Security Think Tank: How one organisation’s incident can become everyone’s defence

How can organisations use red teaming to identify security gaps?

“And the cyber exercise begins in three, two, one….”

Nothing. Not a blip. One minute goes by. Two minutes. Three. Four minutes and 43 seconds.

Then the whole office goes dark. All the lights. Every digital screen. Every connected device. Every power outlet. Every phone. Badge swiping systems. Every backup system. The elevator. Everything.

Now the cyber attack really starts. Welcome to what’s known as a red team exercise.

Red teaming, as the practice is known, is used across both the private and public sectors to test the cyber preparations, defences and resilience of an organisation.

Typically, a red team is a team of ethical hackers that pretends to be the “bad guys” and does everything in their power to compromise an organisation. From reconnaissance to social engineering to tailored malware to brute force attacks. From cyber to physical and systems security.

The red team looks at any avenue open to a real adversary and “thinks like the enemy”. Some of the attack is meant as a diversion to cover the actual intent of the attackers. For example, a distributed denial of service (DDoS) attack may be a distracting attack to cover an attempt to compromise systems and steal critical business or account data – or even funds.

What is typically termed the blue team is the defending team that operates under existing documented incident response best practices.

These types of exercises can range from “tabletop” simulations to actual attacks (within acceptable parameters) that have an immediate and real-world impact on an organisation to help show gaps that need to be mitigated – keep your friends close, and your enemies closer.

Most advanced organisations have a cyber security incident response playbook. An exercise involving a red team puts that playbook to the test. Often, the red team will act in unexpected ways, and not according to a playbook or schedule (just as real-life adversaries do).

At the end of the exercise, the teams debrief – or perform a “hot wash” as it is sometimes called – and help the organisation identify how the systems, processes and playbooks should be strengthened to improve the organisation’s cyber security posture and overall resilience.

Red team and beyond

But is the typical red team exercise enough nowadays?

One trend in the financial sector is to move beyond the limited sphere of a red team operation and include many operating areas of the organisation, not just the security and risk teams.

For example, this type of expanded exercise may include executives, operations teams, payment teams, cyber teams, physical security and risk management teams, PR teams, customer services teams and more.

While this type of exercise may not be quite as dramatic as the traditional red team exercise, it involves a broader cross-section of an organisation and in many ways can be more realistic in its approach, its implications and its learnings.

Each organisation may choose to run this type of exercise. In the financial sector, there are several well-regarded exercises that are run annually or semi-annually. Thousands of organisations participate, but each one participates as an individual entity and information utilised during the exercises is anonymous and confidential.

Two of the best known exercises in the financial services space are “Quantum Dawn”, run by the Securities Industry and Financial Markets Association (Sifma), and “Caps”, run by Financial Services Information Sharing and Analysis Center (FS-Isac).

Rather than just having a small enclave of a financial firm participating, these exercises invite every functional area to be involved in a realistic, real-time tabletop simulation exercise.

The FS-Isac, a member-run not-for-profit organisation with nearly 7,000 members worldwide, runs the Cyber-Attack Against Payment Systems (Caps) exercise.

This is a confidential, two-day, tabletop exercise to simulate an attack on payment systems and processes. Formerly named Capp, this annual exercise has been held for the past six years for US financial institutions and has recently expanded to Europe. In the US, nearly 1,000 organisations participated actively.

The Caps exercise simulates a robust, real-world cyber attack against same-day wholesale payment systems to challenge incident response teams to practice mobilising quickly, working under pressure, critically appraising information as it becomes available, and connecting the cyber dots to defend against the attack.

This respected model discovers gaps in incident response plans; strengthens incident response team relationships; builds understanding of system vulnerabilities; and drives exploration of improvements in response.

Another well-known exercise is the Sifma-sponsored “Quantum Dawn”. The series is held at regular intervals; the latest, Quantum Dawn 3 (QD3), was performed in 2015. The next Quantum Dawn is in the planning stages now.

During QD3, more than 650 participants from more than 80 financial institutions and government agencies took part. Participating entities included key industry and government partners such as the US Department of the Treasury, Department of Homeland Security, Federal Bureau of Investigation, federal regulators and the FS-Isac.

The Quantum Dawn exercises are one component of Sifma’s comprehensive work with its members on a variety of cyber security initiatives. These exercises create a cross-departmental incident response focus that is tough to achieve in daily business operations.

For example, the cyber security team at a given bank may understand their realm extremely well, but may not fully understand how payment processing in their bank works and the impact if payment processing functions are attacked as part of a sophisticated criminal enterprise targeting the bank.

But through such collaborative exercises, each department comes to understand its roles and responsibilities. Rapid and accurate communication is key. Indicators of compromise discovered during the early parts of an attack may trigger specific parts of the incident response playbook.

Customer services teams need to be able to respond to high net worth clients. PR teams need to respond to media inquiries and leaks. Regulatory liaisons need to know when and how to engage regulators. Executives need play-by-play information to make business decisions, and so on.

While red team exercises are an important part of resilience preparations, broader exercises that incorporate multiple functional areas of each organisation are truly the wave of the future. They can help each participating firm identify security and risk gaps, improve playbooks, and – in a relatively safe environment – practice for a ‘very bad day’. Hopefully that day never comes but, if it does, as they say, luck favours the prepared.

Andrew Hoerner is vice president of communications at the Financial Services Information Sharing and Analysis Center (FS-Isac).