Security is hard. The security world is full of things that are hard to control. Attacks can occur at any time and place, most of the time in places not of our choosing, and when the time is worst. These attacks usually involve adversaries of unknown size and capabilities, making it harder to have a fixed and solid plan to deal with them. These adversaries, during an active attack, can and will pivot from their initial point of entry or discovery, usually having more than one point of persistence.
Security is hard.
Though there are things that fall under our control, such as the ability to have multiple teams monitoring and engaging (hopefully) these attackers, the reality is that unless you have been put through the ringer of an active incident, or a breach, you don't know what will work and what will fall flat on its ass.
Yes, the adversary usually has the upper hand.
How, then, do we solve this problem? We Red Team it. We inject stress, we do the unexpected, we bring the adversary to you.
Red Teaming is the simulation and emulation of your adversaries, both in their tactics and way of thinking.
By performing Red Teaming exercises, you can begin to stress test your program, your procedures, your standards. From policies to the security teams, a good Red Team can bring stress inoculation to your organization. But, this is not all. Red Teaming engagements will certainly help, but you need to go deeper and change your mindset and culture. Change how you see and approach security, and respond to problems. You have to begin to think like the adversary you are tying to defend against. They don't play by any rules and they don't follow your procedures.
Only when you can apply the adversarial mindset to everything, you will be able to go beyond the known and into the realm of the "what if". By applying the bad-guy-mindset to policies, plans, the teams SOP (standard operating procedures), and educating your people, you can build resiliency, be proactive (and not only reactive), and put in place plans that can adapt to different situations and attackers. You can be both proactive and reactive, giving yourself the best chance to win.
We can help. Start with your organization's top leaders, let us have a two hour conversation with you, and let us set you in the path towards a more robust way of doing security.
note: originally posted on ACG.