
Security Think Tank: Red teaming can help businesses identify best security controls

How can organisations use red teaming to identify security gaps?

In a previous contribution to Computer Weekly’s Security Think Tank, I mentioned the need for the business side of a company or organisation to articulate to the operational side both what is at risk in the company and what its value is.

This comes down to understanding a company’s business, and includes its client base; inputs and outputs; the data the company holds; its standing in its industry; and appetite for risk.

But the operational side of the house needs some other inputs to develop a comprehensive range of cost-effective security controls. Those other inputs include:

  • Identification of threat sources or adversaries
  • Mechanisms an adversary might use to attack a company
  • Motivation and capability of the adversary
  • Value to the adversary of a successful attack

The value in this context is not necessarily financial. It could be to embarrass a company, drop a project, extract intellectual property or acquire information. The set of adversarial values will vary by company, industry and market sector. 

How does the operational side of a company use the business inputs, together with its own knowledge of the company (such as number of sites, building security, technology deployed and security controls), to develop the adversarial input necessary for the subsequent identification of a comprehensive set of cost-effective security controls?

One answer is to employ a red team, and in many companies the concept of a red team is already in use – though the formal name, or the constitution of a red team, may not be known or understood.

A red team is a multi-disciplined group of individuals drawn from across a company or organisation and independent external sources. The role of the team is to think like an adversary and find exploitable vulnerabilities in a company that would yield value.

Why multi-disciplined? Why drawn from across a company and not just IT? Why have external advisors? Vulnerabilities are not just technical ones such as poorly configured software; they can be people-related, building-related, or PR- or industry-image-related. The inclusion of independent external resources in a team is to balance out any intrinsic bias that a solely in-house team would have, and to provide direction.

The output of a red team includes identification of the adversaries (threat sources) and their motivation and capability, but also the identification of exploitable vulnerabilities ranked by type (technical, building and people), the ease of exploitation and the value to the adversary.

From this, the operational group will be able to develop suitable, cost-effective controls, covering not just the IT estate but also building controls (such as CCTV and access control), HR (staff and contractor vetting, training, and education) and public relations.

Peter Wenham is a member of the BCS Security Community of Expertise and director of information assurance consultancy Trusted Management.