Red Teaming

Simulate Cybersecurity Attacks and Secure Your Organization at all Turns

25 June 2019

"Red team" groups have long been used in military and intelligence contexts to test an organization's defenses. Over the last few years, red teaming, also known as "simulated attack" or "intelligence led penetration testing", has become an accepted cybersecurity testing method for sectors where cybersecurity is critical to their business operation.

In a red teaming engagement, the Red Team represent the attackers, and are typically independent external specialists.  The Blue Team represent the defenders, and are normally the company's IT security department.

Although red teaming is related to penetration testing (sometimes known as ethical hacking), there are fundamental differences between the two disciplines: red teaming is not simply a more thorough or in-depth penetration test, and organizations conducting red teaming should already be conducting regular penetration tests and implementing the agreed remediation plans to gain the most benefit from the exercise.  One key difference is that the red team exercise starts with a Threat Intelligence phase.  In this phase the threat intelligence provider in conjunction with the customer (together with input from the regulator for some frameworks) analyses and reviews applicable threat intelligence and uses this information to develop scenarios and draft a penetration test plan.

This threat intelligence information is passed to the red team, who use it to attempt to penetrate the organization's defenses using the agreed scenarios and test plans. This provides a realistic simulation of an actual attack, which gives an accurate assessment of the organization's defenses and their detection and response capability. This test of the organization's detection and response to an incident is just as important as the test of the defenses, because the ubiquity of data breaches across all sectors shows that relying on good defenses to stop all attacks is naïve; rapidly detecting and responding to a breach is essential to robust cyber security.

Who uses it?

This intelligence-led approach is already well accepted for physical security: an organization planning to build a secure facility in a hostile environment would normally seek intelligence to understand the goals, resources and typical attack methods of local threat actors.  An organization that doesn't do this will inevitably fail to understand the threats they face and as a result will defend against too little, concentrate their efforts on the wrong areas, or waste money trying to defend against all possible threats.  Red teaming brings this intelligence-led approach to cybersecurity testing.

The first sector to embrace red teaming was the UK banking sector.  The first red teaming regulatory framework for the banking sector was the Bank of England's CBEST scheme, which was developed in 2014 in response to the results from the "Waking Shark II" cyber war game exercise.  This was followed by similar frameworks from other central banks including De Nederlandsche Bank's TIBER-NL scheme in 2016, which was adopted by the European Central Bank as the TIBER-EU scheme in 2018; and the Hong Kong Monetary Authority's iCAST scheme in 2017.

The requirement for red teaming is now spreading outside the banking sector. Within the UK, the Civil Aviation Authority is developing their ATTEST framework for the UK aviation industry; the Cabinet Office is piloting the GBEST scheme for UK Government Departments; and OFCOM plans to launch their TBEST scheme for the UK telecommunications sector in 2019.

It is expected that other regulators in various sectors around the world will adopt red teaming as a key part of their cybersecurity risk management. As well as highly regulated sectors, multinationals and other organizations whose high public profile raises the likelihood of attack are also increasingly using Red Teaming.

How Red Teaming Helps

In a world where organizations are subject to increasingly sophisticated, targeted cyber attacks, red teaming provides a crucial test of a business' defenses. Given the difficulties of maintaining perfect perimeter security in large organizations, ensuring breaches are detected and stopped rapidly is the most effective way of maintaining a robust level of cyber security.

Because Red Teaming simulates an actual attack, it not only uncovers vulnerabilities but also exercises the performance of an organization's own IT department in real time under sustained attack. The knowledge and experience gained are vital to ensuring rapid detection of, and successful response to, sophisticated, sustained campaigns, and so to the organization's resilience when an attack occurs.

Red teaming can benefit any organization, but certain sectors in particular:

  • Financial institutions
  • Operators of critical national infrastructure
  • Organisations with a high public profile (whether temporarily or long term)
  • Multinational or global organizations with complex IT infrastructure

 

Roy Hills
Director of Intertek-NTA

Roy Hills is the Director at Intertek-NTA, and formerly the President of NTA-Monitor before its acquisition into the Intertek family in 2018. He has more than 20 years of experience in information security services, including penetration testing, consulting and advisory to equip organisations with PCI compliance and ISO27001 certification. Roy is a founding member of CREST and sits on several security awareness trainings and standards panels.