Draft: Adjust Red Team rules of engagement to include GitLab-managed laptops
Why is this change being made?
💡 Provide a detailed answer to the question on why this change is being proposed, in accordance with our value of Transparency.
As GitLab's security posture matures, we should look at increasing the scope of our Red Team stealth operations.
This MR adds specific attack techniques we may conduct against GitLab-managed laptops. We had previously exluded them from our scope. That exclusion evolved naturally from a time when team member laptops were unmanaged and did not contain specialized security monitoring software. It didn't make sense to emulate attacks on them when the tools to detect and respond were not in place.
Those tools have been in place for quite some time now (endpoint management, endpoint detection and response). It now makes sense to include laptops in future Red Team operations. This will allow us to emulate more realistic and relevant attacks against GitLab. It can also be used as a way to increase security awareness, encouraging team members to be vigilant and report suspicious activity when they see it.
It is important for the Red Team to emulate realistic attacks. Software supply chain attacks are on the rise, and developer's laptops (and the tools running on them) are a vital part of the software supply chain. Here are some specific examples of attacks where end-user laptops were the entry point:
- CircleCI: malware deployed to an engineer's laptop
- Lastpass: compromised software engineer's laptop
- Okta: compromised support engineer's laptop
- RSA: compromised staffer's laptop via targeted phish
Author and Reviewer Checklist
Please verify the check list and ensure to tick them off before the MR is merged.
-
Provided a concise title for this Merge Request (MR) -
Added a description to this MR explaining the reasons for the proposed change, per say why, not just what - Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
-
Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI) - If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
Maintained by
section on the page being edited - If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
- The when to get approval handbook section explains the workflow in more detail
- If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the
-
For transparency, share this MR with the audience that will be impacted. -
Team: For changes that affect your direct team, share in your group Slack channel -
Department: If the update affects your department, share the MR in your department Slack channel -
Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR - For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter
-
-