Red teaming is an essential activity in any security program, but it only provides value if done right.
Red teams put an organization’s security controls, policies, response and training to the test using the tactics, techniques and procedures (TTPs) of real-world adversaries. It differs from penetration testing as it aims to achieve a specific goal or target. For example, a red teaming operation may target intellectual property, infiltrate a critical business process, or exfiltrate sensitive data from a particular application. However, the real value lies in better understanding critical business processes and the level of effort and sophistication required by an attack to exploit those processes to achieve the desired outcome.
The best red teams have the tools, training and mindset to simulate a variety of real-world attacks that their organization may face. If you do not have the right mindset, people, tools and reporting in place, it’s likely your organization is missing out on the full value of a red team.
To ensure you are optimizing your red team operations, here are four questions to ask.
Does the C-suite leadership understand the importance of offensive security?
From my experience, it is easier to justify an investment in a defensive tool to the leadership team than it is to justify offensive investments. Defensive security often supports compliance requirements from auditors or are a part of a best practice framework.
It is imperative to remember that you are not defending against an auditor or a checklist. You are defending against a living, breathing, intelligent adversary that knows how to stealthily penetrate and pivot through a network undetected. According to a recent Exabeam survey, 68% of organizations surveyed agree that red team exercises have proved more effective than blue teams. In other words, the majority found more value in an offensive security activity versus a defensive activity.
Notorious football coach Vince Lombardi once said, “Practice does not make perfect. Only perfect practice makes perfect.” Offensive testing must reflect the types of real-world threats your organization faces each day. If not, how can you expect to detect those attacks when they actually occur?
Have you hired the right people?
When building a red team, look for people that want to have an intimate knowledge of how things work. At the core, this is what drives hackers. Curiosity is not a technical skill, but a skill that will take your red teams to the next level.
Another skill successful red teamers have is the ability to communicate and work well with others. They should be willing to collaborate with IT teams, the SOC, and blue teams to resolve significant detection gaps to further mature the security program. It is not a “we win, you lose” mentality, it’s a “we win together” mentality. There is no room for ego in cybersecurity.
Are you equipped with the most sophisticated red team tools?
Think of a chef. A successful chef does not use a single knife to prepare all menu items. A chef has multiple knives with various purposes. Paring knives are used for intricate work and greater control. Carving knives are used to separate meat from bone.
It’s the same idea with red teaming. Successful red teams require a suite of tools that cover a variety of defensive evasion techniques, such as leveraging syscalls (system calls) for more stealthy code injection, in-memory payload obfuscation, and logging bypasses (AMSI, ETW, PowerShell, etc.). A red team that relies on a single tool for all operations is like a chef that uses a butcher knife to cut a slice of bread.
When evaluating which tools to invest in, key questions to ask include:
- Does it have exceptional out-of-the-box OpSec capabilities?
- How often is it updated to address the latest attacker TTPs?
- Does the tool enable my red team to better simulate a sophisticated attacker?
Can you effectively translate technical findings to explain business impact?
For a red team to be successful, teams need to be able to translate the technical impact to the business impact. If you can’t, then all you’re doing is hacking.
The goal of a red team is to increase the defensive maturity and capability of an organization. To do this, business context is necessary. The results of a red team must describe how each technical finding or vulnerability can impact business operations.
Red teams need to be empowered by the business to detect and understand the threats the organization faces. If the business doesn't support the red team in this capacity, then the red team will not provide much value.
Once red teams are empowered to provide the level of sophistication required for an operation, they then need to translate the technical impact back into business logic and language. The report stemming from a red team should show how the business can make the necessary adjustments to mature their program and ensure that they are better equipped and enabled to take on the threats that the red team is simulating.
Like any successful relationship, it is a two-way street. Security leaders that invest in people, tools and methodology will reap the invaluable benefits of a red team in return: a mature security program and peace of mind that your detective security controls are working as they are intended to.