Cyber security today is a moving target. Let’s face it, there’s never going to be a time when your organization is 100% secure.
Attackers are constantly developing and adapting their tactics to get around whatever new defenses are in place. Your organization may reach a point when it’s in pretty good shape, but then again, you should never get too confident.
It sounds pretty unnerving. Your enterprise has invested heavily in cyber security. Even the top brass has made it a priority. Yet even with that new SIEM or IDS in place, you still can’t rest. How do you know which tactic an attacker might take next? How can you know where to focus, where your weak spots are? How will you improve something that’s difficult to measure, or that you haven’t measured in the past? Do you know if your security investments are living up to their expectations?
These are not easy questions, but there are answers. And they can be found through red team testing.
In a red team exercise, ethical hackers will engage in an all-out attack on your organization to find a way in. The term comes from the military, where war games pit a red team (the attackers) against a blue team (the defenders). The idea is to challenge the blue team’s defenses when faced with a determined attacker’s mindset. In cyber security, red teaming is an important technique used to improve an organization’s overall security.
A major benefit of red teaming is that it enables a change in perspective. Your company, after all, is in the defender’s shoes and has a defender’s mindset. Using a red team will give your organization insight into the way an attacker thinks – and the tactics they might use to compromise not just any organization, but your organization specifically. The insight that is gained from a good red team analysis gives a holistic view of your company’s security posture.
And that means more than just electronic information security. Comprehensive cyber security is about physical space too – and the people in it. Cyber attackers can go pretty far leveraging the weaknesses in your physical space and your employees. Red teaming takes into account all aspects of organizational security – the aspects an attacker would similarly use to access their target.
Will the receptionist allow that nice-looking guy in without a badge? Will your employees open that malicious attachment? Will they fall for that phishing email? What information is your organization freely sharing in the alleyway dumpsters? Are you using encryption on internal IT assets – for example, websites, e-mail servers, VoIP? Is your internal network “flat” and accessible to anyone in the office? Red teams will exploit the weaknesses that exist in your company – ones you’ve never even thought about – the way an attacker would.
Sometimes it might hurt. In results presentations, the most common responses from customers are “I thought we were better at this” or “We tested this ourselves and it was fine.” In more extreme reactions, our red team experts have even had people yell at them, throw stuff, walk out of the room and slam the door. No one likes to hear that something they thought was working, isn’t.
But you’ll learn, a lot. And perhaps one of the most important things you’ll learn is whether the security investments you’re making actually make sense. You’ll be able to measure to what extent your security controls are actually aligned with the assets they’re supposed to protect, so you can evaluate their price tag and value.
Nothing is actually completely secure, ever. But red teaming will help your company establish if the feeling of being secure is indeed justified, and where it might not be.