In the past 18-24 months, we’ve seen a significant change in the way our clients are approaching us about their security. Companies have heeded recent warnings and are putting more resources into their proactive cybersecurity programs than ever before. Increases in high profile Advanced Persistent Threat (APT) style cyber-attacks like the recent SWIFT hacks at the Bank of Bangladesh, as well as UK regulatory interest are also driving many companies to include red team testing as part of these proactive efforts.
Red team tests are simulated cyber-attacks intended to assess a company’s ability to detect and respond in a real-world scenario. Typically performed without the knowledge of the broader security team, red team testing covers not only network and application breaches, but can involve social engineering and physical security attacks as well.
Given the risks involved in this type of testing, it is important to select a vendor that is a good match for your company’s specific threat landscape and risk tolerance. To help guide your evaluation process, we’ve provided the following discussion points to cover with potential vendors to ensure you select one that will provide the insights you expect while minimizing operational disruption.
Manage the risks inherent in red team tests
To mimic real life scenarios, Red Team testing is performed on production targets around the clock, including during peak business hours. However if tests are not carefully planned and executed, they can result in service disruptions on critical internal and external-facing systems. Given this level of operational risk, the first question you should ask your potential vendor should be: How do you plan to minimize the risk of production downtime?
A red team’s test plan should demonstrate a high degree of project management sophistication, including continuous communication of testing activities to “in the know” company stakeholders, advance notice of potentially damaging activities, and the demonstrated ability to pull the plug on activities that may have or are having noticeable negative impacts. Additionally, a red team vendor should establish priorities and reasonable scope in terms of what constitutes evidence that goals have been achieved to avoid unnecessary operational impacts. For example, instead of actually shutting down a critical system to prove they can, it would be sufficient for the red team to demonstrate that they have gained the access needed to do so. These types of safeguards can dramatically decrease the operational risk of Red Team testing.
Maximize implant safety with appropriate safeguards
Red Team tests also normally involve the deployment of implants (e.g. malware) into an environment either as payloads staged via phishing attacks on staff, or otherwise staged into the environment via another exploit pathway. When testers gain a foothold in your environment through this method, the risk of exfiltration of confidential data and the potential for a real attacker to take control of the access point emerges. To be confident in the vendor’s safety measures, you should ask: How will communications and command and control (C&C) of the implant be assured? How will information that may be exfiltrated via the implant be protected?
Red team vendors should be able to provide examples of detailed protective countermeasures they use, such as restricting access to C&C channels to client IP ranges, or encrypting and signing all communications resulting from the exploit, including any exfiltrated data. A vendor should also utilize measures to prevent the implant from targeting people and environments that are out of scope, such as staff members or third party vendors who happen to be on your network. They must also be able to explain how the implants will behave after the completion of testing. Implants that self-destruct are an effective protection measure for these scenarios.
Customize scenarios to mimic relevant TTPs
The types of cyber threats a company faces vary based on factors such as industry sector, company structure, and business size, among many others. Modern security programs identify and track the threats directly relevant to the company through proactive threat monitoring. For Red Team testing to realistically simulate the threat actors your company is most worried about, you should ask your vendor: How will you customize the scenarios you’re testing? How much control can we have over your scenarios?
A good Red Team vendor will be able to mimic the Tools, Techniques and Procedures (TTPs) and threat actors that you or your threat intelligence provider have been tracking. Additionally, you should confirm that red team vendor’s toolset can be customized to seed relevant Indicators of Compromise (IOCs) from the custom implants they use. Both of these will help to create as realistic an assessment of your organization’s susceptibility to cyber-attack as possible.
With hacker tactics constantly evolving, we may never be able to prevent breaches entirely, but with practice, companies can strengthen their ability to detect more sooner and respond adeptly to minimize loss. This is the definition of cyber resilience, and the standard to which the best companies aspire.