Thought Leadership

May 2, 2022

The Recipe for Red Team Scalability

SafeBreach serves up the five fundamentals to building a scalable cybersecurity red team program.

In a recent blog for Help Net Security, SafeBreach’s Chief Product Officer Yotam Ben Ezra explored the concept of cybersecurity red teams, including what they do, their goals, and the weaknesses in their methodology. We’ve built upon Yotam’s ideas in recent posts exploring the initial steps to take when starting a red team program and some key red team setup and tool choices to consider. 

Now we’ll take an even longer-term viewpoint to help you prepare for the rising risks and overall threat landscape you’ll face as your organization expands. Here are the five crucial ingredients needed to ensure your red team is positioned for scalable growth.

1. Goals

First, you must clearly define the red team’s goals around specific threat scenarios. To do this, it’s important to develop a full understanding of the adversaries you face, including their past attacks, their preferred tactics and techniques, and the impact their attacks may have on your business. There are many threat intelligence services and resources—like the MITRE ATT&CK framework—to help identify which type of adversaries are targeting you based on your industry, geography, attacker motivations, and other factors. 

Attacks produce a range of consequences—from data loss and business continuity disruption to reputational harm and financial damage—but not all will have the same level of impact on your business. Determine which attacks pose the highest risk to your organization, and prioritize your goals around those first. With a solid understanding of your business impact and adversaries, you can set focused goals around the threat scenarios most relevant to your business.

2. Metrics

Tied closely with setting goals, your red team should have a measurable set of outcome metrics around your objectives. This starts with clearly defining the consumers (or stakeholders) of your red team’s output and the types of deliverables they will need. Your red team’s direct consumers may include your CISO, blue-team counterparts, or other representatives seeking quantitative risk data to inform compliance and investment decisions or strategies.

Once you know who you need to reach, you can then decide which deliverables will best meet their requirements, whether that’s a high-level risk analysis or a pinpointed attack assessment. In producing these deliverables, it’s key to create a common language all your consumers understand and agree upon. With this alignment in place, you can then demonstrate how closing the identified gaps will lead to quantifiable risk reduction and arrive at a clear set of outcome metrics to assess your red team’s ongoing performance.

3. Methodology

The threat environment is constantly changing, so the scalability of your red team will depend heavily on the repeatability of your methodology. Be prescriptive about your process from the outset, with an aim to build threat scenarios and launch attacks in a way that can be repeated continuously and at a frequency that enables you to achieve real-time risk-level monitoring.

Your repeatable red-team methodology should give you the ability to:

  1. Attack effectively and efficiently, testing the full range of threat scenarios across relevant assets.
  2. Process results, produce actionable data, and prioritize the findings based on business impact.
  3. Act swiftly on your findings and report back to stakeholders in the format they need.

4. Ecosystem

The ultimate goal of your red team is to better understand and improve upon your security ecosystem’s effectiveness. This is why it’s imperative your red team is armed with the right tools to properly integrate with your ecosystem and ensure each element generates the right contextual understanding of how it responds to an attack.

Security posture reporting should include a clear assessment of each security tool’s ability to protect, prevent, and respond to threats and what type of alerts and events those tools produce. You can then unify all that information into a more holistic ecosystem analysis and output your results in a way that can be easily tracked and operationalized for continued growth and streamlined remediation efforts. 

5. Automation

Although we’ve listed it last, automation should be a primary objective of any red team plan from the outset to achieve true scalability. Talented red teamers will come and go, and building a skilled team takes a significant investment in people. Automation will help your red team stay consistent through the personnel ups and downs, but automation is not necessarily intended to replace skilled red team players. Rather, it will grant your team more bandwidth to focus on the activities where they can make the greatest impact, while leaving many of the day-to-day tasks needed to perform continuous security testing in the “hands” of a reliable, automated solution. 

Automation also enables red teams to cover more of their environment and threat landscape than any individual or team could ever hope to—and with greater consistency and alignment by repeatedly testing the same scenarios without allowing the goal to become a moving target. Some organizations with the means and resources may opt to build their own red-team automation in house. Others will leverage general automation tools, and finally, there’s the option to make a wise investment in a specialized security testing automation system that meets your business needs. 

From setting clear goals and metrics to establishing an automated, repeatable methodology that easily integrates with your security ecosystem, the SafeBreach BAS platform can aid your red team’s scalable growth. Connect with a SafeBreach cybersecurity expert to learn more or schedule a personalized demo

Get the latest
research and news