In our last post we discussed cyber red teaming: what it is, what it isn’t and what it can do to mitigate targeted cyber-attacks.
Red teaming isn’t new. Cyber red teaming isn’t particularly new either, but few organisations currently do it. Why so?
Many reasons are cited. They vary from:
We doubt you’ll get in. Even if you did we’d detect you. We’re not going to waste money proving it.
Suppose you get in - what would it prove?
There’s no point – you could drive a coach and horses through our networks… We know we’re already knackered. Why confirm what we already know?
Then there’s the yes-just-not-right-now camp:
The business isn’t ready for it yet. We’ve only just hired a CISO.
We’ve come a long way and by the end of next year we’ll be ready to red team.
In our experience, after a red teaming exercise, these quickly turn to:
How did you get in? How come we didn’t detect you?
In one case it was:
Please don’t send us a copy of your report.
The real reason why we’re often not prepared to act relates to personal motivations and fears. We are, after all, human beings with careers, reputations and mortgages to pay. Red teaming can feel threatening to all three, because it will almost certainly identify some awkward findings:
Half the company clicking on a phishing email; sensitive data being discovered on the Internet; cloned security passes for a new (expensive) access control system; intruders gaining physical access to your facilities; next generation firewalls failing to detect malware; SIEM solutions and the latest big data analytics failing to detect even basic anomalies; devices being placed onto network ports; undetected ownership of / persistence on your network; exfiltration of data. The list goes on…
The thought of paying money to highlight just how easy it would be to bring about your own proverbial bad day at the office may sound to some like an unwise career move. But this need not be the case. The solution lies in strong leadership: in this case backed up by effective communications and expectation setting up and down the organisation.
CEOs are now well briefed on the cyber threat. Forward thinking CEOs understand that their organisations learn most when they fail. They appreciate that investing in defences is a waste of money unless they are meaningfully tested.
Staff also need to be reassured that the exercise is about learning lessons, rather than causing embarrassment. Despite the exercise being commissioned in secrecy, we typically find that everyone from receptionists to SOC managers is on [artificially] high alert that a red team is at large, such is the fear of falling victim to an attack.
Anyone commissioning red teaming needs to consider the politics of such an endeavour, and should prepare their arguments in advance, because people above and below you will fear its findings. It helps to advertise the assumption that the red team will get in, and that there is a fairly good chance you will not detect anything. Fear can be assuaged by explaining to staff that although the findings of the red team can make for difficult reading, the medicine will help.
Often the recommendations are not as draconian as you might expect. It’s not all about re-architecting global networks… For example, an organisation may have bought a patch management system but is not using it properly. Or their SIEM works and the SOC staff are competent, but its sensors aren’t sited correctly. Both are relatively easy to fix. Neither would be detected by an audit. Left unremedied, both will undermine significant investments and make the organisation unnecessarily vulnerable.
Wherever you are on the cyber maturity curve, red teaming will add value by offering you ground truth: a view of yourself in the eyes of your threat actors at a given moment in time. Whether you have invested millions in cyber security and want to know if it all works, or are considering where to spend a more modest amount, a red team will offer you a datum, and a host of measures you can take right away to become more resilient.
By setting expectations that red teaming is a means of improvement, barriers to red teaming can be removed. If I were CEO of your business (or if my pension had invested in it) I would rather the organisation learned some tough lessons in a safe environment before they were learned from someone with a more malign intent.
If your organisation has any red teaming or red team training questions, please contact us at [email protected]