You may have a very mature security program for your organization, with comprehensive technical and administrative controls. You have stopped a variety of dangerous events in the past 12 months and you can see that things are going well overall. But there is always room for improvement: the threats you can't see and can't plan for are still lurking. One way to test the maturity and strength of your security posture is to conduct a Red Team engagement.
Contributed by Dick Wilkinson, IT Security Officer, New Mexico Judicial Information Division
A Red Team engagement is a series of simulated, authorized attempts to breach your security perimeter. It can include physical attempts to enter secure spaces, social engineering by phone and in person, technical attacks against your computer network, or even a spear-phishing campaign aimed at senior board members and executives. The team executing these attacks is given a limited amount of knowledge about your organization and clear boundaries on acceptable behavior.
Some considerations when planning a Red Team engagement:
- Set explicit boundaries, for example: no breaking windows to gain entry, and no physically damaging computer equipment to disrupt the network.
- Capture those boundaries in your contract's statement of work. The goal is a realistic dress rehearsal of the attacks your organization may actually face.
- Understanding your business market, the security practices of your industry peers, and the threats facing your industry as a whole is crucial to building a realistic set of scenarios for your security plan to defend against.
- The red team's previous experience will largely determine which techniques they find most useful.
- Be open to suggestions from the team and listen to how they have helped previous clients.
This event can be a learning experience for your organization, even during the planning stages, before any offensive actions have taken place.
The Blue Team defends
The counterpart to the red team is the blue team. This is your team of network defenders, and they are probably already doing the job of protecting your network every day. These employees are crucial in defining what the outcome of this special event should be, because they have the best insight into where the weakest parts of your security plan may be.
What a Blue team offers:
- Advice from this group can range from very technical input to general anecdotes about previous security incidents.
- The historical knowledge these employees hold should be built into the requirements you give your red team actors. That knowledge may not define the entire plan, but it will give you very clear starting points.
- Your everyday network defenders will also serve as the blue team during the engagement itself.
Some considerations for the Blue team engagement:
- To preserve realism during the penetration events, keep this team out of the meetings where you go over the plan with the red team.
- You want the defenders to use their real-world tools and sensors and to execute real responses to the red team's offensive actions.
- They need some element of surprise in order to act the way they would in a real incident.
- Details you should share with the blue team: the rules of engagement (what is and is not allowed); the start and end dates of the event; and the way to call a stop to the exercise if a real-world incident begins to affect business operations.
- The blue team does need to be informed, but they should not know the script the red team will follow.
Planning a Red Team Engagement
Several factors may lead to the decision to hold a red team engagement. Your industry regulations may require some type of adversarial event to prove your security plan is well designed. Your leadership may have heard about another organization’s event and wants to try it at your company.
A red team event could also be self-directed, because you and the IT staff know it is time to really push the limits and prove that your ideas work. Understanding why you need the red team determines what you should expect to learn from the engagement. From the start of planning, the IT staff needs to define clear objectives that will teach you the most about the gaps in your security plan.
Create a list of known threats and the controls you have in place to protect against them; your risk register is a good starting point. When you discuss the need and the desired learning outcomes with the team that will carry out the penetration attempts, be very clear about your expectations.
Some red team events are conducted by internal audit teams and some by third-party security vendors; this changes the expected outcomes and should be settled early in the planning process.
Some important items to consider in the plan could include:
- Will there be a physical perimeter breach attempt?
- Will we allow social engineering?
- Could there be a punitive response from HR if an employee violates company policy during the test? Decide this in advance and make sure it is consistent with the learning goals of the exercise.
- How much detail do you share with your executives and board if they are considered "in-scope" targets of the test?
- How will you call an emergency stop to the event, and how will that be communicated to all participants, vendors and company employees?
- What laws may dictate how the event is executed? Physical security vendors have been arrested during scripted penetration events, so make sure the team carries written authorization signed by someone with the authority to grant it, and that the right people (for example, building security and local law enforcement contacts, where appropriate) know who to call to verify it.
Most important of all: what are you going to do when you hear bad news? As the IT leader in this engagement you will feel responsible for its outcomes. This is your plan, your defenses and your security team; a failing grade may be hard to face. Talk openly, before anything starts, about where you think you might fail. Be clear with senior leadership that this event may produce findings that cost time and money to remediate.
In the course of one or two weeks you will learn more about the effectiveness of your program than you could in one or two years of regular operations punctuated by minor incidents. The impact this engagement can have on moving your security posture to a new level can't be overstated.
Create the narrative that this was not a failure but an accelerator to your next level of maturity. When you speak in those terms to your leadership and employees, they will take the deficiencies found by the red team as a plan to grow from, and not a report card that says you failed.
This article has been adapted for online reading. The complete article appears in the March issue of CISO MAG.
About the Author
Dick Wilkinson is the Chief Information Security Officer on staff with the Supreme Court of New Mexico. He is a recently retired Army Warrant Officer with 20 years of experience in the intelligence and cybersecurity field. He has led diverse technical missions ranging from satellite operations, combat field digital forensics, enterprise cybersecurity as well as cyber research for the Secretary of Defense.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.