Primum non nocere?

The Latin phrase "primum non nocere", or "first, do no harm" in English, is most often associated with the Hippocratic Oath of the medical profession. The idea is that doctors should not risk doing more harm than good to their patients. As security professionals, it's a nice philosophy to follow - because we don't want to harm or weaken the security of our clients, right? We're here to help improve their security.

As with most things in life, it's not that simple. If doctors were to take this literally, nobody would ever have surgery, give blood, or receive any procedure that did any amount of harm to them. Clearly, some harm is worth enduring for the potential benefit.

In the context of red teaming, we have the option of carrying out harmful actions. Examples include disabling security controls, such as AV or host firewalls; adding users to privileged groups, like local or domain admins; and creating various administrative backdoors to systems. These are dangerous because, once in place, you cannot guarantee that they won't be abused by another party, and you are therefore increasing your client's risk exposure.

The flip side is that these types of tactics are frequently used by real adversaries, and aren't we meant to be emulating them? Yes - and this is where our judgement comes into play. Needless to say, nobody should set out to do something that will cause predictable and preventable harm. For instance, we would not actually deploy ransomware across an entire organisation just because that's what an adversary might do. If that is a scenario the client wants to explore, it should be done in a safe and controlled fashion.

Just as a surgeon would not cut you open without due cause or the appropriate consent, we should refrain from harmful actions without the consent of our client. Everybody's feeling for what is and is not appropriate will be different. When in doubt, seek advice from your team lead or client contact.
