In a recent blog for Help Net Security, SafeBreach’s VP of Product Yotam Ben Ezra explored the concept of cybersecurity Red Teams, including what they do, what their goals are, what weaknesses exist in their methodology, and what a more modern approach may look like.
In this blog, we’ll build on his ideas by diving into some of the foundational steps that can help support the development of a modern Red Team program. While it doesn’t have to be complicated, it does require a commitment to identifying the correct personnel, operationalizing their skills, aligning their activities with the overall goals of the business, and providing them with the right tools to maximize their efficacy.
Step 1: Align Red Team Goals with Overall Business Goals
The baseline rationale for Red Teaming is an improved security posture and reduced risk. It is worthwhile, however, to spell out how specific security risks map to overall business risk and then design Red Team exercises to match. For example, a CISO may be concerned about supply chain risk and vulnerabilities in third-party libraries that could directly affect the enterprise. In this situation, the Red Team may design an exercise that inventories the third-party libraries used by internal applications and determines whether those libraries have been patched and updated to versions without known vulnerabilities. While it is important not to scope exercises too tightly, focusing on specific areas of concern allows deeper dives and yields better guidance on process changes that can eliminate root causes at the operational or software-development level.
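As an added illustration of the supply-chain exercise described above (this is example code written for this post, not SafeBreach's tooling), the script below parses a constructed requirements file and compares each pinned version against a constructed advisory list. Every package name, version and advisory in it is invented; a real exercise would substitute the application's lock file and a real feed such as the output of a software composition analysis tool.

```python
"""Added example (not SafeBreach's code): check pinned third-party
library versions against an advisory list, the kind of inventory a
Red Team might build for a supply-chain-focused exercise. Package
names, versions and advisories are constructed for illustration and
do not correspond to real libraries or real vulnerabilities."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a requirements file as an internal application
# might ship it. All names and versions are made up.
SAMPLE_REQUIREMENTS = """
# internal billing service dependencies (constructed sample)
examplehttp==2.4.1
parsekit>=1.0,<2.0
tokenlib==0.9.3
fastyaml==5.1.0   # pinned for compatibility
loggingplus==1.2.0
"""

# Constructed advisory feed: package -> list of (affected spec, fixed-in).
# A real feed (OSV, a vendor SCA tool) carries the same shape.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplehttp": [("<2.5.0", "2.5.0")],
    "parsekit":    [("<1.4.0", "1.4.0")],
    "tokenlib":    [("<0.9.3", "0.9.3")],   # already at the fixed version
    "fastyaml":    [("<5.2.1", "5.2.1")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.1.0' into (5, 1, 0) so versions compare numerically
    rather than as strings (where '10' would sort below '9')."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Return {package: pinned_version_or_None}. Only '==' pins give a
    definite version; ranges are reported as None so the reviewer
    resolves them from the lock file instead of guessing."""
    pins: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(==\s*([\w.]+))?", line)
        if not m:
            continue
        pins[m.group(1).lower()] = m.group(3)
    return pins

def is_affected(version: str, spec: str) -> bool:
    """Evaluate one comparison spec such as '<2.5.0' against a version."""
    m = re.match(r"^(<=|<|>=|>|==)\s*([\w.]+)$", spec.strip())
    if not m:
        raise ValueError(f"unsupported spec: {spec}")
    op, bound = m.group(1), parse_version(m.group(2))
    v = parse_version(version)
    return {"<": v < bound, "<=": v <= bound, ">": v > bound,
            ">=": v >= bound, "==": v == bound}[op]

def find_unpatched(requirements: str) -> Dict[str, str]:
    """Return {package: finding} for packages with an advisory.
    A pinned version inside the affected range is reported as
    unpatched; an unpinned package with an advisory is flagged for
    lock-file verification, since the manifest alone cannot prove
    which version is deployed."""
    findings: Dict[str, str] = {}
    for name, pinned in parse_requirements(requirements).items():
        for spec, fixed_in in ADVISORIES.get(name, []):
            if pinned is None:
                findings[name] = "unpinned, verify lock file"
            elif is_affected(pinned, spec):
                findings[name] = f"unpatched (fixed in {fixed_in})"
    return findings

if __name__ == "__main__":
    for pkg, finding in sorted(find_unpatched(SAMPLE_REQUIREMENTS).items()):
        print(f"{pkg}: {finding}")
```

The point a Red Team would take to the postmortem is the "unpinned" case: a manifest that allows a version range cannot demonstrate patch status at all, which is itself a process finding for the development team.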
At a more strategic level, aligning the Red Team with broader business goals will help win broader budgets and buy-in. Cybersecurity organizations have traditionally struggled to communicate their proactive value to key stakeholders, including those in the C-Suite and on the board. Linking Red Team exercise metrics to key business objectives in a visible and measurable way is a critical step in ensuring the long-term viability and budget for these valuable programs.
Step 2: Build the Team & Technology Stack
The first step in building a modern Red Team is to decide whether you will build the team internally or start with an outsourced team. Outsourcing can be a more feasible way to establish a baseline, get an unbiased view of your security gaps, and buy time to build internal buy-in and Red Team capabilities inside your organization.
If you decide to build the team yourself, you’ll first need to determine the size of your team and the types of experience you would like individuals to have. While it’s typical to fill out a Red Team with security engineers, it’s equally valuable to consider adding a fresh perspective with DevOps practitioners or application developers looking to try something different. It can also be helpful to mix internal hires who know your systems, applications, and environments with a few external hires who are seeing all of your IT assets and applications for the first time. Also, for key aspects of Red Teaming, such as social engineering and physical penetration, you will likely require external expertise, as few organizations train their security engineers in these disciplines.
On the technology side, assess what the arsenal of your Red Team should contain. For the most part, successful Red Teams mirror the tactics and tools of real-world adversaries, which usually means open source or widely available software; purchases of additional, expensive software or technology are rarely required. That said, Red Teams will require the compute infrastructure and environments necessary to mount credible attacks. Building this capability may mean setting up separate cloud accounts or sandboxed environments for safe Red Team engagements, ideally clearly tagged and documented so that Red Team activity can be deconflicted from a real intrusion if the Blue Team escalates during an exercise. If public cloud environments are used, check the provider's penetration-testing and acceptable-use policy before starting: most allow testing of your own resources, but some activities (for example, simulated denial of service) require prior approval or are prohibited outright, and keeping the provider informed avoids triggering its abuse-detection tools and response protocols.
Once you have made these team and technology calculations, build a detailed budget that adequately reflects the costs to hire, train, and enable your team. This is a key step in building executive sponsorship and securing the resources necessary to ensure the success of your Red Team.
Step 3: Create Team Relationships
Red Team exercises are adversarial simulations that, if done properly, open better channels of communication between all involved personnel and teams as they work together to address a common threat. Make sure all the participants from the security team are known to each other and that there is an organizational chart that clearly outlines roles and responsibilities. Consider some in-person meetings or live video conferences to break the ice. This is an important step toward fostering relationships and creating an environment where learning is a shared goal and postmortems are relatively frictionless.
Equally important to consider are the other operational teams that should be involved, including network operations, IT, and DevOps. Each of these functional groups should be aware of Red Teaming exercises and may even need to actively participate in them. You may also want to consider whether it makes sense to deploy a Purple Team strategy. Purple Teaming is a newer construct in which the Red Team (typically tasked with attacking assets and infrastructure) and the Blue Team (typically tasked with protecting them) work together during the exercise: the Red Team shares each technique as it is run, and the Blue Team validates in real time whether it was detected and how the response played out, rather than the Red Team operating covertly and reporting only at the end. As the industry trends toward more frequent or even continuous Red Team exercises, be sure to also consider the resources required to sustain an ongoing program.
Step 4: Determine Specific Rules of Engagement & Scope
The Red Team should work with all the other parties listed above to determine rules of engagement for any exercises. Ideally, the rules of engagement should be broad enough to allow for meaningful creativity and variation, while ensuring there are no surprises and that all participants understand they may be targeted. Rules of engagement include:
- Time duration for the exercises
- Targets that are allowed
- Tactics, techniques, and procedures (TTPs) to include—these may be adapted to match specific threat actors or advanced persistent threats (APTs)
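The three rules of engagement above are easier to enforce when they are encoded once and checked by the Red Team's own tooling before any action runs. The following is an added example written for this post, not a SafeBreach product or code from the original article: a small guard that answers "is this action in scope right now?" against a constructed engagement (dates, network ranges, an excluded host and a handful of MITRE ATT&CK technique IDs chosen purely for illustration).

```python
"""Added example (not SafeBreach's code): a rules-of-engagement guard
that Red Team tooling can call before each action, so that out-of-window,
out-of-scope or unauthorized-TTP actions are refused with a reason the
operator can escalate. All engagement values below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress
from typing import List, Set, Tuple

@dataclass
class RulesOfEngagement:
    start: datetime                       # exercise window, UTC
    end: datetime
    allowed_networks: List[str]           # target CIDRs that are in scope
    excluded: Set[str] = field(default_factory=set)      # hosts/CIDRs never touched
    allowed_ttps: Set[str] = field(default_factory=set)  # e.g. ATT&CK technique IDs

    def check(self, target_ip: str, ttp_id: str, when: datetime) -> Tuple[bool, str]:
        """Return (permitted, reason). Checks are ordered so the most
        serious violation (wrong time, excluded host) is reported first."""
        if when.tzinfo is None:
            return False, "timestamp must be timezone-aware"
        if not (self.start <= when <= self.end):
            return False, (f"outside engagement window "
                           f"{self.start:%Y-%m-%d %H:%M}..{self.end:%Y-%m-%d %H:%M} UTC")
        try:
            ip = ipaddress.ip_address(target_ip)
        except ValueError:
            return False, f"{target_ip!r} is not a valid IP address"
        # Exclusions win over allow-lists: a host carved out of an allowed
        # subnet stays off limits. strict=False lets a bare host be a /32.
        if any(ip in ipaddress.ip_network(x, strict=False) for x in self.excluded):
            return False, f"{target_ip} is on the exclusion list"
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in self.allowed_networks):
            return False, f"{target_ip} is not in an allowed network"
        if ttp_id not in self.allowed_ttps:
            return False, f"TTP {ttp_id} is not authorized for this exercise"
        return True, "in scope"

# Constructed engagement: one working week, one lab subnet, one excluded
# host, and three ATT&CK technique IDs (password spraying, SMB admin
# shares, PowerShell) picked for illustration.
ROE = RulesOfEngagement(
    start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
    allowed_networks=["10.20.0.0/16"],
    excluded={"10.20.1.5"},   # e.g. a production domain controller
    allowed_ttps={"T1110.003", "T1021.002", "T1059.001"},
)

if __name__ == "__main__":
    now = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)   # constructed "now"
    for ip, ttp in [("10.20.3.7", "T1110.003"), ("10.20.1.5", "T1110.003"),
                    ("10.30.0.1", "T1059.001"), ("10.20.3.7", "T1566.001")]:
        ok, reason = ROE.check(ip, ttp, now)
        print(f"{ip} {ttp}: {'ALLOW' if ok else 'DENY'} ({reason})")
```

Keeping the guard in code also produces a natural audit trail: logging every denied call gives the postmortem a record of where operators wanted to go that the rules of engagement did not permit, which is useful input when scoping the next exercise.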
For higher fidelity, Red Team exercises should include key stakeholders all the way up to the C-Suite. Attackers increasingly target executives and top management with sophisticated attacks, including deepfake voicemails and phone calls. Business email compromise (BEC) attacks that target finance teams are among the most financially damaging, with millions of dollars in losses possible in a matter of minutes.
In addition, it’s important to decide what information to provide the Red Team to help them target. This typically breaks down into three types of data access:
- White box access: Offers full or partial access to internal information such as source code, architecture documentation, vulnerability-scan results, and security-control configuration.
- Black box access: Offers the Red Team no internal information at all and is most analogous to attacks from the wild.
- Grey box access: Offers a mixture of the two, with the Red Team given certain types of information (for example, network diagrams or a standard user account) but not others.
While it may sound counterintuitive, providing some upfront information can actually improve exercise efficiency and outcomes. A white box exercise might give the Red Team details of applications, or even patch status from software composition analysis, that would not generally be available to attackers in the wild; in exchange, it lets the Red Team craft attacks more efficiently, maximize the educational impact, and stress the specific areas of focus for that exercise.
Step 5: Create & Execute the First Exercise
For the first Red Team exercise, pick a clearly defined and bounded target and rules of engagement. In other words, keep things relatively simple as you get used to the concepts and realities of Red Teaming in practice. Realistically, you’ll want to plan for at least a month or two in advance. Document and aim for a repeatable process that can make Red Team exercises quick and easy to stand up. Ideally, team members who have participated in Red Team exercises before can help lead the project, set expectations, and get everyone up to speed quickly.
As a warm-up, you may want to run a simple penetration exercise as preparation for your first Red Team exercise. If you’d like to be even more prepared, leverage a breach and attack simulation solution to get a full picture of your defenses and security control coverage to guide target and TTP options. Be prepared for a bumpy first time though, and don’t be surprised if either Red Teamers or Blue Teamers get confused during the exercise. In fact, the entire goal of Red Teaming is to put real stress on the security teams and others who might be tested. Hold a cordial postmortem with both sides and ask for feedback on how to improve both the response to the simulated attacks and the Red Team exercise itself. Keep in mind, this is just the beginning and there is room for growth and improvement.
To continually test and improve security posture and organizational response to live attacks, Red Team exercises should be practiced on a continuous basis with a rotating set of participants. Cybersecurity is constantly evolving and so must your Red Team exercises in order to continue to drive tangible results and map back to the objectives and business risks of an organization. Check back over the coming weeks as we share additional blogs on Red-Team topics, including in-depth insights regarding tools and technical considerations.