Chasing Fire Engines (Red Teaming)
Updated: Aug 29, 2019
So your organisation has done everything right to effectively manage security. You have the best technology, a crack team of security specialists, well-tested applications and infrastructure, a cyber-aware workforce and rigorous processes for detection and response.
Having reached this enlightened place of happiness and well-being - is it now time for quiet contemplation or celebration of a job well done?
Due to the unrelenting nature of the threats, it is little surprise that many security teams suffer the corporate equivalent of PTSD. So what should a mature organisation do to help iron out the kinks and improve the efficiency of its incident response processes?
In the same way that we test a building evacuation, a DR failover or a backup, we want to 'drill' these events so that when (or if) we have to perform them in real circumstances, we have a working, well-tuned process and everything in place that we need.
Just as in the real world - we would not want to test a building's resilience to a fire by setting it alight and admiring our expert sprinkler and alarm setup. Instead, we 'simulate' the alarm safely and under supervision, and get people ready to evacuate.
So how do we do this for a cyber attack? Well, the answer is reasonably straightforward - we simulate a cyber attack. Under controlled conditions (rules of engagement) - we conduct activities that the organisation should ideally detect and respond to.
So what things do clients generally learn from a red team event?
Security is not a technology or product that can be simply purchased.
An organisation's largest attack surface (and most valuable security control) is its workforce.
Security incident response is an orchestration of People, Process and Technology and relies on effective leadership and communication.
An organisation with a well-resourced and trained security incident response team, supported by realistic playbooks, is worth its weight in [Gold | Bitcoin | etc].
As Red Team testing is an advanced assurance activity, it should ideally be conducted only by organisations that consider that their security incident response is reasonably mature.
How do I know if my organisation is ready to perform red team testing? You would ideally:
have an experienced cybersecurity leader for your security incident response team
have a program of security awareness to educate all personnel about the risks
have an approved, well-documented, formalised security incident response process
have incident-specific playbooks, supported by a well-resourced dedicated/virtual team
have sufficient logging and monitoring for your important networks and assets
If you would like to discuss how we can assist you to test your cyber resilience, get in touch.
Author: Clinton Smith