Your organization may have invested significant time and resources in cybersecurity. However, no matter how much you have prepared, you might still wonder how your network would hold up against a real attack from actual threat actors.
That’s why many companies hire consultants to perform red team tests on their systems and applications. These are engagements where a “red team” of experts attempts to attack the client’s assets without being detected and then exploit that system, using a wide array of tactics. That can include digital infiltration, social engineering, or evading the client’s physical security to gain digital access.
The test is designed to simulate a real-world attack as closely as possible. The company’s IT staff — aka the “blue team” — is typically not warned that an attack is coming, so company leadership can see how they perform in almost real-world conditions.
“They can learn quite a bit,” said Victor Teissler, Director of Offensive Security for Digital Silence, a world-class cybersecurity firm. “What a red team engagement gives you is more visibility into the efficacy of your monitoring and detection controls.”
While red team tests are a powerful test of preparedness, they may not make sense for every company. Teissler outlined a few indicators that an organization is ready for this type of assessment.
Lay the groundwork first.
A red team engagement is one of the most sophisticated tests of an organization’s cybersecurity. Before starting one, it’s better to implement other, more foundational measures first.
“If we’re talking to a company that has never, never really focused on security,” Teissler said, “they’ve never had a patching policy or any system hardening, or any separation of duties or network segmentation, they wouldn’t benefit so much from a report that’s just a sea of vulnerabilities that stem from this lack of organizational controls.”
Instead, companies should first conduct an annual security review of their systems and develop specific recommendations for shoring up defenses and eliminating potential threats.
After establishing a baseline of security, companies should try penetration tests, where a contractor tries to find flaws in the company’s security and identify the data and other assets at risk. Once an organization completes penetration testing a few times a year with little to no findings, it’s usually mature enough to benefit from the insights a red team test can provide.
The cost of compromised data is too high.
The decision to perform red team testing also depends on an organization’s risk tolerance, which can vary by industry.
Generally speaking, the bigger the potential risk, the greater the need for red team testing.
For example, a company in the finance or healthcare sector — which may be responsible for collecting and holding sensitive customer information — might elect to run multiple tests each year.
Red team engagements are also popular among media and entertainment companies because they want to protect their unreleased material from being stolen and leaked or because they need to ensure high security for on-site performers.
Meanwhile, a marketing agency with little or no sensitive data could get by with a less aggressive test because, if there were a breach, “the reputational risk would be much lower, and therefore it’s not going to shut their doors,” said JT Gaietto, principal and CSO at Digital Silence.
Make sure you have the right consultants.
When hiring a firm to conduct red team testing, organizations should remember the following things.
For starters, senior staffers must be integral to conducting the test. They shouldn’t just oversee a team of junior and midlevel testers. Experience is key: a focused threat actor would have well-trained individuals who are good at what they do and know how to use their tools.
Communication should also be a vital part of the experience offered by the firm. If the testers uncover a critical vulnerability, they should alert the client and explain how it can be fixed.
“We will deliver a flash report, something that just brings it to their attention in advance of the full report that we’re still delivering at the end of the engagement,” Teissler said. This is important because the goal is to ensure a threat actor isn’t already leveraging the same vulnerability.
Some security firms — including Digital Silence — will offer purple team testing, which we call Heliotrope. Those engagements start as red team engagements as the consultants do their best to infiltrate the client’s network without being caught. But once caught, the consultants will start communicating with the client’s staff to conduct a more in-depth test faster.
“We’ll do that first, and then we’ll transition it to kind of a classical (penetration) test where it’s loud and kind of more collaborative,” Teissler said. “So, you get the best of both worlds.”
Ideally, the testers should also embrace a learning mindset. A red team test sharpens the invaders just as much as it does the defenders.
“What I like is hearing how we get caught, so we can continue to improve our techniques to really tailor our testing to the sorts of technologies that the customer has,” said Teissler.