An old military saying states that in a long-running conflict, the opposing parties eventually adopt similar tactics. Well, if there is a long-standing conflict in the digital world today, it is between the intrepid professionals who work to protect their organizations’ data against the ever-present threat of cybercrime — a phenomenon that has continued to evolve in terms of tactics and tools over the last decade.
In this context, there’s nothing more natural than for security teams to adopt the practices employed by cybercriminals to their own benefit. No, your security team will not become a group of digital vigilantes and go out looking for opportunities to attack potential enemies; but if your goal is to stay protected and remain law-abiding, a much more efficient approach is to use the same tools and tactics employed by your adversaries to understand the true level of resilience of your own defenses.
The concept is not new: For many years, we have done vulnerability assessments and intrusion testing. But in a world where new digital threats are constantly appearing, it is necessary to go further. And that’s exactly where the concept of Red Teaming comes in.
What Is Red Teaming?
As defined by Bryce G. Hoffman, author of one of the leading books on the subject: “Red Teaming is a revolutionary new way to make critical and contrarian thinking part of the planning process of any organization, allowing companies to stress-test their strategies, flush out hidden threats and missed opportunities and avoid being sandbagged by competitors.”
In the context of cybersecurity, Red Teaming is a complete simulation of the behavior of a real adversary such as a cybercriminal. This includes a multilayer approach to security testing that not only exploits vulnerabilities in technology, but also weaknesses in people and processes within the organization, allowing you to create an independent, unbiased view of the effectiveness of both security controls and the team responsible for detecting and responding to security incidents.
Red Teaming can be best understood as an advanced form of ethical hacking which is not limited to simply discovering and exploiting vulnerabilities, but also focus on emulating (with the highest level of precision possible) the behavior of an adversary. It is possible to argue that a traditional intrusion test performs similar work, but there is a distinct difference in approaches.
In terms of scope, the intrusion test has clearer boundaries and is much more restricted, while the Red Team — even though it still has goals and a scope — has much more flexibility and uses a “do everything possible” approach, just as a real attacker would do. But that’s not even the major difference! A key factor is the fact that intrusion tests are limited to a point in time, it can be considered a photograph of how information security performed at a specific time. Contrary to that, in a red teaming approach, the simulations are carried out continuously, making sure the blue team (the people protecting corporate data) is always alert against possible attacks, and this is one of the greatest benefits of this methodology.
Why Is Red Teaming So Important?
One of the most important points of a Red Team assessment is to demonstrate how an adversary could combine seemingly unrelated vulnerabilities to achieve their goals. This is to prove that, even with the best of protection technologies, an organization is never 100% protected against an advanced threat.
It is common for a Red Team to combine traditional techniques, such as exploiting technologically-related vulnerabilities, with tactics such as social engineering, that can be performed by email, telephone or even physically in the assessed environment. This will create a complete, real-world view of your information security effectiveness and help to prove how inefficient it is to rely on a single type of technology to protect corporate data, even if this technology is the most advanced available.
In the end, a Red Team assessment will demonstrate the value of adopting a layered approach to cybersecurity, that is defense-in-depth, by combining the best technology with reliable processes and people both aware and prepared to deal with any information security threat.
Of course, it is always important to remember that all of this is done continuously, enabling a steady improvement to security controls and teams.
Who Should Use Red Teaming?
A common mistake is believing that security testing should be restricted to large corporations that have huge volumes of valuable data. After all, cybercriminals would not be interested in small and medium-sized companies, correct? No! This sort of thinking could not be further from reality.
In the current cybersecurity threat context anyone can be a victim, from corporations to small businesses or even individuals. Attackers are not limited to stealing data, but they are also very interested into gaining access to all types of IT infrastructure, even small servers or mobile devices such as smartphones and tablets can be hacked, become part of a botnet and be the drones responsible for the next major Denial of Service attack.
In addition to that, there are a number of new/updated privacy laws and regulations around the world, such as the GDPR or California’s Consumer Privacy Act of 2018, and in most cases they apply to businesses of all types and sizes. In this case, a single incident that violates the security requirements of private information may result in fines so heavy that it could make a company go out of business.
Red Teaming is one of the best options to ensure that your organization will be prepared to deal with real adversaries whose lack of morals means they have no problem in destroying even a small business in order to achieve their goals.
What Are the Possible Outcomes from Not Using Red Teaming?
For a long time, vulnerability assessments and traditional penetration testing have been the most commonly used approaches to testing organizations’ security controls. Unfortunately, this is no longer enough to ensure adequate levels of protection.
Traditional tests are limited to identifying problems at a specific point in time, in addition to that, they also have limited scopes and often leave the emulation of an adversary’s behavior completely out of the picture. The result is an incomplete view of the threat landscape, which significantly reduces the security team’s ability to respond to a real attack.
To put it simply, we live in a world where cybersecurity threats are constantly evolving, new vulnerabilities, tools and techniques emerge every day. When the goal is to ensure adequate protection against real threats, new approaches like threat hunting and Red Teaming are key pieces to any strong cybersecurity strategy.
Since the era of the famous strategist Sun Tzu, the practice of knowing yourself as a way to defeat the enemy has been preached for millennia in military academies. It applies perfectly to the context of information security.
Not only the constant threat evolution but the development of security-related laws and regulations make it is essential to take an effective and continuous tactic to corporate data protection.
Adopting a Red Teaming approach means that you will be thinking and acting just like your worst enemy, allowing you not only to gain an understanding of the approach used by an adversary, but also ensuring that your security team will be prepared to create swift and decisive responses, even against the most complex attacks. That is an undeniable benefit to your business and will make sure your CISO can sleep peacefully.
Red Teaming, Bryce Hoffman
Pentesting and Red Teams, Gartner Blog Network