Penetration (pen) tests have been a weapon in the security arsenal for nearly 50 years.
Unfortunately they are often now used as a way of appeasing an auditor or demonstrating compliance with an alphabet-soup regulation (GLBA, HIPAA, PCI-DSS, FISMA, NIST). At their very best, they will provide a proactive test of an application, system, or specific piece of infrastructure.
Five decades on, we are in a very different place to that envisaged by the US DoD in 1967. Networks are more interconnected, and practically everyone within an organisation has access to data and systems, from the CEO to the air conditioning engineer. A skilled adversary will not be looking to exploit a single application or piece of infrastructure; they will be attempting to penetrate the organisation in whatever form possible. A red team exercise mimics this by looking to exploit weaknesses not just through electronic attacks, but through physical and social exploits as well.
The term “red team” can sound a bit alien, but like many things in security its origins are in the military world, where “red” is the colour of attacking forces and “blue” is used to denote those defending. The Defence College of Intelligence describes a red team as:
“a team that is formed with the objective of subjecting an organisation’s plans, programmes, ideas and assumptions to rigorous analysis and challenge. Red teaming is the work performed by the red team in identifying and assessing, inter alia, assumptions, alternative options, vulnerabilities, limitations and risks for that organisation.”
…and that’s exactly what cyber red teaming exercises are designed to do. By emulating real-world attackers they help organisations to understand how they would fare against their own threat actors, be that organised criminality, government agencies and their proxies, disgruntled employees or activists.
The aim of red teaming is not, as is sometimes mistakenly assumed, to gain access to an organisation’s networks. Little business value lies therein. Although a red teaming exercise will demonstrate how access might be gained to an organisation, it is more interested in what happens afterwards.
The real business value offered is the opportunity to build greater resilience: to learn hard lessons in a training environment and prevent their recurrence in the real world; to ensure that an organisation fails incrementally, in layers, with opportunities to intervene along the way; to test the effectiveness of security measures and examine whether you’re getting returns from your technology investments; to avoid wasting money on technologies and services that offer no value; and to avoid restricting normal business with security measures that offer little protection.
Above all, an organisation informed by red teaming can make it as difficult as possible for a threat actor to bring about specific risk scenarios.
Red teaming takes a team with a diverse set of skills, from social engineering and gaining physical access right through to being able to compromise IT systems and steal data without being detected.
Over the coming posts we’ll be discussing what it takes to red team effectively, whether you choose to do so using external providers or prefer to train your own red team. We’ll examine the value that can be generated for your business, and how to demonstrate returns.
In the meantime, if your organisation has any red teaming or red team training questions, please contact us at [email protected]