Security Think Tank: A real world approach to security testing

How can organisations use red teaming to identify security gaps?

Many organisations still approach cyber security as a due diligence checklist. That is becoming harder to sustain as they become increasingly distributed, relying on third-party services and multiple suppliers with a wide variety of technologies.

Instead, an organisation’s security approach should be based on real-world threats, rather than the ability to pass an audit.

Going beyond those responsible for risk, audit and information security, cyber security is increasingly becoming a board-level issue, with leaders of FTSE 100 companies now requesting red team exercises directly.

IT leaders are beginning to understand that their security posture needs to be informed by the threat landscape and that a threat-based approach to security makes sense.

A red team exercise goes well beyond the traditional penetration test and vulnerability assessment.

Rather than examining individual components of the security model in isolation, red teaming simulates a real criminal attack under controlled conditions.

These tests mimic the real-world targeted attacks that businesses face on a daily basis, using a goal-based engagement that simulates the true business impact of a breach.

Based on a military model, red teams are designed to subject an organisation’s IT and security systems to rigorous analysis and challenge. By simulating these real attack scenarios, red teaming provides a realistic picture of an organisation’s cyber security readiness – putting theory into very real practice.

How does it work?

In most cases, organisations are unlikely to have sufficient in-house capability and will hire an external organisation to organise the simulation.

While there are many providers that offer red teaming services, businesses will want to ensure that they are in safe hands and employing a genuine provider when undertaking this type of exercise.

Businesses should look for a provider that is well established, with proven security credentials and thoroughly vetted staff. They should also ensure that they will be getting a genuine red team exercise – not just a standard security assessment marketed as a red teaming product. A genuine exercise is goal-based rather than a list of findings against individual hosts, is run under agreed rules of engagement, and is known in advance only to a small group in the organisation so that the response of everyone else is what is actually being tested.

Before developing a specific scenario or story for the simulation, the chosen ethical hacking organisation will determine the type of attackers to whom the organisation might be exposed, what they might be trying to achieve, how motivated they are and what methodologies they might use.

The simulation then tests the business’s defences at each step that would take place in a real attack – the so-called “kill chain”. This covers the attacker researching and carrying out reconnaissance on the target organisation, socially engineering targeted employees to gain a foothold, breaching the security perimeter and, finally, taking control of internal systems or networks to achieve the agreed objective.

In doing so, the simulation involves employees at every level of a company’s defences – not just those directly responsible for cyber security, but those in unrelated departments.

Involving a diverse range of employees in the simulation helps businesses to demonstrate that everyone is accountable for security, and employees can even become security evangelists in their own right as a result.

By involving the participants in an engaging story that is genuinely relevant to their organisation, it is possible to raise the bar on that most difficult of security controls – the human firewall.

By running these simulations periodically, each exercise can build on the last, with new and more demanding scenarios that continue the education of everyone in the organisation.

What are the results?

As well as increasing employee awareness and engagement in security best practice, a threat-based approach highlights vulnerabilities that would otherwise have been missed, or perhaps not even considered, during standard training or a typical “due diligence” exercise.

Red team simulations deliver critical results for a modest outlay in time and expenditure, and because the findings are tied to a realistic attack story rather than a list of technical issues, the experience is far more engaging for employees.

That’s not to say that red teaming is an alternative to traditional testing, but it is a very valuable additional activity. While due diligence continues to be crucial, testing existing security measures with this type of exercise highlights where vulnerabilities still exist and enables organisations to take proactive steps to improve security before a real attack occurs.

Peter Wood is member of the security advisory group of Isaca’s London Chapter and CEO of First Base Technologies, which is to run a session on ‘Red & Blue Teaming’ at Isaca’s CSX Europe in October 2017.
