Typically, ROI is seen as money spent vs money received, to see if the investment is profitable. In this case, it is the security testing investment vs savings (average cost of a breach minus security testing cost). If you are curious why a red team test improves testing ROI and how to gain an impressive ROI on your security testing, then read on to find out.
Make the most of a Red Team
To get the most return from your investment, there are some guidelines you should follow to ensure maximum results and benefits from the testing being deployed. The first step is to do your best not to limit the Red Team testing scope.
A Red Team Test with severe restrictions on what can be done will impede the tester's ability to find control flaws. As an example, if you don't allow the tester, Barry, to use social engineering techniques on, say, Sam, a senior manager, you might miss deficiencies in your people's ability to identify and deal with a social engineering attack. This could result in a costly breach that the test could have helped you prevent had it been in scope.
Next, once you have identified the Red Team Test's control flaws, you must remediate them. The outcome of a comprehensive and well-executed test will likely throw up vulnerabilities in your controls. Say, for example, a CCTV operator is caught sleeping on the job: an obvious flaw in your controls which could allow a highly damaging intrusion. A good Red Team Test lifts the curtain on the illusion of security; even the most well-installed and expensive CCTV kit can be rendered useless if the human factor is not operating as it should.
At this juncture, and using the above as an example, it is worth pointing out that remediation should not be viewed simply as an exercise in admonishing the perpetrator. Instead, you need to consider what led to the failing in the first place. Were your shift patterns adequate? Was there sufficient training? Did the training message accurately reflect policy and procedures? Did you have a failsafe in place? And so on.
Lastly, you must gather metrics to measure performance that can be used to see how efficient your controls are at detecting and mitigating threats (see top 8 metrics to gather in a red team test). This can help maximise the savings from future attacks, optimising ROI. The next three sections explore further why a red team test improves testing ROI.
Sample the means and methods threat actors use
Attackers generally don't set themselves strict parameters on what areas they will attack, so testing shouldn't either. A Red Team Test will give you valuable insight into how your controls work against simulated attacks that reflect those seen in the wild. This can help you identify how to mitigate the threat from these attacks. In doing so, you will enhance your ROI by acting on the knowledge you have gained.
When considering potential attack vectors that could be used against your environment, you need to ask: do we know how to combat this threat? If the answer is No, then a Red Team Test can help you find the answer you need. If the answer is Yes, then the test will help you evaluate the effectiveness of those controls, as described in the next section.
Security controls get an upgrade
Unlike a Penetration Test that is limited to a pre-defined scope, a Red Team Test is there to see how effective all your controls are. This can include areas like RFID scanners, security team response times, people, procedures, technology and staff awareness. A Red Team Test will show you how effective your controls are at identifying, reporting and neutralising all manner of threats. This can also mean uncovering control gaps: areas where the weakness lies in the absence of any control at all. A simple example would be no locking mechanism in place to guard secure areas.
By improving your current controls, and remedying control gaps, you will be better prepared to detect and mitigate attacks. This improvement in controls will limit the ways an attacker can exploit your defences, resulting in an improved ROI compared to other more strictly defined tests.
Red Team covers more ground than other penetration tests
The top 5 social engineering attacks post shows that not all attacks exploit your applications, systems or networks. Indeed, the better the security of your organisation's technology, the more pressure falls on your personnel, often seen as the route of least resistance. These can be attacks against people and also against the physical security controls that those people sit behind. A comprehensive Red Team Test will show vulnerabilities that a penetration test and a social engineering test do not demonstrate on their own.
One way it does this is by testing all areas of a security system at once. Think of it as a no-holds-barred onslaught across all areas at the same time. For example, imagine a scenario where company information leaked from a web application or from social media channels leads to a successful social engineering attack against a staff member, which in turn helps attackers access your office without supervision. Separate Social Engineering engagements and Penetration Tests do not deliver this level of combined metrics. The result is that more control gaps can be discovered than during other engagements, thereby maximising the potential ROI.
Real-World Security Testing
Deploying a comprehensive and robust Red Team Test is uniquely well-placed to show just how good your controls are in a real-world situation. Since the real world is where the bad guys operate, it's clear that this methodology gives you the optimum ROI from your testing budget.