When is the right time to red team?
“It takes a thief to catch a thief.” Despite being hundreds of years old, this idiom holds perfectly true for that most modern of thieves, the cybercriminal. With adversaries consistently evolving their tools and techniques to overcome defensive solutions, foiling their attacks requires ethical hackers who are able to think in the same way and spot the same potential attack pathways.
Red teaming is the epitome of this approach to security, involving a team of highly experienced security professionals taking on the mantle of the cyber attacker and doing everything in their power to breach the organization’s systems.
Thinking like a cybercriminal
While it is often conflated with penetration testing and does involve similar processes, red teaming is actually a very different activity. Whereas a standard pen test will focus on a tightly defined scope and focus on the technical aspects of the business and aim to find as many potential vulnerabilities as possible, red teaming will see the team take advantage of people and processes as well as technology. It’s a no-holds-barred engagement, with the team stopping at nothing to execute a successful attack, just like a real threat actor.
As well as testing the technical side of security, red teaming will test a firm’s personnel as well. The internal “blue team” will be tasked with trying to spot the red team intruders and doing their best to stop and remove them from their networks.
Red teaming has become increasingly popular in recent years as firms become more aware of the threats they are facing. However, because it is often thought of as an extension of pen testing, we often find that businesses are keen to jump straight into red teaming before they are ready for it.
Realizing the value of red teaming
A successful red teaming exercise can be incredibly effective in exposing potential weaknesses that normal penetration and vulnerability testing activity will miss. However, these results can only be realized if the organization has a mature security program.
Before letting a team of ethical hackers loose on its system, a firm must already be carrying out automated activity such as asset investigation and vulnerability analysis. The organization should also be combining automated technology with human intelligence by implementing robust, regular penetration testing.
Only once a business has completed several cycles of vulnerability and penetration testing should it start to elevate its activity with red teaming. This will help it to establish a stronger security strategy that looks at the big picture of people, processes and technology. This is absolutely essential for any firm hoping to hold off advanced threat actors, who will target multiple areas of the business in order to compromise the network.
However, attempting to bring in red teaming before getting a good handle on the basics will produce very little value. The ethical hacking team will likely be able to compromise the environment so swiftly and easily that there will be little to learn. To be truly effective, the insights produced by the red team need to be given context by previous penetration testing and vulnerability assessment activity.
Improving security maturity
Every red teaming exercise I have been involved with has delivered actionable insights, and there is always an element of the blue team reading the report and going “Ah, we should have stopped that!”.
Carrying out a red teaming exercise is only half the battle. As with more traditional pen testing and vulnerability assessments, the true value of red teaming is what the company does with the insights that are uncovered.
Organizations need to ensure that any red teaming exercises are properly married into existing risk assessment processes so that potential threats can be closed or mitigated in line with the company’s risk appetite.
As with most other aspects of security, red teaming is never a matter of “one and done” – it needs to be a regular, continual process in order to be effective. How regularly this happens is again down to the company’s particular risk appetite, but introducing annual red teaming is a good place to start. It can also be useful to carry out ad hoc testing when there are significant changes to the environment, such as M&A activity, the introduction of new software, or the discovery of a new malware or attack technique that may threaten the business.
Once the organization settles into a routine, red teaming can help it make serious progress in improving its security maturity. One of the most important steps is understanding that security vulnerabilities are universal across the business. It’s common to find that one department will discover and mitigate an issue, but it will be left open in other areas of the organization. Just like a genuine attacker, ethical hackers will quickly identify these gaps and exploit them for maximum impact, which can be a very effective way of forcing the business to start breaking down silos.
Managing red teaming for optimal results
To accurately emulate a real threat actor, a red team needs to be equipped with a depth and breadth of experience and skills that will enable them to match what genuine black hats can muster. More importantly, an ethnical hacker needs to be able to step into an adversary’s head and be as creative and persistent as a real criminal hunting for a huge payday.
Accessing this kind of capability is a challenge at the best of times, and doubly so thanks to the on-going skills gap. With this in mind, all but the largest organizations will need to engage external third parties to carry out red teaming. Because it should be a regular and on-going process, it can also be beneficial to form a long-term partnership with a managed security service provider (MSSP). Using the same partner for red teaming, penetration testing, and other essential activity can also make it easier to assemble various jigsaw pieces of intelligence into a single coherent picture.
However, firms that try and jump straight into red teaming without doing the groundwork first will find themselves with a handful of pieces and no puzzle to put them into.