As cyber threats continue to evolve, more organizations are turning to Red Teaming to pressure-test their defenses in realistic, adversary-simulated scenarios. But red teaming is not for every organization, or for every stage of a security program. Before engaging in a full-scope exercise, it’s important to assess whether your program, people and processes are truly ready. In a previous column, we outlined the process and path an organization should take to build and advance a mature offensive security program. That column looked at internal organizational dynamics, processes and established activities, and the indicators that demonstrate readiness to evaluate a move to the next program level. The final stage of advancement is full adversarial emulation, which includes approaches such as Red and Purple Teaming. This article picks up where the last left off to examine how to optimally engage a Red Team once you’re ready to take your organization’s program to that next level.
Red teaming is a discipline focused on testing assumptions, processes and human decision-making across the organization through the lens of realistic adversarial behavior. A Red Team engagement requires a significant commitment of time, money and resources. The technical aspects matter, but the partnership you establish with your Red Team provider matters just as much. Like any relationship, openness, transparency and honesty are critical to making sure you’re ready to get serious and to establish long-term success. Without proper strategic alignment and planning, Red Team engagements can erode trust and fail to produce adequate value.
Signs Your Org is Red Team Ready
To start, it bears revisiting the previous column’s message: to find true, actionable success with a Red Team engagement, you need an established, grown-up security culture and a mature organizational outlook.
You first need to demonstrate accountability, responsibility and commitment. In the previous column, this was represented by:
A strong culture that prioritizes and enforces security and risk-management
An established, programmatic approach to identifying and addressing flaws in assets and infrastructure, and a readiness to respond should a flaw be exploited
A discipline that drives ongoing communication and improvement
The final step is to assess your organization’s “emotional intelligence.” Checking procedural boxes is one thing, but what have you learned about yourself, and how can you apply it to this next endeavor? Advancement often takes more steps and more time as you reach higher levels, and this is certainly true of optimizing a Red Team engagement. You should have a history to draw on, in this case multiple tests and assessments conducted over a number of years. That history, with its successes and failures, is what will enable you to know and ask the right questions of your new partner, the questions most pertinent to your organization.
Start with common goals
While every partnership encounters differences in opinion and preference, the strongest ones are formed by being up front about, and in agreement on, the goals you want to achieve together.
This first step is critical to understand, because while the goal of the exercise will be singular, the objectives and activities that lead to that goal will likely be numerous and widely varied. The two areas of focus in goal setting are the overall result you’re seeking at the end of the engagement, and the preferred scenarios that get you there.
An overall engagement goal might be to test the efficacy of your enterprise defenses as a whole and their ability to withstand all manner of attack. The goal could also be to establish a “ground truth” about your business resiliency or the integrity of your technology.
The next step is to define what you want to learn in pursuit of those goals. Here you’ll work with your partner to identify the attack objectives, or the scenarios that will play out in pursuit of the goal. Are you concerned about a specific threat actor or type of attack? Is your primary concern a single trophy asset or a group of them? Are you worried most about internal systems, or external ones?
These goals and objectives are the foundation of your Red Team engagement, and it is beneficial to be as clear and focused as possible in choosing them. It’s also important not to paint yourself into a corner. Malicious attackers are flexible and adaptable, so in pursuing your stated goals you must be ready to adapt objectives as new findings emerge during the engagement.
Shared paths and experiences
Compromise and common ground are critical to maintaining a healthy and productive engagement. For this, a carefully crafted and detailed Red Team scope and rules of engagement are essential to keep things on track and, quite literally, keep the peace. Real attackers do not constrain themselves this way, but for your engagement this step could not be more important: it ensures that you and your testing partner “do no harm.”
Because red teaming challenges assumptions and tests not just technical systems but also people and process, a carefully crafted scope keeps the engagement focused on the areas that matter to the organization while minimizing the chance of unintended collateral damage. Misaligned testing rules can cause real and impactful business disruption, and overly aggressive or insensitive social engineering tests can damage morale and trust in leadership. A comprehensive scope should therefore include:
Timeframes – What are the windows of testing (i.e. inside or outside of business hours) and the duration of the overall engagement?
Milestones – How long should tests continue before sufficient evidence is deemed collected, and what are the thresholds for advancement through key stages?
Attack surface – Will the test involve social engineering, physical intrusion and/or technical incursion? Will certain people, areas or assets be excluded? Is it an end-to-end attack, or an “assumed breach” model in which initial access is granted to the testers?
De-Escalation – If testing prompts an organizational reaction or response, what are the triggers for detection and deconfliction, and who is authorized to pause or halt the test?
Communication – How often, and by what channels, will testers communicate with the primary stakeholders?
Pick the right Partner
Lastly, some threats to a relationship are not fiery conflicts but the subtler risks of complacency, secrecy or overcompensation. To avoid these, recognize that this is a team effort and that you need the full team behind you to accurately assess the strength of what you have. At the same time, you need to carefully determine which team members should be involved, and what role each will play in scoping and/or responding.
The first decision is who is read into the engagement and who is not. For example, certain levels of management may be kept in the dark to truly test adherence to, and performance of, escalation processes. You may also keep technical leadership out of the loop to assess responsiveness to a genuinely blind event.
The second is to define the roles of secondary team members. Will they be bystanders, or active participants in updates, decision-making and deconfliction? Deciding this lets you focus on the performance of key stakeholders or, conversely, on the depth of your “bench” that may have to compensate for departures.
Finally, make sure you don’t have too many voices and perspectives in the room, which can distract from the focus and undermine the efficacy of the test. Be selective about who is involved in real-time communications throughout the engagement to avoid noise and distraction.