Red team exercises are growing in popularity, with 4 in 5 organisations increasing their security investment to cover such activities. But what is a red team exercise, and should you perform one on your business?
The origins of the red team exercise
Red team exercises are rooted in tactical war games. Back in the 19th century, the German military would plan their attacks on a map, including how to account for unpredictable events like the weather, to give their men the best chance of success.
Today, red team exercises are more commonly associated with the battles fought in the digital sphere against threat actors. The objective is not to win or lose, but to simulate an attack so you can build resilience against real ones. The focus is on revealing vulnerabilities in your processes, people and technology, which gives you higher assurance about your security posture.
What do red team exercises involve?
The red team must step into the enemy’s shoes and think and act as a bad actor would. Unlike a penetration test, which assesses a specific application or system for exploitable flaws, a red team exercise targets the organisation as a whole: its broader IT infrastructure, its people and its ability to detect and respond. The focus is always on revealing vulnerabilities in your organisation’s security, not to play the blame game, but to learn how to strengthen the protection of your attack surface.
It’s common for a red team exercise to draw on the MITRE ATT&CK® Framework, a globally accessible knowledge base of adversary tactics and techniques, both to plan the attack and to report what was and was not detected. The exercise simulates an attack using real-world techniques and methods. These can range from stealing user credentials or delivering malware via a dropped USB key, to phishing emails and exploiting a web application through SQL injection.
Advantages of red team exercises
A red team exercise creates a low-risk training environment where your team is safe to make mistakes, provided the scope and rules of engagement are agreed before it starts. A bit like an experiment, the objective of a red team exercise is to test and learn: once you know where your weak points are, you can take action to strengthen and protect them, for example by reconfiguring existing security tools, automating manual processes and training employees. In strengthening your overall security posture, your business is better prepared to face the most sophisticated threats.
One of the most significant benefits of undertaking a red team exercise is that it goes beyond technology and tests your people and processes – this is particularly valuable when insider threats have increased by 47%. A red team exercise provides a rare opportunity for positive collaboration between the business, IT and security teams, who will all be responsible for restoring business-as-usual services in the event of a cyber incident.
Finally, testing your cyber incident response plan is considered best practice and is a requirement of many security certifications. A red team exercise is the most thorough and realistic way to perform such a test.
Considerations for a fruitful red team exercise
Typically, a red team exercise is focused on finding faults that lie deep within your business. Therefore, before undertaking an exercise, it’s essential to ensure the people chosen for the red team possess the right skills, including:
- Knowledge of computer systems and security techniques.
- Software development skills, to build custom tooling that evades security controls.
- Penetration testing, so the team can exploit weaknesses efficiently rather than wasting time on noisy techniques that are easily detected.
- Social engineering, to persuade others to share information or their credentials.
While it might feel scary to find the “skeletons in the closet”, it’s important to remember that every business has weaknesses, so a red team that finds nothing has probably not done its job properly. It’s better to find and address any flaws today than wait for a bad actor to take advantage of them tomorrow.
Rather than a simple pass/fail, set practical objectives, such as which techniques must be prevented, which must at least be detected, and how quickly, so the results help you prioritise remediation actions.
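One way to turn an exercise into prioritised remediation rather than a pass/fail verdict is to record every simulated action against its MITRE ATT&CK technique (as suggested earlier) together with whether it was prevented, whether it was detected, and how long detection took. The following is an added example, not code from the original article or from CyPro; the results it scores are a constructed sample, and the tactic names and technique IDs are taken from the public ATT&CK knowledge base.

```python
"""Score a red team exercise against MITRE ATT&CK instead of pass/fail.

Added example: the results below are constructed, not from a real engagement.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Action:
    technique_id: str            # ATT&CK technique ID, e.g. T1566.001
    tactic: str                  # ATT&CK tactic the action served
    description: str             # what the red team actually did
    prevented: bool              # a control blocked the action outright
    detected: bool               # the SOC raised an alert for it
    minutes_to_alert: Optional[int]  # None when never detected


# Constructed sample results from a hypothetical exercise.
SAMPLE_RESULTS: List[Action] = [
    Action("T1566.001", "Initial Access", "Spear-phishing attachment to finance", False, True, 45),
    Action("T1091", "Initial Access", "USB key dropped in the car park", True, True, 5),
    Action("T1078", "Defense Evasion", "Logon with phished credentials", False, False, None),
    Action("T1190", "Initial Access", "SQL injection in customer portal", False, False, None),
    Action("T1003.001", "Credential Access", "LSASS memory dump on workstation", True, True, 2),
    Action("T1021.001", "Lateral Movement", "RDP to file server with stolen creds", False, False, None),
]


def score_by_tactic(actions: List[Action]) -> Dict[str, Dict[str, int]]:
    """Count attempted / prevented / detected actions per ATT&CK tactic."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"attempted": 0, "prevented": 0, "detected": 0}
    )
    for a in actions:
        row = summary[a.tactic]
        row["attempted"] += 1
        row["prevented"] += int(a.prevented)
        row["detected"] += int(a.detected)
    return dict(summary)


def mean_minutes_to_alert(actions: List[Action]) -> Optional[float]:
    """Average time to alert over detected actions; None if nothing was detected."""
    times = [a.minutes_to_alert for a in actions if a.detected and a.minutes_to_alert is not None]
    return sum(times) / len(times) if times else None


def remediation_priority(actions: List[Action], slow_threshold_minutes: int = 30) -> List[str]:
    """Order technique IDs for remediation.

    Blind spots (neither prevented nor detected) come first, followed by
    actions that were detected but only after the threshold had passed.
    Prevented actions need no remediation and are left out.
    """
    blind_spots = [a.technique_id for a in actions if not a.prevented and not a.detected]
    slow = [
        a.technique_id
        for a in actions
        if a.detected and not a.prevented
        and a.minutes_to_alert is not None
        and a.minutes_to_alert > slow_threshold_minutes
    ]
    return blind_spots + slow


if __name__ == "__main__":
    for tactic, row in score_by_tactic(SAMPLE_RESULTS).items():
        print(f"{tactic:<18} attempted={row['attempted']} prevented={row['prevented']} detected={row['detected']}")
    print("mean minutes to alert:", mean_minutes_to_alert(SAMPLE_RESULTS))
    print("fix first:", remediation_priority(SAMPLE_RESULTS))
```

The per-tactic summary shows where coverage is thin (here, nothing in the later stages of the attack was seen at all), and the priority list gives the blue team a concrete order of work, which is far more useful after the exercise than a single pass/fail result.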
Remember: the test is purposefully designed to push your security to its limit, so beware of ‘off-the-shelf’ offerings. Every organisation is different, so no two red team exercises can ever be the same.
What is the cost and duration of a red team exercise?
Like a real-world attack, a red team exercise can take hours, days, weeks – even months.
More important is how frequently you perform the exercise, because the threat landscape continues to evolve and you need to keep pace with change.
In a recent survey of security-aware organisations, nearly a quarter (23%) performed a monthly red team exercise. Commit to frequent testing; it will boost your resilience against an attack and reduce the potential impact on your business.
Be prepared for the inevitable
Unfortunately, cyber attacks are a certainty. It doesn’t matter how many security controls and how much training you throw at your business, you will always have vulnerabilities open to being exploited.
However, our red team testing service can reduce the frequency and impact of cyber attacks within your business. In particular, a red team test carried out by a skilled team will identify critical vulnerabilities that can be subsequently remediated before a malicious third party exploits them.
CyPro’s highly-skilled security testers perform red team exercises for a wide range of organisations. Talk to us to find out how we can help you identify and remediate critical vulnerabilities within your infrastructure.