Ongoing Process

This was sent by OSCAR. He is a retired Army MP now working as a Security Director for a large corporation. He runs their Blue and Red Teams, as well their CERT.

One of the first things I did when I was told we were hiring you to redteam us, was to create a red team of our own and embed it with you. The idea, as you know, was that we wanted to have a team of that could continuously red team the company, from simple and random social engineering attacks, to more complex, all-in penetration attempts. It took me a while to convince my boss, the CISO, but we did it. On that first engagement with you, the small red team we put together learned a lot. This is what we did a few months after you guys tested us.

Like I mentioned, we wanted to have our red team engage us constantly, testing not only the current security plans/measures but also see the reactions of the blue team and our group of capable CERT.
During the mid-year company assessment, where we review earnings, product stock, new customer needs and other things, I asked the red team to begin analyzing how we handle the customer support. This is a crucial part of the public face of our company and we wanted to be sure that no "bad guy" could hit us there. The team spent several days going over the different procedures: things like how to authenticate an actual customer, or what information can be disclosed over the phone and what's off limits. They reviewed every little procedure and they learned to be customer support representatives. And then it began.

Over the period of 4 months, and at random intervals, the team would pretend to be an old or new customer. Their target was to extract personal information about "themselves" from the customer support representative. They played all the weaknesses they found on the procedures and, without going into details, they successfully extrated personal information about our customers in over 75% of the tests. it was magnificent to see this!

Needless to say, these on-going tests, still being performed today, helped us pinpoint the weaknesses in our procedures and we had now fixed them.