Why You Want to Fail a Red Team Exercise

A Red Team exercise is designed to find weaknesses in cyber security defenses before criminals do, so you’d think passing with flying colors, with no vulnerabilities found, is every CISO’s ambition. In reality, this is unrealistic: if your Red Team doesn’t find problems, they are not doing their job properly.

Red Teaming, or simulated attack, covers a whole organization in pursuit of specific objectives, such as accessing customers’ details or stealing crucial data. It’s tempting to regard the result in terms of ‘pass’ or ‘fail’, but a Red Team achieving its objectives can be much more useful than a clean report.

An attack simulation helps you look at the big picture regarding security resilience and to understand strengths and weaknesses. Failures help analyze aspects of organizational security, such as structural weaknesses in processes or procedures, which may have gone unnoticed for years. 

The Red Team will take the most expedient attack path allowing them to achieve their objectives and only need to be lucky once, whereas the defending Blue Team needs to be on top of its game constantly. Understanding how the Red Team succeeded is vital to assess resilience. 

Other considerations:

  • With so many security products available with increasingly comprehensive features, it’s easy to have a false sense of security. An attack simulation can help identify where and how these controls could fail to deliver effective security and help improve coverage or configuration.
  • It’s common for legacy systems to be poorly documented or lack ownership. It’s also common for legacy accounts to be active within large networks. These might have poor quality passwords or undocumented administrative privileges. Third-party software packages are often problem sources – possibly difficult to upgrade and susceptible to vulnerabilities. Testing and development environments can also be less secure than production environments. The larger and older the network, the more likely some aspects of regular cyber security have been overlooked. Uncovering these offers clues on where else to look.
  • One of the most important things an attack simulation can reveal is whether your current controls enable detection of an intrusion in progress. Do you have monitoring, logging and alerting to spot on-premise or cloud compromises? Can you detect an attacker exploring internal systems or moving between environments? Can you see data being accessed and extracted? If you can ‘see’ these things, can your defense team respond and contain the breach?

Red Teaming is generally constrained by time and budget, whereas most adversaries will not be similarly hampered. Success in gaining a network foothold will often depend on the right phishing hook to the right person at the right time, when a vulnerability has been identified and not patched. 

If you are satisfied that the early attack paths have been tested sufficiently, de-chaining the Red Team’s attacks will allow their later stages to be explored and help you understand what might happen if your perimeter is breached again.

When your Red Team achieves a foothold and moves laterally, it’s an opportunity for your Blue Team to practice their response processes and hone their investigation skills. 

Triage is crucial. Blue Teams need to distinguish an advanced, targeted intrusion from an unskilled attack. Differentiating between opportunistic phishing and sophisticated attacks can be difficult, even for experienced responders. If initial tactics are similar, only careful analysis of malware samples might reveal any differences. 

Blue Teams need to avoid revealing information about their malware analysis and response procedures to attackers, which could be used to tailor a future attack. For example, when run in a sandbox, malware might call to command and control servers, giving away information about the host being used for analysis. Once this is known, an adversary can change tactics.

Containment is also difficult. Blue Teams need to understand when to terminate activities quickly and when to ‘wait and see’. When an intrusion is identified, it’s tempting to isolate the affected systems and cut off command and control instantly. But what if the adversary has been operating in your network for a while and has multiple footholds and remote access channels? Cutting off one intrusion can tip them off to escalate activity or change tactics. 

A Red Team may not get full coverage of an organization during a simulation, but will observe systemic process failures and ‘big picture’ weaknesses to prioritize and focus your resources, while also helping your defenders understand how they could have done better. 

It’s important to remember that Red or Blue, we’re on the same team.
