically and responsibly [without causing harm](rules-of-engagement.md/#general-safety-guidelines) to GitLab or its team members.
 - We maintain a **good trust relationship** with the rest of the Security division and the wider GitLab company.
 
 It's important to us to intentionally and enthusiastically collaborate with the rest of the company, to balance out the semi-private, sometimes hidden nature of our work.
 
+**Win together**: our goal is to improve security at GitLab, and that's the same goal our defensive teams have. We "win" when GitLab wins and security is improved - whether that's by us doing super 1337 hax or by SIRT stopping us in our tracks. We're not trying to establish "dominance" over defensive teams, we partner with them.
+
 ### 1. Initial access vector
 
 There are several ways we emulate initial access:
@@ -20,7 +22,7 @@ There are several ways we emulate initial access:
 - **Research**. We may conduct operations specifically looking for initial access vectors to exploit. These require substantial time and resources, so we ensure the investment is justified by the potential for security improvements and learning. For example, the [2024 Okta bypass](https://gitlab-com.gitlab.io/gl-security/security-tech-notes/red-team-tech-notes/okta-verify-bypass-sept-2024/) we researched and responsibly disclosed to Okta.
 - **Opportunistic**. Red Team members can also hunt for ways to "break in" to GitLab at any time in the context of an [Opportunistic Attack](../#opportunistic-attacks). This allows us to draw attention to any discoveries and GitLab can quickly remediate. Successful intrusions can then be re-used in future stealth operations as proof of a realistic initial access vector.
 - **Collaborative**. [Club Red](../opportunistic-attacks/#club-red) allows team members to collaborate with us to develop an initial access idea they have, and we can leverage their domain knowledge for a greater overall security result for GitLab.
-- **Assumed Breach**. Sometimes we create a scenario where we gain initial access to GitLab's systems through a trusted insider. This is done in a realistic manner, leaving indicators of compromise ([IoCs](https://en.wikipedia.org/wiki/Indicator_of_compromise)) that reflect an actual breach.  From there, we focus on post-exploitation tactics and techniques such as establishing persistence and elevating privileges.
+- **Assumed Breach**. Sometimes we create a scenario where we gain initial access to GitLab systems through a trusted insider. This is done in a realistic manner, leaving indicators of compromise ([IoCs](https://en.wikipedia.org/wiki/Indicator_of_compromise)) that reflect an actual breach. From there, we focus on post-exploitation tactics and techniques such as establishing persistence and elevating privileges.
 
 ### 2. Operation execution
 
@@ -98,7 +100,7 @@ An outcome label is added to the issue within one week of delivering the recomme
 
 ### MITRE ATT&CK Mapping
 
-[MITRE ATT&CK](https://attack.mitre.org) is a framework for classifying and describing cyber attacks. We use ATT&CK extensively, as it helps us to align our operations to realistic threats and to speak a common language across security groups.
+[MITRE ATT&CK](https://attack.mitre.org) is a framework for classifying and describing cyber attacks. We use ATT&CK extensively, because it helps us to align our operations to realistic threats and to speak a common language across security groups.
 
 We use a combination of GitLab CI pipelines and GitLab Pages to build and host two reporting tools from MITRE: