Sunday, March 27, 2022

The 10 Hidden Secrets Of Successful Red Teaming

The world of Cybersecurity is a very broad one, and encompasses many areas of technologies.  If somebody tells you that they are a master of it all, you can tell for sure that they are lying through their teeth. 

The same thing holds true about the technical writing aspect of Cybersecurity.  Anybody can claim that they can write anything, but it takes real talent to actually do it.

While I have written on quite a broad range of topics, one of the areas that I love to write on and am very passionate about is Pen Testing.  I have studied and reviewed this topic quite a bit these last few years, and in fact, it is a huge chapter in one of my books.  I am by no means a practitioner of this art, but I do love writing about it.

So with this in mind, this is the topic for today’s article.  A lot of you might be asking, “Well, what is Penetration Testing?”  In very simple terms, it is where a group of ethical hackers adopt the mindset of a Cyberattacker and try to break through your walls of defense, typically starting from the external environment and working inwards (although internal, “assumed breach” tests that start from a foothold inside the network are common too), to find out where your vulnerabilities and gaps actually are.

From here, a report or security brief is then compiled for the client describing what was discovered, as well as the solutions that can be undertaken to remediate, or fix, them.  The size of a Pen Testing team can be just a few individuals or as large as 10-12 people, depending upon the scope of the work that needs to be done and how large your organization is.

Typically the people involved in a Pen Testing exercise are broken down into three teams:

*The Red Team:  As just mentioned, these are the ethical hackers, the offensive side of the exercise;

*The Blue Team:  These are the defenders, and are deemed to be the “good guys”.  In practice this is usually the client’s own IT Security staff (the SOC, incident responders and system administrators), whose job is to detect and thwart the attacks launched by the Red Team;

*The Purple Team:  Strictly speaking this is less a third group than a way of working.  Members of both the Red Team and the Blue Team sit together, share what was attempted and what was (or was not) detected, and keep a system of checks and balances between the other two so that each finding turns into a detection or a fix.

We will look at the last two teams in further detail in future articles, but in this one the focus will be on the Red Team.  Whether you are the company building the team or the client that will be hiring it, there are a number of key factors that you need to take into consideration, and they are as follows:

1)     Assemble the team:

You will of course want to hire the best of the best.  The thing about Pen Testing is that it can be done remotely from anywhere in the world, at any time set forth by the client.  But you want to select a group of people who not only have a lot of experience, but also have strong coding skills (there is almost always scripting to be done, typically in Python, Bash or PowerShell), and have worked with the current tools, such as Nessus for vulnerability scanning and Metasploit for exploitation.  Although it is not a requirement, you should also give serious consideration to candidates who hold a relevant certification.  The Certified Ethical Hacker (“CEH”) is the one clients most often ask for, and a hands-on certification such as the OSCP is a good signal of practical skill.

2)     Utilize a framework:

While your Red Team will know more or less what to do from the get go based upon their level of experience, it is important to first adopt a framework to keep the work organized as well as prioritized.  Thus, you need to pick a methodology that keeps your Red Team humming along in a seamless fashion.  Two of the most widely used sources are OWASP and NIST.  The links for these are respectively as follows:

https://owasp.org/www-project-top-ten/

https://www.nist.gov/

A word of caution on what each of these actually is.  The OWASP Top Ten linked above is a list of the most common web application risk categories, not a testing methodology; the OWASP document that actually walks through how to test is the Web Security Testing Guide (https://owasp.org/www-project-web-security-testing-guide/).  On the NIST side, the relevant publication is Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, which covers planning, execution and reporting.  Other methodologies in common use are the Penetration Testing Execution Standard (PTES) and, for mapping what the team did against real adversary behaviour, MITRE ATT&CK.

Also, adopting one of these frameworks gives a good impression to your customer, as you will be working to well established standards, and it makes your report easier to compare with other assessments.

3)     Decide what will be ethically hacked:

Obviously, your Red Team will want to get through each and every digital asset.  But keep in mind that there are resource limitations here.  You can only go as far as your team’s time and focus allow, and as far as the budget that your client has set forth.  Therefore, in consultation with the client, you should strategically pick the targets that matter most: the systems where a compromise would do the most damage and that are most exposed.  That prioritization can only come from a Risk Assessment, which the client should have done (or you should do with them) before the test starts.  The output of this step is a written scope: which IP ranges, domains, applications and accounts are in play, which are explicitly off limits (production databases, third party hosted systems you have no authorization to touch, anything in the middle of a change freeze), and the time windows in which testing may happen.  Keep in mind also that it is not just the digital assets you will be going after.  If there is the need, it is quite likely that you will also be launching Social Engineering attacks (phishing, pretext phone calls, physical entry) against the employees of your client as well, and those need their own explicit sign-off, since they target people rather than just machines.
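One way to turn that written scope into something the team actually checks before touching a host, as an added example that is not from the original post or from any real engagement.  The IP ranges, domains and exclusions below are constructed for illustration, and the simple “allow / deny” file format is hypothetical, defined here only so the example is self-contained; on a real engagement the entries come straight from the scope the client signed off on.  Exclusions are deliberately checked first, so a “deny” always wins over an overlapping “allow”.

```python
"""Rules-of-engagement scope check for a Red Team.

Added example, not tooling from the original post. Every IP range, domain
and exclusion below is constructed for illustration; on a real engagement
they come from the scope the client signed off on. The 'allow'/'deny' file
format is hypothetical and defined here only so the example is self-contained.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """What the client authorised, plus exclusions that always take precedence."""
    networks: list = field(default_factory=list)           # in-scope CIDR ranges
    domains: list = field(default_factory=list)            # exact hosts or '*.suffix' patterns
    excluded_networks: list = field(default_factory=list)  # never-touch CIDR ranges
    excluded_hosts: set = field(default_factory=set)       # never-touch hostnames


def parse_scope(lines):
    """Parse the hypothetical scope file format:

        allow 203.0.113.0/24          in-scope CIDR
        allow *.corp.example.com      in-scope domain (subdomains only, not the apex)
        allow www.example.com         in-scope exact hostname
        deny  203.0.113.250           excluded host or CIDR
        deny  payroll.corp.example.com

    Blank lines and '#' comments are ignored. A malformed line is an error
    rather than a silent skip, because a typo in the scope file must never widen it.
    """
    scope = Scope()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, _, target = line.partition(" ")
        target = target.strip().lower()
        if action not in ("allow", "deny") or not target:
            raise ValueError(f"malformed scope line: {raw!r}")
        try:
            net = ipaddress.ip_network(target, strict=False)  # a single IP becomes /32 or /128
        except ValueError:
            net = None                                        # not an IP: treat as a hostname
        if action == "allow":
            if net is not None:
                scope.networks.append(net)
            else:
                scope.domains.append(target)
        elif net is not None:
            scope.excluded_networks.append(net)
        else:
            scope.excluded_hosts.add(target)
    return scope


def _domain_matches(host, pattern):
    """'*.corp.example.com' matches any subdomain of corp.example.com, but not the
    apex itself and not look-alikes such as evilcorp.example.com."""
    if pattern.startswith("*."):
        suffix = pattern[1:]              # '.corp.example.com', leading dot kept on purpose
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def in_scope(scope, target):
    """Return (allowed, reason). Exclusions are checked first, so a deny always wins."""
    target = target.strip().lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        for net in scope.excluded_networks:
            if addr in net:
                return False, f"{target} is explicitly excluded by {net}"
        for net in scope.networks:
            if addr in net:
                return True, f"{target} is inside in-scope range {net}"
        return False, f"{target} is not in any in-scope range"
    if target in scope.excluded_hosts:
        return False, f"{target} is explicitly excluded"
    for pattern in scope.domains:
        if _domain_matches(target, pattern):
            return True, f"{target} matches in-scope entry {pattern}"
    return False, f"{target} matches no in-scope domain"


def filter_targets(scope, targets):
    """Split a candidate target list into (allowed, rejected_with_reasons)."""
    allowed, rejected = [], []
    for t in targets:
        ok, reason = in_scope(scope, t)
        if ok:
            allowed.append(t)
        else:
            rejected.append((t, reason))
    return allowed, rejected


# Constructed rules of engagement for the example (not a real client's).
SAMPLE_ROE = """
allow 203.0.113.0/24
allow *.corp.example.com
allow www.example.com
deny  203.0.113.250            # production database, never to be touched
deny  payroll.corp.example.com
"""

if __name__ == "__main__":
    roe = parse_scope(SAMPLE_ROE.splitlines())
    candidates = ["203.0.113.7", "203.0.113.250", "198.51.100.5",
                  "vpn.corp.example.com", "payroll.corp.example.com",
                  "corp.example.com", "www.example.com.attacker.net"]
    ok, bad = filter_targets(roe, candidates)
    print("in scope :", ok)
    for t, why in bad:
        print("rejected :", t, "-", why)
```

Run it in front of any scanner or exploitation step (for example, feed only the “in scope” list to Nessus or Metasploit), and keep the rejected list with its reasons in the engagement log: it is evidence that an excluded host was never touched.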

4)     Keep track of the work that is being done:

As you check off everything that your Red Team is hacking through, this needs to be recorded in detail, along with the possible solutions that can be implemented to fix the issues.  For each finding that means, at a minimum, the affected asset, the time it was tested, the exact steps and commands used, the evidence (screenshots, captured output) and a severity rating the client can act on.  Not only will you need this information to compile the final report for your client, but you will also need an exhaustive record in case you are ever audited, for example under privacy regulations such as the CCPA or the GDPR, or if the client later has to show a regulator what was tested and when.  Two caveats: the log is also how you prove what the team did not do if something breaks during the test window, and any sensitive data the team captures along the way (credentials, customer records) should be stored encrypted and destroyed at the end of the engagement.

5)     Communication is key:

This is one of the most important pieces of any Pen Testing exercise, and a siloed approach must be avoided at all costs.  For example, the Red Team needs to communicate clearly with the Blue Team, and vice versa (at least once the exercise is over; when the point of the test is to measure the Blue Team’s detection capability, the Red Team’s activity is deliberately kept quiet until the debrief).  But in the end it is really the job of the Purple Team function to make sure that all lines of communication remain open and transparent.  In terms of your client, you need to explain what is going on to them in clear, plain language without any fancy lingo or technojargon.  This is especially important when you compile the final report for them, and it applies during the test as well: agree up front on an emergency contact and on a rule that a critical finding (for example, working remote code execution on an internet-facing system) is reported immediately rather than held back for the report.

My Thoughts On This:

Keep in mind that the bulk of this article was written with the business owner who offers Pen Testing services in mind.  But for you the client, there are a number of steps that you need to take into consideration as well, which are as follows:

*Always hire an extremely reliable Pen Testing company.  They should have been around for a long time, and always ask for references, ideally from clients in your own industry!

*As mentioned several times, the Red Team will be giving you a final report.  Make sure you understand what they have written, and if you cannot, always ask questions, or have them rewrite the final report until you can finally understand it.

*This report will also contain a list of solutions that you should take to remediate the problems found.  Typically, the Red Team will not implement these, but rather they will refer you to an MSSP to get this part of the job done.  In this regard, and for considerations of your budget, it might even be wiser to hire an MSSP that not only has a Red Team to do the Pen Testing, but that can also work with you to implement the needed controls.  The one caveat is independence: if the same people both fix the problems and retest them, the retest is not worth much, so ask that the verification be done by a different team, and be aware that some compliance regimes (PCI DSS, for example) expect the tester to be organizationally independent of whoever manages the systems under test.

*Try to hire locally.  Avoid hiring Red Teams that are based overseas, especially in those geographic regions where there are nation state threat actors.  Better yet, you should have direct, face to face contact with the Red Team that you will be working with, and know exactly who, by name, will have access to your systems and your findings.

*Always make sure that a contract is signed, laying out the roles and responsibilities of everyone involved and everything that is going to happen.  At a minimum that means the scope (what is in and out of bounds), the rules of engagement (testing windows, whether denial of service or social engineering is permitted, how far an exploit may be pushed), a written authorization letter the testers can produce if they are challenged, named emergency contacts on both sides, and how your data and the findings will be handled and destroyed afterwards.  Also make sure that your Red Team is insured, in case something goes unexpectedly wrong.

Finally, keep in mind that Pen Testing is one of the few ways to see what is truly going on in your IT and Network Infrastructure.  With more than 50% of all businesses being Cyberattacked each week, this is a risk that you cannot afford to take.
