Part 2 in a Series on how businesses can leverage US Military “Intelligent Adversary” tactics to stay cyber-secure.
Last week we highlighted the point that doing the right things doesn’t necessarily result in doing things correctly. This notion is particularly true when we talk about security assessments.
Most IT professionals will tell you that regular network vulnerability assessments are critical to good network hygiene. They will also tell you that periodic penetration tests are a good idea. In fact some industry regulators include regular penetration testing in their compliance standards. But these techniques are only snapshots in time and do not measure or replicate the broader organizational impact of a breach. The fact is that not even the most heavily resourced cyber defense capability will identify and defeat all adversaries at the network perimeter. So accepting the reality that at some point a hacker will be successful, organizations must prepare for sustaining critical business functions and operations while the Security and IT staffs are pushing the attacker off of the network. So how can a company do this? Let’s walk through a scenario which should answer the question.
Consider a notional airline company; we’ll call it “Notional Air” because we’re creative. Like most airlines, Notional Air relies heavily on its network for virtually every aspect of daily operations: scheduling, schedule changes, maintenance, ticketing. Now consider what would happen if the Notional Air network were hacked and airline personnel were incapable of performing the functions we just described. The reality is that if the hack were significant enough, Notional Air would likely shut down its network in order to mitigate the hack. Even a minor hack would cause major disruption across all airline functions.
Fast forward to the post-mortem, during which Notional Air IT staff provides comprehensive documentation showing up-to-date patches, regular vulnerability assessments, and a penetration test during the previous calendar year. The IT staff and company leadership are left scratching their collective heads, asking how the breach could have been successful in spite of the diligent efforts of the IT staff. Enter the concept of Red Teaming.
Before we talk about why Red Teaming would have helped, let’s talk about what Red Teaming is at a high level. The Red Team concept is based upon the idea of taking assessments from an administrative to an operational context. To be more concise, Red Teaming operationalizes assessments. It brings together vulnerability assessments, penetration testing, and training into an operationally focused approach to assessing an organization’s network security posture, and that same organization’s ability to function when its network is degraded. One more point: Red Teamers are not run-of-the-mill penetration testers. Effective Red Teamers penetrate networks to demonstrate what hacker activity would look like and how that activity would impact business operations. Red Teamers don’t penetrate networks simply to identify vulnerabilities.
Now back to Notional Air and how Red Teaming could have helped. In our scenario, Notional Air would have hired a team of highly skilled cyber security experts, trained in offensive and defensive cyber warfighting. This Red Team would have breached the network much like penetration testers, but that’s where the similarities end. The Red Team would have established a foothold on the network and moved laterally to critical nodes, where they would have commenced creating effects. Effects would have included exfiltrating data and rendering critical systems partially or completely inoperative. This approach would have demonstrated to Notional Air personnel what hacker activity looks like in real time. It would also have given Notional Air operations personnel the opportunity to learn how to operate on a degraded network while IT staff mitigated the hack. Most importantly, Notional Air would have been able to continue some level of operations.
The real value of Red Teaming is providing companies with an understanding of what it would take to operate on a network that has been hacked, before the company is hacked by a real adversary with malicious intent. Given the choice between no business operations and degraded business operations, I’m betting most companies would choose the latter…Notional Air did!
Part 3 will cover “Understanding Red Teaming,” a threat-based approach to network assessments. This edition will be a tactical discussion of who red teamers are, what they do, and why they shouldn’t be considered high risk. Stay tuned!
Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft. Comments and questions for Mike Walls are welcome: firstname.lastname@example.org