Data breaches are costly, affecting both your finances and reputation. To maximize your ability to resist data breaches, you need to make sure that an expert has looked at your systems in the same way an attacker would. In short, you need to conduct regular red teaming exercises.
What Is a Red Team Exercise?
Over the last few years, the term “Red Team” has become a buzzword in the information security community. The varied uses of the term within the industry can be confusing. Some organizations call their internal offensive security teams “Red Teams,” with responsibilities ranging from web application penetration testing to full-blown red-team operations. For the sake of this discussion, we will define a Red Team engagement using a common definition that appears outside of military contexts:
Red Teaming is a full-scope, goals-based adversarial simulation exercise that covers physical, electronic, and social attacks. This type of testing should not only test electronic attacks by targeting web applications and network infrastructure but should include social and physical attacks that test staff, their adherence to policies, and building security measures in place.
In a red team exercise, a group of cybersecurity pros plays the role of attacker to test the effectiveness of your security program.
Why Conduct a Red Team Exercise?
Red Team exercises can be used to hone detective and protective controls as well as a security staff’s response skills. Your internal security team is the Blue Team; in a simulated attack it is tasked with detecting and stopping the adversary emulation carried out by the Red Team.
The “Cost of a Data Breach report 2020” from IBM provides detailed quantitative data showing that businesses that conduct Red Team exercises have reduced costs when a data breach occurs. The following year’s report lays out an updated list of the root causes of data breaches—all of which can be tested for and improved as part of a Red Team engagement—and identifies core test cases covered in a Red Team assessment.
Data showing that IR testing, Red Team testing, and employee training reduce the cost of data breaches. Source: “Cost of a Data Breach report 2020” from IBM, page 42, figure 26.
Root causes of data breaches by threat vector. Source: “Cost of a Data Breach report 2020” from IBM, page 36, figure 21.
Focusing on maturing your prevention, detection, and response controls to protect against the most prevalent adversary tactic is an obviously wise decision. Red team exercises are a core element of increasing that maturity.
What Should a Red Team Exercise Provide?
At a minimum, make sure that the Red Team’s techniques are modeled on real-life threats to your industry. You are having the assessment to test your ability to prevent, detect, and respond to real-world attacks. And, in the end, you need the assessment to provide tangible data for speaking to executives about your ability to detect and eradicate a particular threat that concerns your business. You should know at which points in the attack chain your detective and preventive controls enable you to identify the threat, how long your team takes to eradicate the threat, and what blind spots need to be addressed going forward.
A well-executed Red Team engagement is about more than just an attack simulation. The report after the assessment should be actionable, and provide data and metrics that are designed to inform executive decision making about future security spend. Along with a complete list of findings and remediation advice, a Red Team report should contain the following metrics:
- A “heat map” of your organization’s detection and protection maturity, mapped to individual attacker tactics, techniques, and procedures (TTPs)
- An analysis of which tools your organization uses, which TTPs each tool should catch, and any identified execution or coverage gaps
- Mean Time to Detection
- Mean Time to Remediation
- The eradication success rate
These metrics can help you decide whether it’s best to buy new products, invest in fine-tuning the products that you already have to improve their performance, or invest in hiring or training for your team.
Am I Ready for Red Team Exercises?
In order to get the most value out of a Red Team exercise, your organization should meet a certain minimum level of maturity. You should have alerting, logging, and monitoring in place—either in-house or through an MSSP. You should have some idea of the TTPs that you should be able to detect in your environment. Vulnerability management and patching programs should also be in place. Full-scope Red Team engagements tend to be longer than traditional penetration testing engagements because of the different domains that are targeted, so budget may also be an important factor.
Let’s expand on this topic by using a boxing analogy. A Red Team exercise is intended to be a sort of sparring exercise between the Blue Team and the Red Team, whereas a live incident would be more like an actual fight. The purpose of sparring (Red Team exercises) is to practice and drill for the real event, to do so repeatedly and develop “muscle memory” so that dealing with a real threat becomes second nature. That said, when a novice walks into a gym and says they’d like to learn how to box, they don’t get thrown in the ring to spar with a champ on the first day. It’s important that they learn the basics first: conditioning and knowing how to punch, block, and move. A mastery of the basics is required to be successful in the ring, and Red Teaming is no different.
What Can I Do if I Don’t Think I’m Ready Yet, or if I Don’t Have the Budget for a Full-Scope Red Team Engagement?
A Red Team exercise is simply one type of adversarial simulation exercise, and it certainly isn’t the only thing you can do to improve your organization’s security posture. Any phase of a Red Team exercise can be broken out and conducted on its own.
Collaborative adversarial simulation exercises (sometimes referred to as Purple Team exercises) can fill many of these gaps. These exercises can be as simple as agreeing on a set of TTPs to be tested and having a team execute attack scenarios around each TTP as a unit test.
In these instances, Red Teams often work alongside Blue Teams and explain each attack, how it works, and what the implications are before execution. Notes about whether the Blue Team has detected or prevented the scenarios can be turned into a heat map that outlines the organization’s detection and protection maturity, mapped to a standard framework such as MITRE ATT&CK, to give a quick visual representation of the current state of the program.
These tests are highly repeatable, can be executed quickly, and can provide immediate feedback to improve an organization’s detection and protection posture.
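To show how the per-TTP unit tests described here feed both the ATT&CK-mapped heat map and the report metrics listed earlier (Mean Time to Detection, Mean Time to Remediation, eradication success rate), here is an added Python example that is not part of the original article. The exercise log, its timestamps and the exact metric definitions are constructed assumptions; the technique and tactic names are real MITRE ATT&CK identifiers used only as sample input.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

@dataclass
class Scenario:
    """One purple-team unit test: a single TTP executed against the Blue Team."""
    technique: str                  # ATT&CK technique ID (real ID, constructed record)
    tactic: str                     # ATT&CK tactic the technique served in this scenario
    executed: datetime              # when the Red Team ran the scenario
    prevented: bool                 # a control blocked it outright
    detected: Optional[datetime]    # first Blue Team alert/triage, None if never noticed
    eradicated: Optional[datetime]  # foothold removed, None if still present at exercise end

def coverage(s: Scenario) -> str:
    """Heat-map cell for one scenario: PREVENTED beats DETECTED beats MISSED."""
    if s.prevented:
        return "PREVENTED"
    return "DETECTED" if s.detected else "MISSED"

def heat_map(scenarios: List[Scenario]) -> Dict[str, Dict[str, str]]:
    """tactic -> technique -> coverage, the grid behind the maturity heat map."""
    grid: Dict[str, Dict[str, str]] = {}
    for s in scenarios:
        grid.setdefault(s.tactic, {})[s.technique] = coverage(s)
    return grid

def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def report_metrics(scenarios: List[Scenario]) -> Dict[str, float]:
    """Assumed definitions: MTTD = mean(detected - executed) over scenarios that got past
    prevention and were detected; MTTR = mean(eradicated - detected) over detected scenarios
    that were eradicated; success rate = eradicated / scenarios that got past prevention
    (a missed scenario counts as a failed eradication)."""
    landed = [s for s in scenarios if not s.prevented]
    detected = [s for s in landed if s.detected]
    eradicated = [s for s in detected if s.eradicated]
    return {
        "mttd_minutes": mean(_minutes(s.executed, s.detected) for s in detected) if detected else float("nan"),
        "mttr_minutes": mean(_minutes(s.detected, s.eradicated) for s in eradicated) if eradicated else float("nan"),
        "eradication_success_rate": len(eradicated) / len(landed) if landed else 0.0,
    }

def T(hhmm: str) -> datetime:  # constructed exercise day
    return datetime.fromisoformat(f"2024-01-15T{hhmm}:00")

EXERCISE = [  # constructed exercise log
    Scenario("T1566", "Initial Access",    T("09:00"), False, T("09:15"), T("10:30")),
    Scenario("T1059", "Execution",         T("09:20"), True,  None,       None),
    Scenario("T1003", "Credential Access", T("10:00"), False, T("10:45"), T("12:45")),
    Scenario("T1021", "Lateral Movement",  T("11:00"), False, None,       None),
]
```

Running `heat_map(EXERCISE)` and `report_metrics(EXERCISE)` on the constructed log gives one MISSED cell under Lateral Movement, an MTTD of 30 minutes, an MTTR of 97.5 minutes and an eradication success rate of 2/3, the kind of numbers the report section above says executives should see.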
Similarly, if you have concerns about having a team attempt to break into your facilities, you can scope a physical assessment that instead consists of a walk-through and evaluation of the physical security controls and policies that are in place.
If your intention is to baseline your exposure to help focus future efforts, an external and/or internal network penetration test will give you an asset inventory and actionable steps that will immediately decrease your areas of highest risk.
The key is that you should never feel forced to choose a full-scope Red Team engagement just because it maps neatly to a specific offering from your vendor. Your vendors should adapt and work with you to provide value to your organization that fits with both your current security program’s maturity and your budget.