Apr 29 2021

When Is a Business Ready for a Red Team Test?

The most advanced type of cybersecurity assessment provides peace of mind, but many organizations have work to do before they try it.

Cybersecurity teams spend countless hours designing, implementing and managing security controls to protect against confidentiality, integrity and availability threats. Teams of professionals read threat intelligence reports from vendors and government agencies, learn about attacks that compromised peer organizations, and study attacker tactics, techniques and procedures to better understand these threats and design controls against them.

Still, you can’t have confidence in even the best-planned defenses until they’ve been put to the test.

Different Types of Security Testing

Security leaders may take advantage of a variety of tests to better understand their risk exposure. The three main categories of tests are vulnerability assessments, penetration tests and red team exercises. These terms are not interchangeable; each represents a distinct type of security testing and comes with its own advantages and disadvantages.

Vulnerability testing is the most basic form. Testers use automated scanning tools to probe networks, systems and devices for thousands of known vulnerabilities. They perform an exhaustive search using a brute-force approach.

In a vulnerability test, imagine the tester is thinking: “Well, I know 17,240 possible problems that might exist on a network. Let me check every system here for every one of those vulnerabilities and see what issues exist.” This is normally the first type of security testing that an organization performs as it seeks to develop a prioritized list of issues to remediate. Security teams also normally configure periodic scans to automatically run against their environments to detect new vulnerabilities that might arise.

However, this highly automated approach is prone to false positives, or reports of errors that don’t really exist. That’s because automated systems lack the nuanced skill set and follow-up capabilities of a trained analyst.

The Next Level of Security Testing

Penetration tests overcome this limitation by introducing trained security professionals into the equation. These experts are well-versed in the tactics used by real attackers and bring this “hacker mindset” to their work.

The testers analyze the vulnerability scan carefully, looking for chinks in an organization’s security armor that might provide hackers with an opening. The testers then exploit those vulnerabilities and attempt to gain access to systems and data. After all, there’s no better way to prove that a vulnerability exists than to actually exploit it. Penetration tests can be time-consuming, but they’re also highly productive. Their focused results provide organizations with a deep dive into how an attacker might target them.

Red team tests operate with a similar mindset and tools but a different goal. Instead of attempting to enumerate and explain vulnerabilities, red team tests evaluate an organization’s security incident response process. The red team tester often works at the behest of management, without the knowledge of operational security teams. The tester carries out the activities of an attacker, with a focus on doing so stealthily to avoid detection. The red team tester operates as a sophisticated adversary, assessing the preparedness of the security team to identify and respond to a real attack.

Begin Security Testing with Baby Steps

While organizations might be tempted to jump right to the most advanced test and engage in red team testing out of the gate, this is not normally an effective approach.

The reality is that most organizations simply aren’t ready for a red team test. It’s quite common for them to have glaring vulnerabilities in their systems or underdeveloped incident response procedures that would quickly fall victim to a red team test, limiting the value of that engagement.

Instead, organizations should view the three types of security testing as a set of tools to incrementally add to their security programs as they advance in maturity.

Vulnerability scanning is the first step in this approach, helping an organization identify the low-hanging fruit that requires attention. Teams may use the results of vulnerability scans as a roadmap to improving their security posture, working through the list and remediating vulnerabilities until all high-risk issues are corrected.

Once the organization thinks it has successfully addressed the issues that arise in a vulnerability scan, those scans may be put on autopilot and the organization can move on to the next level of testing.

At this stage of maturity, a penetration test might identify more subtle issues that an advanced attacker could exploit. Running periodic penetration tests focused on different areas of the organization can help keep defenses primed for evolving attack types.

Be Ready for a Red Alert

An organization with a mature incident response process and a few penetration tests under its belt may be ready to move on to a red team test. These tests will help leaders understand the state of their detective and corrective controls, noting the time required to identify the attack and the success of their teams and systems in repelling the attackers.

While many red team tests occur without advance warning to the security team, organizations may also adopt an educational approach to red team testing.

Known as purple teaming, this method allows the organization’s security team to sit beside red team members as they perform their work. It offers them an attacker’s view of their network and helps them gain an appreciation for the attacker mindset.

Security testing plays an important role in cybersecurity programs. While all organizations will benefit from performing these tests, they should adopt a phased approach that incorporates testing strategies that are appropriate to the maturity of their security programs. 
