This is Part 3 of a Series on how businesses can leverage proven US Military “Intelligent Adversary” tactics to stay cyber-secure.
Part 2 discussed how businesses could stay operational during a successful cyber attack. This week we will uncover who Red Team members are, what they do and why we should trust them. With their help and expert insights, we can better prepare for tomorrow’s battle against cyber criminals.
What is a Red Team? How do they work? Can we trust them?
As simple as the above questions are, they are frequently asked by clients. The reason these questions are asked is rooted in one inescapable facet of human psychology: fear of the unknown. The irony, of course, is that one of the principal functions of a Red Team is to educate by emulating attacker methodology, thereby removing the “unknown.”
What is a Red Team?
A professional Red Team is a group of highly trained and experienced experts in a given field who can effectively analyze a problem from an adversarial perspective, thereby allowing planners to mitigate any discovered problems. In essence, Red Teams approach an issue from a potentially unexpected angle. In the information security field (or cyber, if you prefer), Red Teams carefully study threats to information systems. These threats may be vulnerabilities, configuration errors, or even “threat actors” ranging in sophistication from hacktivists, to organized crime, or even Nation-States (APT!). Red Teams are typically small, highly flexible organizations that can rapidly adapt to changing situations or environments, and often include experts in a variety of commonly encountered targets (enterprise-level routing, Microsoft Active Directory forests, web applications, database exploitation, client-side attacks, wireless attacks, physical security, etc.). Red Teams are very tight-knit teams that work well together, and strive to establish professional relationships with other Red Teams to fill in any gaps in capability.
How do they work?
Red Teams may take a holistic view of an organization’s operations and how they are supported by information systems, or they may focus very narrowly on an individual application. The approach depends upon the threat being emulated, which should be negotiated with the client beforehand. Ideally, the Red Team will faithfully emulate the given threat in order to demonstrate an operational impact on the client organization. An operational impact is anything that affects the way an organization functions on a daily basis, thereby preventing the execution of the organization’s primary mission. Operational impact is the only way to communicate the seriousness of a discovered vulnerability. If a vulnerability does not realistically threaten operations, the organization (rightly) will prioritize other issues. Professional Red Teams will not overstate a vulnerability, nor will they create one. A professional Red Team will not leave an organization more vulnerable than when they started, and will clean up any artifacts upon conclusion of the engagement. In addition to a final comprehensive report, all activity logs will be turned over to the customer to facilitate a (highly recommended) internal after-action analysis and remediation effort.
Can we trust them?
Authentic Red Teams are composed of absolute professionals at the top of their field, often with decades of experience. Many Red Team members started out doing incident response within large organizations, or within the US Military’s Cyber organizations, and bring that experience to their current position. Red Teams can absolutely be trusted to surprise the client, as this is their stated intention (remember operational impact?). However, this surprise will be delivered purposefully and professionally, and should be carefully coordinated with a trusted liaison within the client organization. Professional Red Teams will not *actually* create operational impact, but will provide enough of a demonstration to remove any doubts about the seriousness of the discovered issue.
Remove the fear of the unknown.
Professional Red Teams force organizations to understand their own vulnerabilities and how those vulnerabilities can impact business operations if exploited by a determined adversary. This understanding removes uncertainty and builds confidence within the organization, shedding light on the unknown and removing the fear.
How do we include Red Teams in our processes?
Many organizations struggle with this question for a variety of reasons, including cost, trust, internal politics, etc. Building a Red Team organically, while obviously desirable, takes time and resources that are often required for other security priorities. The quickest and most effective way for an organization to realize the benefits of Red Teaming is to hire a Red Team to assess the organization. The Red Team will have a completely different perspective on the organization and its mission, and will undoubtedly shed light on any hidden vulnerabilities. Look for cyber security companies, such as my employer EdgeWave, that have actual former US Military Red Team cyber specialists to provide this valuable service. But whichever path you take, you must act now, as cybercriminals and other nefarious actors may be looking at your organization and plotting their way inside.
Read Part 1: A holistic approach to Network Security
Read Part 2: Insights on how businesses can leverage US Military “Intelligent Adversary” tactics to stay cyber-secure
Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft. Comments and questions for Mike Walls are welcome: email@example.com