Security Think Tank: How to maximise the value of red team exercises

How can organisations use red teaming to identify security gaps?

There is a good reason why sports teams play practice matches and militaries stage war games. Simulating realistic scenarios is an effective way of exposing weaknesses and judging the capability to respond to an evolving threat.

The term red teaming originated in the military and has been used to describe a group of protagonists whose purpose is to simulate a threat to judge how that threat is managed.

The concept quickly passed into the information security lexicon to describe a penetration testing technique that takes a “gloves off” approach to achieving a set of objectives by exploiting people, processes and technology.

Red teaming has seen a rise in popularity in recent years as the limitations of existing assurance methods are better understood and attackers have found novel – or obviously simple – ways of gaining access to organisations’ information resources.

The leading principle behind red teaming is that it simulates realistic threat scenarios using a full range of tools and techniques available to a theoretical attacker.

For organisations, the benefits are significant. They are able to model simulations based on specific threats to their enterprise and can accurately test defences that rely on technical measures and the human factor.

Active defence, known as blue teaming (another military term), can be deployed to ascertain the ability of security teams to detect and respond to a simulated breach.

To maximise the value from red teaming, consider the following:

  • Use threat intelligence to identify realistic scenarios with defined objectives.
  • Red teaming should augment the existing assurance processes, not replace them.
  • Performing red teaming properly takes time and resources to undertake testing, analyse the results and prioritise opportunities for improvement.
  • Understand the right time to perform red teaming. Known weaknesses and vulnerabilities need to be addressed first; otherwise it is likely that the exercise simply reconfirms what is already known.
  • Use external teams that can approach the task without preconceptions. If a single supplier is used over a multi-year period, value can be gained from using different testers during that time.
  • Red teaming is not just a security exercise. Engage all teams that have parts to play in security, including business users, infrastructure and support teams.

Red teaming is a powerful tool if used at the right time and with support from the organisation, and it is effective at revealing unintended weaknesses.

Like war games or practice sports matches, red teaming enables decision-making and responses to be evaluated in a risk-free environment to better prepare the organisation for an actual breach.