Are you considering conducting Red Team testing in 2020? Have you ever conducted one? It’s a New Year, so maybe it’s time for a new approach – a more holistic approach to assessing your information security controls from the perspective of an adversary. But are you ready?
Simply put, Red Team testing is a methodology for confirming the effectiveness of the controls associated with the people, processes and technology involved in processing, storing or transmitting your information assets (a bigger remit). Where penetration testing only assesses the effectiveness of the controls in your technology, Red Team testing also identifies, and attempts to exploit, the vulnerabilities in your people and your business processes that may result in access to these assets (a bigger return on investment).
Red Team methodology
The methodology applies the real-world tradecraft an adversary would use to obtain access by circumventing the technical controls you’ve implemented to secure your systems. This “real-world” attack simulation identifies viable attack vectors that you may have overlooked to date.
Sound worthwhile? It is. And you must ask yourself: why did it take us so long to adopt this more pragmatic and comprehensive approach? The answer is vendors. Historically, we have taken a product approach to solving our data security challenges because vendors’ marketing messages have told us this is the answer. Messages like: Internet security = firewall. Still having problems? You need an intrusion detection system. What? Still having problems? You need an intrusion prevention system… and so on, and so forth… ad infinitum.
Security does not always equal prevention
Sure, security devices and software play significant roles in preventing threats to our data. But it should be clear that they only address one-third of the problem. Kevin Mitnick demonstrated long ago that the easiest way into any system is through the end-user and the vulnerabilities in the day-to-day business processes of the target. So instead of focussing only on testing the configuration and effectiveness of the products we’ve deployed to protect our data, Red Team testing also tests the staff and practices associated with accessing the data.
The challenges of Red Team Testing
This makes good sense. But unfortunately, not all organisations are ready to implement this more comprehensive testing approach. The first challenge, and the obvious one, is the budget. Red Team testing, due to its more expansive scope, is significantly more expensive than conducting security penetration testing. Let’s face it; it was hard enough to demonstrate the return on investment for getting the budget to conduct penetration testing. Selling penetration testing to Senior Management as a ‘must-have’ annual activity was straightforward: it is cited in virtually every best practice standard. It is a compliance-driven requirement that Senior Management understands. Red Team testing, on the other hand, is not. It is not required for compliance with ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) or the UK Data Protection Act 2018.
Is your organisation mature enough for a Red Team?
Consequently, the business case for conducting Red Team testing does not include compliance. So, if your organisation’s risk management approach is ad-hoc or compliance-driven, you may not be ready to move to a Red Team testing approach. “Ready” for me means “mature”. A mature organisation is a “risk-driven” organisation that implements an information security management system (ISMS) based on identifying, protecting and testing all attack vectors – not just the technical ones. A mature organisation will test the controls in its people and processes as well as in the technology that hosts its data.
Here are a few questions to consider to help you determine if your organisation is ready for a Red Team and its enhanced benefits. If you answer yes to more than half of them, you may be ready to step up your testing to a new, more effective level.
- Have you conducted security penetration testing of your systems for at least 5 consecutive years?
- Can you predict the general results of the annual penetration testing you currently conduct?
- Does your penetration testing include verification of key performance indicators?
- Do you verify that penetration testing was identified in logs and records?
- Do you conduct vulnerability assessments?
- Do the vulnerability assessments include identifying weaknesses associated with your staff and business processes?
- Do you conduct information security compliance audits against control points or key performance indicators?
In short, if your business has a mature ISMS that produces evidence of its implementation, perhaps you’re ready to enhance your approach and move up to Red Team testing.