Red Teaming: 4 Ways to Get the Best Value While Improving Your Security

What is Red Teaming?

Red Teaming will always have similar concepts and strategies, but no Red Team endeavour is the same, and the meaning may change from one organization to another. Simply stated, Red Teaming is acting as an adversary within your own network to achieve a scenario or objective that a potential attacker can leverage or has value. A true Red Team objective should not be to achieve the goals as quickly as possible. A Red Team operation requires a dedicated team, the right tools, and patience.

4 Ways to Achieve Value and Improve Your Security

Make it Affordable

The first thing to know is the amount of overhead that comes with forming the team. If your organization cannot afford to hire a full-time staff, then qualified consultants are an available option.

An experienced consultant company brings three immediate benefits: They work on a contractual basis, so the start and end dates can be solidified in the terms of the contract. They also have more exposure to many different scenarios from their experience with their various clients, so they bring knowledge that may not be readily available to an in-house team. The use of a consulting organization also removes a lot of the implicit bias that can occur when an internal staff member has to report any unpleasant findings from the exercise to the corporate managers.

Maturity Matters

If the organization does not have a fully mature security program, a Red Team exercise would not be advised; it should be one of the final initiatives for an organization with a fully realized cybersecurity program. This is the next consideration for any organization contemplating a Red Team operation. A thorough audit of the organization’s maturity level is essential. Proper security requires a layered approach, as well as following one of the many industry-recognized models, such as those freely available from the National Institute of Standards and Technology (NIST), the Cybersecurity & Infrastructure Security Agency (CISA), and the National Cyber Security Centre (NCSC).  Sometimes, it makes sense to use a model that may not specifically pertain to your industry, such as the Payment Card Industry Data Security Standard (PCI DSS). If your organization’s security lacks a strong foundation, it would be wise and prudent to seek as many authoritative sources to address that before engaging a Red Team exercise.

Patience is Important

While the name “Red Team” may evoke a sense of urgency, a Red Team exercise can take time, depending on the objectives. Since real threat actors have been known to operate with carefully calculated caution to compromise an organization, a Red Team will also mimic the same deceptive tactics.  

A Red Team exercise is different from other exploitation activities, such as a penetration test.  A penetration test can be conducted by running a vulnerability scan, and then exploiting those vulnerabilities.  The goal of the Red Team is to simulate how a true adversary would operate, ultimately obtaining the data that could ruin an organization. This can involve many different techniques, such as social engineering, sending malware payloads, and leveraging different ports and processes to compromise a system. The goal of the Organization should be to capture or detect the Red Team operations occurring on their network.

After the Exercise

Once the Red Team exercise has concluded, and the final report is delivered, make an action plan to improve your security and internal detection on cybersecurity events. If the compromises were the result of misconfigurations, an automated tool can remedy those problems. The results of Red Team compromises should produce policy change, tool changes, updates to systems, better understanding of inventory, and more layers of defense.  The primary object of the Red Team exercise is to learn, and to aim for improvement.