Joaquim Espinhara from Tesserent explains why organisations should employ ‘red teaming’ strategies to improve their responses to cyber attacks.
The Australian government is exploring options to hold company directors liable for cyber attacks. Boards, directors, and CEOs need to improve their cyber security defences, continually seek to increase resilience and implement a process to detect and stop threats.
One of the most powerful tools available is red teaming: the engagement of a third party to probe the organisation, simulating a bad actor and executing a cyber attack, in order to measure the organisation’s readiness to deal with cyber attacks.
Red teams employ a broad array of tactics, including using tools to overcome both physical and logical security, in an attempt to overcome an organisation’s security controls. Red teaming is the best way to evaluate the effectiveness of your protective services, after you have implemented all your security controls. Red teams provide crucial feedback to the board, CEO and directors.
Who should engage the red team?
Senior leaders should initiate red teaming with the goal to test and measure the security controls that are in place. This covers both physical and logical controls. This is critical as physical controls such as security cameras and door locks often have a logical component. An open door can render even the strongest logical security controls ineffective.
Often, the engagement with a red team is a closely held secret. The goal is to test your organisation’s security capability. Warning your defensive party, or blue team, of an impending attack can produce an exercise result that masks potential weaknesses. If the blue team knows that the goal is to use a stolen user credential to gain access to the finance server, then they might increase monitoring on relevant logs or put some temporary measures in place to ‘pass’ the test. This is why the engagement of a red team is usually done without the knowledge of the cyber security or IT team.
What does the red team do?
In an end-to-end red teaming exercise, the ‘attackers’ start with very little information about how to break into an organisation. They might start the exercise with a spear-phishing campaign that tries to dupe someone into giving them access or handing over some user credentials – this might be tailored to replicate the actions of a known actor typical to a specific industry.
Digital access is most often the main game, as many threat actors are based overseas. However, they might employ some physical security tactics and use disguises to enter a premises to gain access. For example, they might dress as a courier or technician to bypass security. Once inside, the ‘intruder’ might directly access an unattended computer or simply look over someone’s shoulder as they log into a system. This is why physical security is just as critical as logical security.
In other instances, the ‘victim’ may provide some information as they want the red team to test them against a specific type of attack. A professional red team will agree on the scope of the attack before commencing, in order to ensure the exercise delivers the right value to the client, and to ensure that industry-specific compliance and rules are not broken.
Setting the scope
It is important to establish the terms of engagement for a red teaming exercise. Just as military organisations set rules for war games, the same applies to a red teaming exercise.
A red teaming exercise against a bank might be designed to mimic a specific type of attack. But the exercise might stop short of actually accessing or exfiltrating data as that could put the bank in breach of regulations and require a report to a regulator. While red teams may employ physical tactics such as surveillance or tailgating staff through doors, they stop short of breaking laws.
The goal of red teaming is to find potential weaknesses before an adversary does and to improve the controls that are in place to keep the business, its customers and wider community safe. It shouldn’t be used to shame security and technology teams. The goal is to evaluate the effectiveness of the security controls that are in place so that they can be refined and adjusted, and provide essential insights for senior leaders, the board and CEO about their organisation’s cyber defences.
In some cases, once appropriate security controls are in place, red teams can engage directly with blue teams. Dubbed purple teaming, this approach has the red team execute their attack and explain to the blue team what they are doing, to help them hone and improve their defensive technologies, processes and methods.
Red teaming requires investment
Some red teaming exercises take many weeks to execute. For example, a phishing campaign designed to trick someone into revealing confidential information, or fool them into allowing unauthorised access to a system, may take days or weeks to execute. And then, once a weakness is exposed, the red team may wait some time before executing the first steps of their attack in order to escape detection.
This requires a strong level of commitment from the company opening themselves up to the exercise. It also requires trust as the organisation hiring the red team is trusting them not to go too far. This is why spending time at the start of the engagement is critical. It is important to understand what limits there are and whether there are any areas that should be avoided in order to ensure regulatory compliance is not compromised.
Red teaming is a powerful tool for boards, company directors and CEOs to test the cyber security controls they have in place, to implement processes to detect and stop threats and to strengthen the security posture.