Red Teaming: thinking and acting like the enemy to stop them in their tracks

The term “red team” comes from the military. It refers to training exercises that aim to challenge the efficacy of operational processes and practices in order to uncover weaknesses and vulnerabilities before adversaries can do so.

In recent years, organisations have adopted red teams to shore up their security defences. According to Mike Fenton, CEO of managed detection and response (MDR) provider Redscan, red teaming enables an organisation to continuously challenge its ability to protect itself from, detect and respond to breaches, which is essential for reducing the risk of reputational and financial damage. This is echoed by Shay Nahari, head of red team services at CyberArk, who states that red team exercises can be defined as an adversarial simulation that allows organisations to detect and respond to targeted attacks.

Shoring up detection and response capabilities

The goal is to test how well an organisation’s detection and response capabilities work when under attack. Red team exercises can be a real eye-opener. They help organisations test how well their security programme performs in protecting critical assets, including the data, systems and people that matter most to the organisation. They can show where the security programme is performing well, as well as highlighting gaps that have been overlooked.

The SANS Institute has identified red teaming as one of its 20 critical security controls, enabling organisations to improve their readiness for the threats they face, improve training for defenders and gauge current performance levels. Red team exercises provide objective insights into the existence of vulnerabilities and the efficacy of defences and mitigating controls, including those planned for future implementation. This allows organisations to see where security budgets could best be spent and to demonstrate the return on security investments in business terms.

Going on the offensive

Many organisations perform vulnerability assessments in an attempt to find weaknesses and vulnerabilities that could be exploited. Such assessments are performed using automated scans that can detect problems, such as unpatched systems, and outdated protocols, certificates and services.

Going a step further, penetration testing aims to identify as many vulnerabilities and configuration issues as possible, such as known, unpatched vulnerabilities, and then tests whether an adversary could exploit them, in order to determine the severity of each finding and the likelihood that it leads to a security incident. Whilst automated tools are also used in such assessments, the quality of the results depends on the expertise of the person doing the pen testing.

Red teaming is in a class above. Such exercises are more targeted. Rather than looking for any vulnerability that could be exploited, they look to identify the weakest links in order to test detection and response capabilities. They emulate the activities of a malicious attacker and the tools, techniques and procedures that attackers deploy to avoid detection. Nothing is off limits to the red team. Any method of attack can be used, from advanced hacking techniques to physical subterfuge, such as posing as a contractor or business services provider to gain entry to a facility and look for exploitable human weaknesses, such as an unattended laptop or credentials that have been written down.

According to Joseph Carson, chief security scientist for Thycotic, all organisations should understand hacker techniques. He likens it to a sports team and the efforts that they take to understand the tactics deployed by the opposition in order to stand a better chance of defeating them.

Help for beleaguered security teams

However, Menachem Shafran, VP for XM Cyber, highlights one of the problems that organisations face: offensive security experts are hard to find. Most security teams are over-stretched just dealing with everyday fixes, let alone trying to stay one step ahead of attackers. They need to understand all of the attack vectors that they face and the impact of security issues on the business. They aren’t looking to buy more security, but rather to use what they have more effectively. Shafran likens this to leading a healthy lifestyle, not trying to fix issues that could have been avoided.

As the security market continues to shift its focus from products to services that help security teams deal with complex technology and a threat landscape that is ever harder to defend against, a variety of vendors have stepped up to offer specialised pen testing and red teaming services, whilst others include them as part of their wider portfolio. This can be seen among the vendors mentioned in this article as well as many MDR service providers, especially those offering pure-play, technology-agnostic services that span entire technology environments.

The use of pen testing and red teaming services will help any organisation improve its overall security posture, identifying current vulnerabilities so that they can be dealt with effectively and helping it defend against evolving attacker techniques. By thinking like hackers, such services can help organisations turn the tide against cyber criminals.