Hacker News

> we redirected the efforts of a large part of the Cloudflare technical staff (inside and outside the security team) to work on a single project dubbed “Code Red”.

Code red is a standard term in emergency response that means smoke/fire. In general, in order to “redirect” that much effort one must do some paperwork to prove the urgency and immediacy of the threat.

The MO screams China to me but I wouldn’t read anything into the name “code red” which would have been selected before they identified the specific threat actor anyway.




The name has nothing to do with where we believe the attacker came from. We borrowed it from Google. At Google they have a procedure where, in an emergency, they can declare a Code Yellow or Code Red — depending on the severity. When it happens, it becomes the top engineering priority and whoever is leading it can pull any engineer off to work on the emergency. Those may not be the exact details of Google's system but it's the gist that we ran with. We'd had an outage of some of our services earlier in the Fall that prompted us to first borrow Google's idea. Since our logo is orange, we created "Code Orange" to mitigate the mistakes we'd made that led to that outage. Then this happened and we realized we needed something that was a higher level of emergency than Code Orange, so we created Code Red. At some point we'll write up how we thought of the rules and exit criteria around these, but I think they'll become a part of how we deal with emergencies that come up going forward.


Ha, I almost mentioned Google, having been through a code red myself, but it felt like a reach so I went elsewise with my comment! I believe it’s safe to assume Google pulled it from emergency response given that their approach to incident management inherits heavily from ICS.


Did you order the code red?! I want the TRUTH.

(Sorry, so sorry, it was just too low-hanging not to pluck: https://m.youtube.com/watch?v=W2G2sac9s34)


Yeah, that's a pretty accurate description of the color code system. There's some additional nuance to it, but a code red is an immediate existential threat to the business.


> The MO screams China to me

How exactly?

Nothing out of the ordinary/regular infiltration, investigation and attempt to move laterally is exposed.



