The Cyber Scheme recently attended the National Cyber Security Show in Birmingham. Whilst there, we attended a talk by Gemma Moore, director and co-founder of Cyberis, on red teaming: “How to run a red team without losing friends and alienating people”.
Penetration Testing Vs Red Teaming
Penetration Testing:
- Designed for technical assurance of a system, application, or network
- Defined scope
- Full (or good) coverage
- Technology focused
Red teaming:
- Designed to simulate a real attack by a threat actor against a business
- Broad scope
- Identify attack paths, achieve an objective
- People, process, and technology
Gemma explained that, whilst there is an overlap between penetration testing and red teaming in the exploitation of technical vulnerabilities, they do have some big differences. An example of this is that red teaming is inherently riskier than penetration testing, because it mimics a real-life attack without limitations. Red teaming is an exercise against a whole live business, meaning it can affect the business’ ability to run during the exercise. People are unpredictable, so you can never be sure how they will react to either the simulated red team crisis or a real-life crisis. As a result, you need dynamic risk management before, during, and after the simulation.
What can go wrong?
There are multiple things that can go wrong during a red teaming exercise, Gemma highlighted the following:
- Production servers crashing
- Networks slowing down
- Support calls because things are broken
- Exposure of sensitive data to the attack team
- Financial damage to the company because of the attacks taking down systems
- People can get upset, angry, and frustrated: budget holders, service providers, response teams, and your employees can all react negatively to circumstances they weren’t expecting, especially if they feel undermined or that their privacy was violated.
The risks presented when running a red teaming exercise are similar to BAU risks with penetration testing.
Budget Holders
It is best to include budget holders in early planning conversations. However, you need to be careful not to disclose so much information to the budget holders that you put the exercise at risk. You need to provide a way for them to ask questions and establish what is really happening, in order to maintain trust. If you get buy-in from the budget holders leading up to the exercise, you will get wider business benefits across different departments.
Service Providers
If you do not notify service providers that you will be undertaking red teaming, they can often feel that their trust has been breached. Another thing you need to be careful of when undertaking red teaming is ensuring that the activities do not fall outside the scope of your contract. You need to check your contract with any service providers that are likely to be impacted by or involved in the exercise to confirm that you will not be acting in breach of it. You also need to ascertain that you can authorise red teaming against or involving your service providers from a legal standpoint. A good way to prepare for this is to notify your service provider account managers up front, at the beginning of the business relationship, that this may occur.
Response Team or SOC
Your response team can often feel that their trust has been broken, or feel a sense of failure. You need to remember that you are inducing a stressful state of emergency when no actual emergency existed. A way of helping with this is to notify your SOC or response team that red teaming will occur at some point, and to come to an agreement on how long the sense of emergency will be allowed to last. You can also get buy-in from the response teams about the red teaming occurring; this is a great opportunity to highlight room for the team to grow and any gaps in knowledge. You also need to ensure you debrief properly after the exercise is complete, so that you can make the most of any learning opportunities that arise.
Your Employees
The manner in which a red teaming exercise takes place can have an effect on how your employees feel at the workplace. They may feel you have breached their trust; red teaming often results in a single staff member being targeted, which can create feelings of shame or fear of consequences if the team was successful. You need to take care to establish clear privacy policies so that your employees do not feel their privacy or rights have been breached. You should be clear to your employees from the outset that personal data may be used in a security simulation. As a result, your IT and HR departments should be clear with employees about the lack of privacy of their user accounts.
It is vital that you avoid a blame culture in the wake of a red teaming exercise. You need to avoid instituting punitive measures as a result of mistakes made during the exercise. Instead, praise your employees for what they did well, such as reporting phishing attempts. When planning your red teaming exercise, you should consider whether social engineering can be avoided. A way to protect your employees in the wake of a red teaming exercise is to remove personal information from the report; this prevents the singling out or humiliation of any employee. Before you begin the exercise, you need to ensure the control group is prepared to make decisions on how far to go when targeting employees.
Key points for you to remember during red teaming are:
- Be supportive
- Risk management is complicated
- Work with empathy
- Prepare for damage
- Control in advance
Read more on red teaming here
Check out Cyberis here.