… and avoiding the “one and done” mentality in cybersecurity decision-making.
The term Red Team is often used loosely as just another name for penetration testing, and it is rarely used as a business planning tool for improving an organization's overall security. The connection between running a Red Team exercise and long-term decision-making is very often lost on executive leadership when they plan the security of their networks. The feedback gained from a true Red Team "cycle" is key to helping organizations budget resources appropriately. Red Team efforts should never be a "one and done" effort; they must be part of a continuing process to be truly effective.
There are many definitions of what it means to Red Team. For the sake of simplicity, one of the best is provided by Red Team Journal: "Defined loosely, red teaming is the practice of viewing a problem from an adversary or competitor's perspective. The goal of most red teams is to enhance decision making, by challenging assumptions, specifying the adversary's preferences and strategies, or by simply acting as a devil's advocate." There are two key take-aways from the Red Team Journal definition: a) view information security from an adversary's or competitor's perspective, and b) use that view to enhance decision-making. Without a Red Team effort built into the business cycle, network security actions become haphazard and resource-draining at best.
Do a quick image search on Google for “Red Team Cycle” and, other than getting a bunch of pictures of a cycling club named “Red Team”, the first picture shown is this:
The picture is labeled the Red Team Operations Attack Lifecycle and essentially walks through the same steps taught in ethical hacking training; as a Red Team business process, though, it is incomplete. In fact, the diagram does not show a cycle at all. It simply shows a timeline of activities to be stepped through, almost as a checklist. As drawn, the work ends at the point of exfiltration, implying there is nothing further to do. But, as a business decision-making tool, there must be a feedback loop for improvement.
The "Complete Mission" action in the graphic can be interpreted many different ways, but most would read it to mean very little will be done to further improve security posture. A thorough Red Team Lifecycle should include additional actions leading back to the beginning of the Red Team Operations Attack Lifecycle. The additional steps, after exfiltrate and cover tracks (in place of "Complete Mission"), are:
- team debrief
- building the report
- comparing results to previous red team activities
- remediate, and
- begin planning for the next red team evolution.
Without a thorough debrief and remediation process, the Red Team effort becomes a box-checking exercise of no long-term value. Comparing results to previous activities provides valuable metrics: which findings were remediated, which recur cycle after cycle, which are new, and whether overall exposure is trending down. Those metrics let executive leadership make appropriate risk mitigation decisions.
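One way to turn "compare results to previous red team activities" into repeatable metrics is to key each finding on the technique used and the asset it was demonstrated against, then diff the current cycle against the previous one. The script below is an added example, not code from the original post or from Sera-Brynn; the findings, host names and technique IDs are constructed sample data, and the severity weights are an assumed risk model you would replace with your own.

```python
"""Compare two red team cycles and report remediation metrics.

Added example, not part of the original article. All findings below are
constructed sample data; hosts and technique IDs are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed risk weights for illustration; substitute your organization's model.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK-style technique ID (constructed values below)
    asset: str      # affected host or service (constructed)
    severity: str   # critical / high / medium / low

    @property
    def key(self) -> str:
        # A stable key lets the same weakness be matched across cycles,
        # even if the report wording or finding number changes.
        return f"{self.technique}@{self.asset}"


def risk_score(findings: Iterable[Finding]) -> int:
    """Sum of severity weights: a crude but trendable exposure number."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def compare_cycles(previous: List[Finding], current: List[Finding]) -> Dict[str, object]:
    """Diff two cycles and return remediated/recurring/new sets plus metrics."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    remediated = sorted(k for k in prev if k not in curr)
    recurring = sorted(k for k in prev if k in curr)
    new = sorted(k for k in curr if k not in prev)
    # Recurring findings that got worse are the ones to escalate in the debrief;
    # ones that improved show a partial control working (e.g. MFA added).
    worsened = sorted(k for k in recurring
                      if SEVERITY_WEIGHT[curr[k].severity] > SEVERITY_WEIGHT[prev[k].severity])
    improved = sorted(k for k in recurring
                      if SEVERITY_WEIGHT[curr[k].severity] < SEVERITY_WEIGHT[prev[k].severity])
    return {
        "remediated": remediated,
        "recurring": recurring,
        "new": new,
        "worsened": worsened,
        "improved": improved,
        # Fraction of last cycle's findings that no longer reproduce.
        "remediation_rate": len(remediated) / len(prev) if prev else 1.0,
        "risk_previous": risk_score(previous),
        "risk_current": risk_score(current),
    }


# Constructed sample: two cycles, roughly six months apart.
PREVIOUS_CYCLE = [
    Finding("T1110", "vpn-gw-01", "high"),           # password spraying on VPN
    Finding("T1190", "portal-web-02", "critical"),   # exploit public-facing app
    Finding("T1078", "ad-dc-01", "high"),            # valid accounts on a DC
    Finding("T1021.001", "jump-host-03", "medium"),  # RDP lateral movement
]
CURRENT_CYCLE = [
    Finding("T1110", "vpn-gw-01", "low"),            # MFA added; spraying now low impact
    Finding("T1078", "ad-dc-01", "critical"),        # regressed: now domain-wide
    Finding("T1021.001", "jump-host-03", "medium"),  # unchanged
    Finding("T1566.001", "mail-relay-01", "high"),   # new: phishing attachment path
]


def summary(result: Dict[str, object]) -> str:
    """Render the comparison as lines suitable for an executive debrief."""
    lines = [
        f"Remediated ({len(result['remediated'])}): {', '.join(result['remediated']) or '-'}",
        f"Recurring  ({len(result['recurring'])}): {', '.join(result['recurring']) or '-'}",
        f"  worsened: {', '.join(result['worsened']) or '-'}",
        f"  improved: {', '.join(result['improved']) or '-'}",
        f"New        ({len(result['new'])}): {', '.join(result['new']) or '-'}",
        f"Remediation rate: {result['remediation_rate']:.0%}",
        f"Risk score: {result['risk_previous']} -> {result['risk_current']}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(compare_cycles(PREVIOUS_CYCLE, CURRENT_CYCLE)))
```

With the constructed data, one of four prior findings was remediated (25%) and the weighted risk score fell from 22 to 18, but the recurring valid-accounts finding got worse and a new phishing path appeared; that is exactly the kind of mixed picture a debrief has to surface rather than reporting "score went down" alone.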
In today's ever-evolving security environment, a "one and done" security mentality is not a path to successful protection of business information. Red Team efforts provide significant feedback both on the effectiveness of existing security measures and on whether investments made to remediate previously known shortfalls actually worked. For a company wanting to maintain a high security level without sacrificing production, Red Team operations should be budgeted in long-range planning as a regular step in its security testing process.
About the Author
Dave Snell is a Senior INFOSEC Consultant at Sera-Brynn. Dave has over 15 years' experience in technical and cyber operations in support of U.S. special operations forces. He is presently a lead penetration tester at Sera-Brynn, specializing in red team operations.