The threat landscape has evolved dramatically over the past couple of decades, and cyber attacks are no longer considered to be an ‘if’, but a ‘when.’ Security solutions have subsequently popped up left, right and centre across the world as individuals and companies strengthen their defences. One solution that is growing in importance is red teaming, an intelligence-led security assessment designed to thoroughly test organisations’ cyber resilience and threat detection and incident response capabilities.
Unlike off-the-shelf services, there will never be two red teaming exercises that are the same as they are specific to each organisation and its current security posture. Where penetration testing focuses on identifying and testing technical vulnerabilities with a combination of automated and manual techniques, red teaming exercises have a significantly broader approach. These operations take place over a longer period and usually involve more people and resources. They dig deeper to fully understand the level of risk and vulnerabilities within a company’s technical systems, human elements, and physical assets.
To ensure they’re ready for a red teaming engagement, businesses should have already carried out pen testing and other security assessments regularly. Going into this deep-dive exercise, companies should believe they are as secure as possible. This way, the team can focus on identifying those vulnerabilities that are harder to detect.
As the threat landscape is constantly changing, organisations are advised to undergo red teaming exercises on an annual basis if possible. But before businesses decide to embark on a red teaming journey, it’s important they understand what is entails, and there are a few considerations to take into account.
Automated hacking, deepfakes and weaponised AI – how much of a threat are they?
The scope of a red teaming exercise
A red teaming exercise is undertaken with the aim of exploring areas that other assessments would overlook to determine the overall attack chain. Unlike a penetration testing exercise, which usually lasts for around a week or two, a red teaming engagement should be considerably longer. The total elapsed time of an engagement will be several months, or even up to a year, with the team carrying out a series of different exercises during that time and allowing time gaps in between. During the exercise, the team works to identify vulnerabilities and formulate plans on how criminals could exploit the identified weaknesses. These could lie within a business’ people, network, company inboxes, or even physical access to offices.
There are several stages to a red teaming engagement, both on a technical and physical level. This may well involve monitoring buildings, observing employee behaviour, and identifying security measures, such as guards and ID passes. The red team will spend a significant portion of time mapping out the various physical and technical access points to an organisation before they attempt to breach. The preparation for a red teaming exercise takes significantly longer than other security assessments, as there is often a very specific set of targets in mind, rather than testing any and every area of the business.
The social engineering aspect of red teaming makes it far more targeted, as it looks beyond simply testing existing security solutions. Teams will play on the ‘human factor’ and look to exploit any information available, including user profiles on LinkedIn and publicly listed contact details.
What role do employees play?
It is often said that employees can be the weak link in an organisation’s security armour. Largely accidental and with no malice, it is the employees that inadvertently click on a rogue link in an email, bypass a security policy to connect their latest smart device to their corporate laptop, or even just hold the door open for the guy in overalls that is laden down with tools and heading into the building. This is why employees are an important part of red teaming exercises.
This is also where the social engineering side of the engagement comes to life, as teams will often research staff at a company, usually through social media, and engage with them over a couple of weeks to build up a rapport and gain trust. These exercises help build up a list of people who work for the company, as well as gathering information on the targets. Part of the process includes getting into the minds of criminals and identifying weaknesses that threat actors would be quick to take advantage of.
A key element of red teaming is understanding which individuals are most likely to be targeted in an attack. CEOs, and other board-level executives for example, are common targets for criminals as they often have access to the most information. It’s easy to see why whaling – targeting the big fish in a company through a highly targeting phishing attack – is a common practice for hackers, as these top positions generally have access to everything.
Some companies may opt to leave employees out of the process; however, it’s recommended that red teams are given appropriate free reign in order to deliver the most in-depth, and reliable results and it is important for businesses to understand how employees affect their security stance. Everyone has a different level of technological understanding, and so employers must take responsibility for bringing awareness to the entire company, for both the safety of each member of staff, as well as the organisation overall.
How to boost internal cyber security training
Achieving the highest ROI
Declaring a red teaming exercise a success means different things for different parties – is it a success if the team achieved the set-out goals, or if they didn’t? Either way, it’s important to understand how to achieve a sufficient return on investment. Setting targets for the team, either technical or physical, will help identify where priorities around security should lie. The red team will keep these flags in mind as results they want to achieve throughout the process. For example, a physical goal might be to break into the CEO’s office undetected, and a technical flag could be to hack into a data store that holds confidential company information.
The steps taken and the progress made during the exercise are just as valuable as achieving the final goal. As such, reporting is critical in a red teaming exercise. These reports need to tell the company how the team achieved what they did, and the processes they went through to get there. This could include any physical barriers they managed to bypass, including alarms that didn’t go off, or gaining access through the back door. Any identified vulnerability, be it physical or technical, will help a business to improve its security posture.
Red teaming is a valuable tool for those willing to push their security to the limit. By testing the boundaries of their systems, companies can get into the minds of threat actors and identify vulnerabilities before criminals can take advantage. When carried out correctly, red teaming should help ensure business continuity and strengthen their cyber and physical defences.