January 28, 2015
Webinar Series: Purple Teaming - Validating Detection & Response Capabilities
In this post, I'd like to talk about how to actually apply the concept of “red teams” in your enterprise. First, and foremost, red teaming for cyber security refers to the concept of a small team of hackers reviewing an organization to determine if they can gain access to critical assets. This may not sound much different than a penetration test, but one crucial piece is almost non-existent in a red team exercise: scope. A red team will utilize a web application, mobile platform, physical, social engineer, and network tester as part of a team whose goal is to profile the organization and gain access.Let me be the first to say that I am not stating that every organization needs to hire or employ a red team. As with any security assessment, the right amount of intelligence gathering must be performed to determine if your organization is even a potential target for a red team test. I want to highlight how to help determine if a red team test is right for you.First thing that every organization should determine is who is targeting them. This is a critical and often overlooked step. Organizations will sometimes default to the answer of “everyone” which is not always the case. This is often time referred to as “threat intelligence” and involves reviewing several non-technical aspects of the organization. Threat intelligence is a beast in itself, and outside the scope of this conversation. Some easy questions that you can ask yourself are:
As you can see these are not overly technical questions, but they can help you to evaluate the types of threats that could face your organization. After we have performed our own threat intelligence, we can then look to determine the “Levels of Hackers” that might be interested in our organization. If you are unfamiliar with our levels or hackers, then I encourage you to read my previous article. In a nutshell, Level 1 represents our least sophisticated hackers, while Level 3 represents our most sophisticated hackers. Believe it or not, red teams can be employed by all levels of hackers in our model. Organizations that are not as fluent in their security posture as they should be can easily find themselves victim to very unsophisticated attacks but hacker groups that do not possess the operation doctrine employed by cybercriminal or state sponsored attackers. However, the tactics employed by these attackers can resemble red teaming activities.After your organization has determined its threat, and the types of attacker that could be targeting it, finally it’s time to allow your security team to go to work. This is the easiest part. Your security teams should be employed with the people and resources they need to conduct testing in the same fashion your attackers are. As an organization, you should strive to allow your testing entity the freedom of movement throughout your organization as they see fit. If the organization attempts to limit the scope of a red team test, you run the risk of negatively isolating segments of your organization that pose the greatest risk.If you consistently outsource your testing to a third party (such as NetWorks Group), then that organization has to do steps 1 and 2 above before they test your organization, and the good ones will. After all, the success of the red team helps to push organizational security farther.Learn about Ethical Hacking Topics: Security Monitoring, Managed Detection & Response, Ethical Hacking, Penetration Testing
Security news, tips, webinars, and more straight to your inbox.
