Ljupco Smokovski - Fotolia

UK leading in using red team cyber security testing

Red teaming is set to become a key approach to ensuring cyber security controls and processes are fit for purpose and compliant with regulations, and the UK is leading the way

In the face of increasing data protection regulations and cyber security threats, red team testing is an essential tool to find out just how susceptible organisations are to cyber attack.

This is the view of risk management and red teaming expert Justin Clarke-Salt, managing director and co-founder of Gotham Digital Science, a Stroz Friedberg company.

The concept of an adversarial team, or red team, defensive team, or blue team, has been common in the energy sector among others that operate in hostile environments for decades.

As cyber attacks make cyber space an increasingly hostile environment for all organisations that rely on the internet, red teaming is likely to become a common element of cyber defence efforts.

In 2015, the UK finance industry launched the CBest threat intelligence-led cyber resilience testing framework, which embodies the red teaming approach.

CBest is designed to find out how susceptible the big operators in the UK financial services sector are to highly advanced attackers like national state attackers, national state sponsored attackers and organised crime attackers.

Typically the cyber resilience of an organisation is tested by running simulated cyber attacks using various threat intelligence-based scenarios, and often without warning the participants.

Read more about red teaming

Since 2015, regulators in the financial hubs of Hong Kong, Singapore, Europe and the US have looked at this with a lot of interest.

“Regulators are asking critical organisations to prove they have the appropriate controls in place, and it is not just in the financial sector, where CBest is already up and running,” he told Computer Weekly.

Similar approaches are in development for telecoms, nuclear and even for space in the UK. “So it is being looked at by various regulators,” he said.

This increased pressure from regulators worldwide will push in-house red teaming capabilities to accelerate in 2017, according to the Stroz Friedberg Cybersecurity Predictions report.

Simulating cyber attacker tactics

The value in red teaming is that it launches simulated attacks using the same tactics, techniques and procedures used by real-world cyber attackers to see how resilient organisations really are.

“In penetration testing, you usually have a specific scope of what you are testing and you don’t go outside of it. But in red teaming we usually flip that on its head, and everything is in scope except for anything specifically out of scope, so it is potentially all-encompassing.

“This particular type of testing is the only way of seeing how likely it is that somebody could get in, which more traditional pen testing does not really test. Red teaming is testing an entire organisation’s attack surface and far more realistic in terms of how someone would go about attacking an organisation, mimicking what real attackers do,” said Clarke-Salt.

Red teaming not only tests an organisation’s ability to keep attackers out, but also how well it detects an intrusion and responds to it. It also tests an organisation’s ability to deal with blended attacks that combine several low-level attacks or low-risk issues to undermine and bypass defences.

“This approach is not just testing security around a thing, but also the wider security processes, security controls, intrusion detection capabilities and incident response.

“It does not replace penetration testing, but enables organisations to see their response team’s ability to determine what is going on and respond to it, testing those things that are more process and people-based rather than technology-based.”

Processes break down under pressure

Organisations commonly discover that processes do not work as well as expected under pressure situations, that incident response plans are not easily accessible, that responsibilities are not clearly understood, that communication processes are flawed, and that insufficient contingencies have been made to deal with the absence of key staff.

“Incident response plans are very similar to business continuity plans – really don’t know how it is going to shake out until somebody goes and flips the big red button,” said Clarke-Salt.

Simulated attacks are also often accompanied by table-top exercises designed to help organisations assess whether in the event of a cyber attack they have adequate processes in place to deal with public relations, the media, customer enquiries, forensics, and regulatory reporting.

Although the UK is leading the regulatory agenda in the financial sector and other regulated industries, Clarke-Salt said the EU’s General Data Protection Regulation (GDPR) is likely to drive the adoption of the red teaming approach to testing cyber resiliency across all industry sectors.

“GDPR will have a lot of organisations asking themselves – especially at the board level – how susceptible they are to being breached; especially in light of the regulation’s requirements to report breaches quickly.

“And red teaming is one of the ways organisations can test how well they are able to detect, contain and respond to cyber attacks to prevent data from falling into the hands of the attackers,” he said.

In-house red team capability scarce

While red teaming is an effective way of testing cyber resilience, Clarke-Salt said it is resource intensive and not even many large organisations currently have a true red team capability in-house.

“Some of them do, but most have what I would term mature penetration testing or a more compliance-focused security testing capability in house,” he said.

While an internal red team is ideal because testing can be done on a continual basis to test a wider range of attack scenarios, Clarke-Salt said an internal red team is “quite a challenging thing to build and operate”.

The biggest challenge is acquiring and retaining people with enough skill, even for the largest and most well-resourced organisations.

Red teaming requires a higher level of skill than pen testing because there is the risk of it knocking over production systems and causing downtime.

“We are usually not doing these in test environments, but in live environments that require sufficiently experienced people to ensure all the necessary risk management stuff is in place,” said Clarke-Salt.

“We have been building our capability in this for some years now so we are ahead of many of our competitors, but it is still a very small pool of skilled people in the UK.

“It is going to be challenging to upskill people to be able to do this, especially in countries where red teaming to test cyber resilience is just starting to emerge,” he said.

Buyer organisations must be informed

As demand for these types of specialised security services increases, buyer organisations will need to be informed about the skills and expertise a genuine provider should be equipped to offer, according to the Stroz Friedberg 2017 Cybersecurity Predictions report.

“They will need to be discerning as some providers attempt to market standard security assessments as red teaming products.

“The most valuable external providers will be able to offer outsourced red teaming services, and also share their expertise in setting up and supporting internal capabilities,” said the report.

In 2017, the report predicts that regulatory pressure on financial institutions to conduct red teaming will spark an uptick in the number of organisations across sectors establishing programs and bringing these capabilities in-house.

To meet the demand for these skills, the report predicts there will be a concerted effort to build new marketplace strategies and education programmes to strengthen the talent pool.

“Companies will face pressure to retain talent as forward-thinking competitors will be aggressively seeking out security professionals with this skillset,” said the report.

Working with external providers

A key recommendation in the report is that organisations work with external providers on designing and implementing red teaming programmes and bringing them in-house.

While developing an internal team or even hiring an external one may be too expensive for smaller organisations, Clake-Salt said there are still affordable ways to use the red teaming approach.

Smaller organisations, for example, could simulate phishing attacks on employees and build the findings into tailored cyber awareness programmes.

They can also make sure they have appropriate web filtering and email filtering controls in place, but then also do some concrete testing of how effective they are.

User awareness training is valuable to organisations of all sizes. “Although you would hopefully have the situation where your technical controls are effective, at the end of the day you last line of defence is your staff,” said Clake-Salt.

“And if they have been appropriately trained to report security incidents internally – at which point your security team or external supplier can investigate whether someone is attacking – you are then at least aware of it and can respond to it.”

Read more on Data breach incident management and recovery