
Security Think Tank: How to get the best out of red team exercises

How can organisations use red teaming to identify security gaps?

It is common to see people with the Red Team Field Manual sitting on their desk and for organisations to talk about red teaming their security. But red teaming, in which a group of people attacks a system while thinking the way an attacker would, only tells one side of the story. As with penetration testing, to get the best out of a red team you have to understand what it can and cannot do.

It is important to specify the objectives of the work you want the red team to do, to require a clear paper trail documenting what they did and how, and to understand properly what the results mean.

Additionally, you must consider the "good guys", the blue team, who will try to stop the red team. To get the best out of a red team, the blue team must be at the top of their game and push the red team to the limit, so that the red team's capabilities are fully tested and it discovers as many vulnerabilities as possible. Some organisations have combined the "bad" and "good" guys into purple teams to get the best out of both.

But this is the traditional model, and there is no clear reason for teams to do only one or the other, especially given that the best members of either team, red or blue, are known for their skills in both domains.

In order to improve cyber security, organisations need not just blues, reds and purples, but "security champions" who are seconded to other teams for consultation and learning. Such secondments, say from blue to red, or from development to security testing, ultimately ensure that problems are addressed at a systemic level. At least until the next vulnerability is discovered.

To understand why the traditional model is not enough and why security champions are also needed, picture a workstation that is vulnerable to a specific type of attack. Within the scope of the exercise, the red team will find this vulnerability and exploit it. The blue team, with some intelligence on the attack, will try to detect, defend against and deter it.

The battleground for this attack is very unlikely to be the vulnerable workstation itself. Instead, network monitoring and similar perimeter defences will determine how successful the exercise is judged to have been, even though the root cause lies in the way that individual workstation was set up.

The issue will not go away until the team responsible for building the workstation is instructed to fix the vulnerability to this type of attack systemically, at a structural level. To draw on a metaphor, you cannot simply train people to defend the outer wall of the castle more effectively; eventually, you have to build better fortifications.

Thus, a simple way for organisations to use red teaming to improve cyber security is to have security champions readily available to be seconded to different teams. These security champions will ensure that the findings discovered by the red team are addressed at a systemic level.

Finally, red teaming exercises must go beyond specific attack methods or targets and seek out the deep structural weaknesses in the organisation, enabling those security champions to build a stronger castle.

Adrian Davis is managing director for Europe at (ISC)2 and Yiannis Pavlosoglou is co-chair of the (ISC)2 EMEA Advisory Council and strategic change manager for operational resilience at financial services firm UBS.
