By Zac Amos, Features Editor, ReHack
In cybersecurity, a red team exercise is a unique way to ensure businesses can respond to cyberattacks appropriately. While it’s generally beneficial, taking extra steps can ensure they get the best results.
What Is a Red Team Exercise?
Red-teaming is the practice of using ethical hackers to intentionally attack an organization’s own systems and software. The purpose is to see how the company’s cybersecurity team (the blue team) would react to a real-world security threat. While it’s similar to a penetration test, no employee has advance notice, the targets are not fixed in advance and the “attackers” test all systems simultaneously.
The red team uses various tools to mimic an attacker’s movements, including system reconnaissance, vulnerability exploitation and data exfiltration. The process provides an organization with a lifelike simulation that accurately identifies its areas of risk. How can businesses get the most out of their red team exercise?
- Explain Limitations
Businesses should carefully communicate any limitations with the red team before moving forward. Even though they aim to mimic a real-life cyberattack, it’s OK to tell them certain areas are off-limits. Even if they don’t test some things, the best results are still achievable.
The process could result in file corruption or system downtime if the red team isn’t careful, which is why having an in-depth conversation beforehand is so important. Everyone needs to clearly and thoroughly discuss which actions are acceptable. Doing so can help prevent critical errors or data leaks.
- Identify Goals
The entire red team process is only genuinely useful with proper goal identification. While generally improving security is a good starting point, it’s better to be specific. Industry type, hardware and software can all help inform those goals.
Cybersecurity professionals should also consider which security threats are relevant because cybercriminals constantly adapt their approaches. In fact, organizations experienced a 35% increase in the proportion of cyberattack methods and malware types during the pandemic.
Businesses must recognize their security needs and determine how red-teaming can align with them. For example, they could decide to focus on how easily an attacker can access and exfiltrate files. It can help them define their next steps once the process is over.
- Treat the Process as Training
Even though the red team exercise may seem like a test, businesses should treat it as training. Instead of considering it a pass-or-fail situation, they should view it as a series of learning opportunities. Every internal and external party aware of the process should record successes and failures to identify potential areas of improvement.
Thorough documentation ensures it translates into something actionable. For example, recognizing unusual network activity may take the blue team longer than their employers initially anticipated. Instead of facing punishment, they should learn how to improve. It can help them appreciate the situation and get something valuable out of it.
- Cover All Attack Surfaces
The red team must have comprehensive knowledge of every attack surface to perform its duties adequately. While a business may only want to consider its most sensitive hardware, cybercriminals can get in through anything. For instance, testing old servers or storage systems is just as essential.
Threat actors constantly look for better ways to gain access. Although critical systems may have thorough protection, attackers can still get in by taking advantage of forgotten hardware. Red-teaming is only genuinely successful when it encompasses every possible attack surface.
- Keep the Exercise Secret
Although the blue team’s aim is to defend the business against the red team, they shouldn’t be aware of the exercise’s existence. The entire point is to simulate a real cyberattack, so they should not know it’s coming.
An organization can get more accurate and valuable information about its threat detection and incident response when it keeps the process a secret. Cybersecurity teams that assume any unusual activity is a legitimate concern will respond much more realistically than during a regular penetration test.
- Recognize the Legal Obligations
Although red-teaming is supposed to simulate an actual cyberattack, certain actions should still be off-limits. Most organizations have a legal duty to protect their customers’ details, so they must ensure the team’s efforts comply with applicable laws and regulations.
For example, the Payment Card Industry Data Security Standard (PCI DSS) dictates that organizations must protect customers’ financial information or face regulatory action. Other acts cover health records or personally identifiable information. Their relevance depends on the company’s location.
Organizations that allow data security testing must ensure sensitive data remains encrypted throughout the process. Alternatively, they could instruct red teams to act only in compliance with regulations. Recognizing legal obligations can protect a company’s reputation.
- Stay Within Policy
A comprehensive red team exercise typically addresses all attack vectors. However, some things may be off-limits. For example, a cloud storage service provider may have specific rules regarding penetration testing. Organizations must inform their vendors of the process or ensure the red team stays within those policies. It can help them protect their business relationships.
- Protect Valuable Assets
Creating an asset list is crucial before a red team exercise begins. Businesses take inventory of everything to recognize where they should focus. It can also help them identify potential areas of concern. The process can come with risks, such as data corruption, so they should take relevant preventive measures.
Although red-teaming only mimics a cyberattack, it can still lead to adverse outcomes. An organization should identify the hardware, software, intellectual property and sensitive information the red team will interact with. It should then create backups of everything.
Get the Best Results
While the red team process is generally smooth and secure, organizations should consider their obligations and goals to ensure they get the best results. The exercise can be incredibly beneficial if they take additional steps beforehand.
About the Author
Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.