Red team tests are simulated cyber-attacks intended to assess a company’s ability to detect and respond in a real-world scenario. Typically performed without the knowledge of the broader security team, red team testing covers not only network and application breaches, but can involve social engineering and physical security attacks as well.
In the past two years, we’ve seen a significant change in the way our clients are approaching us about their security. As well as high-profile Advanced Persistent Threat (APT) style cyberattacks, like the recent COVID research supercomputer breaches in the UK, Germany and Switzerland, businesses have seen an increase in cyberattacks during the COVID period, and the new way of working has created formidable challenges, forcing them to adapt under extreme circumstances. Further, driven by regulatory interest from the UK, EU and other regions, many companies are now including red team testing as part of their proactive efforts to assess their resilience to a cyberattack.
Given the risks involved in this type of testing, it is important to select a vendor that is a good match for your company’s specific threat landscape and risk tolerance. To help guide your evaluation process, we’ve provided the following discussion points to consider when evaluating potential vendors to help ensure you select one that will provide the insights you expect while minimizing operational disruption.
Customize scenarios to mimic relevant TTPs
The types of cyber threats a company faces vary based on factors such as industry sector, company structure, and business size, among many others. Modern security programs identify and track the threats directly relevant to the company through proactive threat monitoring. For red team testing to realistically simulate the threat actors your company is most worried about, you should ask your vendor: How will you customize the scenarios you’re testing? How much control can we have over your scenarios?
A good red team vendor will be able to mimic the tools, techniques and procedures (TTPs) and threat actors that you or your threat intelligence provider have been tracking. Additionally, you should confirm that the red team vendor’s toolset can be customized to seed relevant indicators of compromise (IOCs) from the custom implants they use. Both will help to create as realistic an assessment of your organization’s susceptibility to cyberattack as possible.
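To make the IOC-seeding point concrete from the detection side, here is an added example (not code from the article or from any vendor) of the kind of check a blue team can run once the red team has shared the indicators its implant will produce. The IOC values, the key=value log format and the log lines are all constructed for this demonstration; the sha256 value is a placeholder and the addresses come from the RFC 5737 test ranges.

```python
"""Match red-team-seeded indicators of compromise (IOCs) against sample logs.

Added example, not from the original article. IOC values, the log format and
the log lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based index into the log input
    ioc_type: str     # "domain", "sha256" or "ip"
    value: str        # the normalized indicator that matched
    log_source: str   # value of the "src=" field on the matching line


# Constructed IOC set, as a vendor might seed from its custom implant.
IOCS = {
    "domain": {"update-cdn.example-c2.test"},     # placeholder C2 hostname
    "sha256": {"a" * 64},                         # placeholder implant hash
    "ip": {"192.0.2.44"},                         # placeholder C2 address (TEST-NET-1)
}

# Fields that carry hostnames in the constructed log format.
HOST_FIELDS = ("dst_host", "sni", "qname")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse a key=value log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalize_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.lower().rstrip(".")


def domain_matches(candidate: str, ioc_domains) -> bool:
    """True if candidate equals an IOC domain or is a subdomain of one."""
    c = normalize_domain(candidate)
    return any(c == d or c.endswith("." + d) for d in ioc_domains)


def match_iocs(lines, iocs=IOCS):
    """Return every IOC hit found in the given log lines, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = parse_line(line)
        src = fields.get("src", "unknown")
        for key in HOST_FIELDS:
            if key in fields and domain_matches(fields[key], iocs["domain"]):
                hits.append(Hit(n, "domain", normalize_domain(fields[key]), src))
        if "sha256" in fields and fields["sha256"].lower() in iocs["sha256"]:
            hits.append(Hit(n, "sha256", fields["sha256"].lower(), src))
        if "dst_ip" in fields and fields["dst_ip"] in iocs["ip"]:
            hits.append(Hit(n, "ip", fields["dst_ip"], src))
    return hits


# Constructed sample logs: one clean proxy line, one proxy line that matches on
# both hostname and address, one EDR execution event, one DNS query for a subdomain.
SAMPLE_LOGS = [
    "ts=2024-03-01T09:12:01Z src=proxy dst_host=www.example.org dst_ip=198.51.100.7 action=allow",
    "ts=2024-03-01T09:12:07Z src=proxy dst_host=UPDATE-CDN.example-c2.test. dst_ip=192.0.2.44 action=allow",
    "ts=2024-03-01T09:12:09Z src=edr host=ws-017 sha256=" + "a" * 64 + " action=exec",
    'ts=2024-03-01T09:12:15Z src=dns qname="beacon.update-cdn.example-c2.test" rcode=NOERROR',
]


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(f"line {hit.line_no} [{hit.log_source}] {hit.ioc_type}: {hit.value}")
```

Running the block prints four hits: two from the proxy line (hostname and address), one from the EDR line, and one from the DNS query, which matches because the queried name is a subdomain of the seeded C2 host. The subdomain and trailing-dot handling is the part worth copying: a seeded IOC that only matches on an exact string will miss the DNS and TLS variants the same implant produces.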
With hacker tactics constantly evolving, we may never be able to prevent breaches entirely, but with practice, companies can strengthen their ability to detect sooner and respond adeptly to help minimize loss. This is the definition of cyber security resilience, and the standard to which the best companies aspire.
Manage the risks inherent in red team tests
To mimic real life scenarios, red team testing is performed on production targets around the clock, including during peak business hours. However, if tests are not carefully planned and executed, they can result in service disruptions on critical internal and external-facing systems. Given this level of operational risk, the first question you should consider asking your potential vendor is: How do you plan to minimize the risk of production downtime?
A red team’s test plan should demonstrate a high degree of project management sophistication, including continuous communication of testing activities to “in the know” company stakeholders, advance notice of potentially damaging activities, and the demonstrated ability to pull the plug on activities that have had, or are having, noticeable negative impacts. Additionally, a red team vendor should establish priorities and a reasonable scope in terms of what constitutes evidence that goals have been achieved, to avoid unnecessary operational impacts. For example, instead of shutting down a critical system to prove they can, it would be sufficient for the red team to demonstrate that they have gained the access needed to do so. These types of safeguards can help to dramatically decrease the operational risk of red team testing.
Maximize implant safety with appropriate safeguards
Red team tests also normally involve the deployment of implants (e.g. malware) into an environment, either as payloads staged via phishing attacks on staff or staged into the environment via another exploit pathway. When testers gain a foothold in your environment through this method, the risk of exfiltration of confidential data emerges, as does the potential for a real attacker to take control of the access point. To be confident in the vendor’s safety measures, you can ask: How will communications and command and control (C&C) of the implant be assured? How will information that may be exfiltrated via the implant be protected?
Red team vendors should be able to provide examples of detailed protective countermeasures they use, such as restricting access to C&C channels to client IP ranges, or encrypting and signing all communications resulting from the exploit, including any exfiltrated data. A vendor should also utilize measures to prevent the implant from targeting people and environments that are out of scope, such as staff members or third-party vendors who happen to be on your network. They must also be able to explain how the implants will behave after the completion of testing. Implants that self-destruct are an effective protection measure for these scenarios.
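Two of the safeguards above, restricting C&C access to client IP ranges and keeping out-of-scope parties off the implant, are things the client’s own “in the know” staff can verify rather than take on trust. The following is an added example (not the article’s code and not any vendor’s tooling) of a small white-cell check: it reviews the vendor’s proposed C&C allowlist against the client-owned ranges and the exclusions, and decides whether a given beacon source should be accepted during the engagement window. The ranges, exclusions and dates are constructed placeholders (RFC 5737 test networks).

```python
"""White-cell checks for a red team's C&C access restrictions.

Added example, not from the article or any vendor's tooling. The networks,
exclusions and engagement dates below are constructed placeholders.
"""
import ipaddress
from datetime import datetime, timezone

# Client-owned ranges that the engagement is allowed to touch (constructed).
CLIENT_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Segments inside the client ranges that are explicitly out of scope, e.g. a
# third-party vendor's equipment that happens to sit on the network (constructed).
OUT_OF_SCOPE = [
    ipaddress.ip_network("192.0.2.128/26"),
]

# Agreed engagement window, UTC, start inclusive and end exclusive (constructed).
ENGAGEMENT_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
ENGAGEMENT_END = datetime(2024, 3, 29, tzinfo=timezone.utc)


def review_allowlist(proposed_cidrs):
    """Return a list of problems with the vendor's proposed C&C allowlist.

    An empty list means every proposed range sits inside a client-owned range
    and avoids every out-of-scope segment.
    """
    problems = []
    for cidr in proposed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        inside_client = any(
            net.version == c.version and net.subnet_of(c) for c in CLIENT_RANGES
        )
        if not inside_client:
            problems.append(f"{net} is not inside any client-owned range")
        for excluded in OUT_OF_SCOPE:
            if net.version == excluded.version and net.overlaps(excluded):
                problems.append(f"{net} overlaps out-of-scope range {excluded}")
    return problems


def beacon_in_scope(src_ip, when):
    """True only if src_ip is client-owned, not excluded, and inside the window."""
    ip = ipaddress.ip_address(src_ip)
    if not (ENGAGEMENT_START <= when < ENGAGEMENT_END):
        return False
    if any(ip in excluded for excluded in OUT_OF_SCOPE):
        return False
    return any(ip in c for c in CLIENT_RANGES)


if __name__ == "__main__":
    # A constructed vendor proposal: one good range, one foreign range, one that
    # swallows the excluded third-party segment.
    proposal = ["192.0.2.0/25", "203.0.113.0/24", "192.0.2.0/24"]
    for problem in review_allowlist(proposal):
        print("REJECT:", problem)
    mid_engagement = datetime(2024, 3, 10, tzinfo=timezone.utc)
    print(beacon_in_scope("192.0.2.10", mid_engagement))    # True
    print(beacon_in_scope("192.0.2.130", mid_engagement))   # False, excluded segment
```

The allowlist review is the question to put to the vendor before the implant is deployed; the beacon check is what you would expect their C&C infrastructure to enforce for every inbound connection, and the engagement-window test is the same condition an implant with a self-destruct date should be honouring on the other end.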