Why Red Teaming?
Why we believe in Red Teaming
Modern organizations are too complex to truly consider themselves “secure”. Breaches can and will occur; it’s a matter of when, not if. In fact, it is more likely that an organization has already been compromised but just hasn’t discovered it yet. It is critical to assume this is true, and preparing for it will greatly enhance your chances of continuing business when a breach happens. One of the best things an organization can do to be better prepared for the impact of current and future threats is to simulate real-world attacks, bringing to bear the tactics, techniques and procedures (TTPs) that a determined and persistent adversary uses during breaches. The information gained from Red Teaming and live site assessment exercises helps to significantly strengthen defenses: pointing out what works and what doesn’t, exposing holes in plans, improving response strategies, training defenders, and driving greater effectiveness of the entire security program.
Start with the assumption that you have been breached!
In the current world, a prevention-only program is not enough to address determined and persistent adversaries. You have to be proactive and address the what, where and how.
Red Teaming also plays a big role when planning your business continuity strategy. Traditional security methodologies have largely focused on prevention. Prevention is a defensive strategy that, while a vital part of any good security program, doesn’t address post-breach or emergency planning. Red Teaming can steer decision makers in the right direction, helping the teams create preventive plans, as well as TTPs to be used during an incident and immediately post-incident.
The ever-changing perimeter
With the evolution of networking and the adoption of the cloud paradigm, the boundaries or perimeter of the organization can no longer be defined by a network perimeter managed physically or virtually through firewalls and network devices. Corporate data, including sensitive data and source code, can be found spread everywhere: on-prem, in datacenters (co-located or fully owned), in the cloud, with partners, with vendors and service providers, and on a variety of user devices. All of these require different security strategies that most companies haven’t even begun to address. This is why factoring Red Teaming into a security program helps examine all the different corners of the organization, allowing decision makers to address issues that were unknown until then. The role of a Red Team is to attack and penetrate environments using the same steps and TTPs as an adversary, often creating new attack methodologies made specifically for the organization. Red Teaming verifies that protection, detection and response mechanisms are implemented properly.
The “social” aspects
Last but not least, there is one very important aspect that security plans often overlook: people and social media / the internet. A capable adversary will often begin reconnaissance of a target by looking at the employees and service providers of an organization. There is a lot to learn from what people post on social media sites and the pictures they share (often taken inside the office and other locations of interest). A good security plan should account for this, but this last bit is often neglected. Red Teaming looks at this as well. A good Red Team spends time learning the target, combing the internet for any publicly available piece of data. Most of the time, the people supply all this information for free. Open for the taking. Don’t forget the people. Act, don’t react. Actively looking at the threat footprint of an organization is one of the first steps towards making the organization more secure and resilient to attacks. Look at the people.
An overall look
At the end of a Red Team assessment, a very thorough report and review is presented to all interested parties. This report describes every failure and success, the response by the defenders, and the things that need to be addressed immediately, from controls to planning to better TTPs. Lessons learned is the name of the game. A Red Team engagement will provide solutions and enhance decision making. Organizations that are open to this and make Red Teaming part of their security strategy will remain the top players, even if a breach occurs.
When in doubt, Red Team it.