Red teaming: Why a forward offense is the best defense

Companies are under constant threat. Opportunistic attackers scan the internet for weak points, motivated attackers target specific organizations for susceptibility to a scam or digital exploit, and persistent attackers don’t give up until they get what they’re after. Unless you understand the threats your company faces and how attacks would succeed against your specific environment, you can’t stop them.

New data breaches seem to make headlines every day, making you doubt your security posture and wonder what you’d do if it was your name in the news. If you’ve only planned out how you’ll react, the best you can hope for is to stop the bleeding when it inevitably happens.

Before you take that damage, you can learn to avoid getting hit in the first place. Simulating real-world attacks (AKA a forward offense) can be a valuable test of a mature incident response program. Training to battle the adversary is what red teaming is for.

To get the most out of red teaming, companies should first assess the maturity of their security program before pursuing a red team assessment. Without internal resources in place, red teaming may provide information on areas of improvement that your company will not have the capabilities to address.

Once you’ve got an incident response team in place to handle security events in real time, and a systemic way to remediate the issues that a red team may discover, it’s time to really test the system and learn the consequences of your worst-case scenarios:

• Could attackers get to and manipulate your most valuable data?
• Could they leak sensitive information and destroy your reputation?
• Could they take over the whole environment and delete it?

Determining baseline assets and priorities before beginning the assessment will guarantee that the test captures what you really wanted to know. One of best ways to leverage a red team is to evaluate the capabilities of your own blue team: the defenders. Consider it a live fire training exercise that allows them to practice for a real-world attack.

Adversarial simulations enable organizations to both understand their true security posture and improve defensive capabilities against real-world threats.

What does red teaming entail?

Before a red teaming engagement, you’ll need to decide with your team what your priorities are. Red teams are often aimed at a specific trophy target, like credit card information or gaining access to critical server infrastructure. That means these tests can be customized and tailored to your unique security concerns, and be designed to encompass both digital and physical vectors. So there are choices to make.

What is your most valuable target? What part of your environment would you like to know more about? You can supply the testers with starting information, or just have them approach as zero-knowledge outsiders and have them gather information on their own. Who will be the stakeholders and how much will they know about the attack? How much time should be spent on each activity? Determine the “What if” scenarios that should be simulated. And make sure to understand what would define success on the red team attacker’s terms. What are their goals?

With the scope and parameters of the test agreed on, your hired guns will then attempt to exploit your systems through whatever vectors they can think of with all tools and knowledge they have – mimicking a real-world attack.

During testing, you can either prepare your internal teams to meet the enemy, or you can keep them in the dark to test their response time in shutting down the footholds of an attacker in real time. Red teaming lets you evaluate the same tools, techniques, and procedures that the attackers use and shows how well prepared your defenders are to identify, contain, eradicate, and recover from each of those attack scenarios.

After the time-boxed assessment is complete, your would-be attackers share the details of your system’s weaknesses and how your environment looked to their thieving eyes. It’s like a burglar breaking into your house and then telling you how they got in and out with your valuables.

Your entry point may have been easily guessed passwords, outdated software, employees who freely give out information in social engineering scenarios, or a lack of segmentation between networks. It may be a combination of these common vectors, or one major missing element that broke the environment wide open for them. In any case, the feedback the red team not only informs you as to your current vulnerabilities today, but patterns and issues that are likely to crop up in the future, should you modify your environment or the type of information stored inside of it.

The best way to defend against attacks is to shift from a victim mentality of reacting to incidents to a proactive one that favors realistic simulations as a form of training to improve your defensive capabilities. The strength of red teaming is that it shows you exactly what real-world attackers will do – they’ll combine several vulnerabilities into a working attack chain that ultimately compromises your data.

Make sure your security is up on its feet before starting a fight simulation. Get to know your environment well and then test your work against a group of professionals. Afterwards, gain detailed insight about how your testers evaded controls. They’ll provide feedback on your big picture operations, not just give you a list of vulnerable tools.

Red teaming may seem unnecessarily intense for your company, but without deep investigation of your assets and environments now, you may end up paying a different price later – the consequences of a real-world attack.