Cuthbert, adds that a red team could be as many as eight people, with everyone from a mission planner, a reconnaissance and physical breach specialist to those skilled in communications and IT. Shapland adds a team could also include an expert on vishing.
“Look at the pedigree of the company you are choosing. Do they name individuals who make up the team? If not, will they supply names? If we use the same process as above, a smaller highly skilled team, then understanding who the team is, is key,” says Cuthbert. “Perform research on those individuals. Are they involved in this industry? Do they create tools, research, speak at conferences or give you an air of ‘this person knows what they are doing?”
Shapland adds that it’s vital to have the right team leader.
3. Surprise - you may not need a blue team
“You don't always need a blue team,” says De Vere. “Remediation and improvements can be made by the organization using employees that have full time roles in IT and other departments. An experienced penetration tester will be able to understand the attacks from the blue side and later work with the client to defend against malicious attackers. This might sound crazy, but it's cost effective and convenient - it's a little like playing chess against yourself.”
4. Communicate clearly with all involved
Cuthbert argues that a red team’s success will ultimately come down to a clear and understood brief, constant communication and an understanding of what red teaming ultimately entails. “You need clear and concise communication between the client and company/internal group requesting the red teaming operation,” says Cuthbert, who notes that the client should be totally clear what the red team will - and won’t - carry out.
“At the foundation of a red team is the realization that it will do everything in its skillset and experience to gain access and exploit vulnerabilities in the company’s infrastructure to give a realistic and concise overview, and they’ll do it without getting caught,” says Cuthbert. “The overall person in charge of the team needs experience in every area of red teaming, but also needs to understand the impact on the business of doing the testing, and how best to present the findings to be useful to the organization.”
5. Prepare, prepare, prepare
“Recon! Do lots and lots of boring recon,” says De Vere, whose firm carries out red teaming for a number of clients. “I try to build a really accurate picture of the organization, and I want to know everything about them. Days are spent researching them. For example, if I am entering the building on the pretext of being agency staff, I will create a fake business to back me up. If the ingress relies on gadgetry like invisible headphones, I will wear these to remain in constant contact with an assistant that will document the attack.”
Sign up for CIO Asia eNewsletters.