The Importance of Red Teams

We have a unique opportunity now. We are seeing a change in the mindset of the security experts. The digital security experts are talking about security intelligence, about being more proactive and not just react when an attack happens. This is good news.

It’s time now for the same security experts, both in the digital and physical worlds, to begin including red teams in their security planning.

Red teams challenge the current security policies. They test the readiness of the quick reaction teams, CSIRT and CERT, of the security departments and of the security engineers in the digital world. They also test the readiness of national infrastructures security teams, something I think is of vital importance nowadays.
Red teams think outside the box, like an attacker, like an adversary, and go beyond a simple penetration test or security audit. Like the folks at the Red Team Journal explained:

Red teaming is the art of challenging assumptions and exploring the possible.

Red teams plan the strategy for the different attacks, they collect intelligence on the target, analyze the possibilities and then they execute based on what they’ve learned. Once this is done, a good red team then performs a full analysis of the attack and provides mitigation and prevention measures. But more importantly, they make sure the defending team is ready.

As a defensive measure, red teams help plan and test the defensive strategy. How to better be resistant to attacks. The red team can also help collect information about possible adversaries and prepare a more proactive course of action. Finally, a better defensive posture can be prepared based on the execution and analysis of what those adversaries can do.

Overall, having an understanding of who the adversary is and how it might exploit the security holes will make the organization better. Reacting to a security breach is a must, but it’s not the ideal security posture. Instead be proactive, try to think what an attacker can exploit, try to go two or three moves ahead of him. Prepare for it. Place detection and deception measures. Make a future attack harder.
Red teams can help predict what might happen. If you have enough visibility into what an adversary might do, their TTPs, will help built a much better overall security defense posture.

If by having a red team exercise we can learn where the entry points are, what the weak links are, where we can improve and where the system is lacking, we can address the problems better, and when the next attack happen, and it will happen, we can better be prepared for it. We can start seeing the signs and markers earlier, we can have better deceptions placed in the network, we can make it harder for the attackers.
If an attacker needs to spend three or more months trying to get through our defenses and deceptions, use several 0day exploits and really spend a lot of money and resources only to find out that all they are getting is encrypted data or false data, then it’s worth it. They’ll think twice before trying again. Even more so if you are assuming a proactive posture instead of the normal reactive one. Proactive defense or sometimes offense, can help deter a lot of the less focused adversaries. And those that still insist in attacking might need to change their plans due to your proactive approach. This can throw an attacker out of balance and provide more information to you and your security staff. An attacker might be forced to use tools or techniques he wasn’t thinking about using and, in doing so, he might be careless, providing crucial information to you. You begin to see their TTPs more clearly.

A friend in the US Navy SEALs always speaks of:

Surprise, speed and violence of action.

This can be applied here as well.

Red teams are a fantastic tool in the security world. The next few years will prove this point. We are at a crossroad and if we tackle the problem from an attacker’s perspective we can win.