Maksim Kabakou - Fotolia
The Nato red teaming handbook defines it as: “The art of applying independent structured critical thinking and culturally sensitised alternative thinking from a variety of perspectives, to challenge assumptions and fully explore alternative outcomes, in order to reduce risks and increase opportunities.”
It’s not surprising the same can be said about red team exercises in the cyber security domain. But what should they deliver?
“Red teaming should identify strengths, weaknesses, opportunities and threats, hitherto unthought-of; challenge assumptions; propose alternative strategies; test a plan in a simulated adversarial engagement; and ultimately lead to improved decision making and more effective outcomes.”
The benefits to business from carrying out well-managed red team exercises are profound. Imagine an organisation that just spent considerable resources creating cyber security strategy, implementing and testing all security controls, only to find out that an adversary broke in via an avenue not recognised as a threat attack vector in the strategy.
If red team exercises are carried out, the chances of discovering such an attack path would be far greater. As per the above quote: the benefit is improved decision making and more effective outcomes.
Before I close, a word of caution: red team exercises does not equal a penetration test! However, one could claim that the desirable qualities of a good red team member also apply to a penetration team member:
“Red teaming is largely an intellectual process, but it is more of an art than a science. It requires red team members to possess superb critical and creative thinking skills.”
Read more from Computer Weekly's Security Think Tank about red teaming
My closing word is again a quote from the aforementioned Nato handbook listing key points about red team exercises. While all of them are valuable, my favourite is point is that red and blue teams should work together rather than against each other, yet in adversarial manner.
Principles of red teaming
- Create the right conditions. Red teaming needs an open, learning culture, accepting of challenge and criticism.
- Plan red teaming from the outset. It cannot work as an afterthought.
- Support the red team. Its contribution should be valued and used to improve outcomes.
- Provide clear objectives for the red and blue teams.
- Fit the tool to the task. Assemble an appropriate red team and ensure individuals have the right skills and experience to do the job.
- Ensure that the red team works with the blue and not against them, but that the red team approach is critical and appropriately adversarial.
- Focus on key issues. Red teaming should contribute quality thinking rather than quantity.
- Poorly conducted red teaming is pointless. It may be misleading and engender false confidence.