
Google Cloud Blog: Red Teaming at Scale: How Google Does It


I’m excited to share a new Google Cloud blog post that explores how Google approaches red teaming at scale: How Google does it: Red teaming at scale. It was a pleasure collaborating with the Google Cloud team to bring this piece to life, and I’m excited to share it with the wider community.

Illustration: Red Teaming at Scale

Some of you might have heard the episode of the Google Cloud Security Podcast I was a guest on back in 2022 (Episode 71: Attacking Google to Defend Google: How Google Does Red Team). That conversation, along with my earlier blog post, Meet the team responsible for hacking Google, laid the groundwork for this post, and I’m excited to see Google Cloud embracing our approach.

The new Google Cloud blog post showcases some of the concepts introduced in the podcast and my prior blog post. It delves into several key areas, including:

  • The Scale of Google’s Operations: Some unique challenges and considerations that arise when conducting red team exercises within an organization as large and complex as Google. It touches on the breadth of services, infrastructure, and potential attack surfaces that need to be considered.
  • Strategic Alignment: A core theme is how our red team operations are tightly integrated with Google’s overall security strategy. We don’t operate in a vacuum; instead, our activities are carefully aligned with the needs and priorities of the defensive teams (our defender counterparts). This collaborative approach ensures that our findings are actionable and contribute directly to improving Google’s security posture.
  • Methodology and Tooling: We provide a glimpse into the methodologies and tooling used by Google’s red team. This isn’t a detailed playbook, for many reasons, but it offers insights into the approaches we take to simulate realistic, sophisticated attacks.
  • Continuous Improvement: The post underscores Google’s commitment to continuous improvement in security. Red teaming isn’t a one-time event; it’s an ongoing process of testing, learning, and adapting to the ever-evolving threat landscape. Our findings drive enhancements to our defenses and contribute to a more resilient organization.
  • Measuring the impact of the Red Team: The blog post briefly touches on measuring the impact of the Red Team’s findings and providing meaningful metrics.

I’m incredibly proud of the work we do on Google’s red team, and I believe that sharing our approach (while maintaining necessary confidentiality) can benefit the broader security community. Check out the new Google Cloud blog post, the podcast episode, and my earlier blog post. I hope you find them insightful and thought-provoking. Please do feel free to reach out and share any feedback or questions.