This view is echoed by other professionals, and there’s particular disdain for what red teamers are supposed to look like. Richard De Vere, director of social engineering consultancy Anti-Social Engineer, says he “despises” the view that red teaming entails people equipped in black camouflage - “that’s not what it’s about” - and says there are misconceptions too over what team you need. “They are social engineers, not failed army guys. Red Teams need definition. They should not be stuck behind middle management with no scope.”
As such, perhaps it is little surprise that red teaming maturity varies across companies. “From a technical sense, it can vary from very good to poor,” says Quentyn Taylor, director of information security at Canon Europe, asked on how advanced businesses are with red teaming. “However, the main issue is organizations not understanding what they are trying to get from red teaming, what they are trying to simulate.”
With that in mind, here’s a six-step guide to getting red teaming right.
1. Understand what you’re trying to do
“The first point is to understand what it is you are trying to do. If red teaming, you are trying to simulate a likely attack, which means the attacker has to adjust their attack to suit who/what they are emulating,” says Taylor. “As a person contracting companies to perform this task, it is critical that you only work with companies who understand this principle. Similarly, the defenders must also have the appropriate tools and information as they would do in a real attack.”
“I would advise companies to think about what they want to achieve from the red team,” adds Rob Shapland, principal cyber-security consultant at information security and pen testing consultancy First Base Technologies. “It's not really appropriate for companies that do not have a mature cyber-security strategy. However, if defenses have been implemented, then red teaming should be an exercise that is done regularly and can be of immense value. Ensure that the report you get from the red team is of value, and that the recommendations are implemented where viable.”
Cuthbert agrees on the maturity of the business: “A red team is meant for those companies who feel they have done all they can to implement security measures and need the ultimate test. A red team exercise is the need for the team to truly target the organization as an adversary would do, so that both sides can understand, control the environment, and implement a more robust security posture.”
2. Choose the right partner
“Red teaming can attract the wrong kinds of InfoSec professionals, ones that aren’t directly in it to improve security but ones that believe that to break into the company is the only goal,” says Taylor. “My advice: Listen to the red teaming company, and if you don’t like what you hear, walk away. If they aren’t talking about how their services can benefit and how you can have an inclusive test, then they may not be the kind of testers you need.”