When Red Team Isn't Right For Your Business (and When It Is)
Red teaming: the ultimate goal for a lot of pen testers. The super shiny, super cool stuff we see in the movies (or on Jayson E Street's YouTube account), where people are breaking into buildings for a living, plugging in their laptop and compromising a whole organisation within the hour, meanwhile the SOC is rapidly trying to defend against all the pew pews being thrown at them.
It's all super spy, super secret, super sexy shit, right?! The kind of engagement us sales people want to be selling. Making our pen testers sound like they're James Bond, bypassing security gates with custom-made ID badges and chatting up the receptionist, sneaking into server rooms and hitting that F12 key HARD to hack into the mainframe... conceptually, it's not that hard a sell. But... and here is the BIG but... it's also probably not the right thing for your organisation. Here's why...
The majority of organisations that I, and many other salespeople, deal with on a daily basis have neither the foundational security processes, nor the actual people in place defending the business, nor the budget for this kind of engagement. You want someone putting in the prep time, hiring cars, creating a backstory, etc.? Well, they don't come cheap! In my honest opinion, most companies are just not mature enough for a red teaming exercise to provide them with any real business value.
I've seen sales people selling full on red-teaming exercises to organisations who've never even had an external pen test. That business will absolutely be pwned within about five minutes because they have no visibility into their weaknesses in the first place, never mind the technology in place to prevent a malicious actor from doing their thing on the network. That kind of salesperson is the kind that gives us a bad name. In it for the money, not for helping clients become more secure.
So what would a highly ethical and brilliant salesperson like yourself recommend then, Amy?
Well, I'm glad you asked, Amy! Personally, I like to get an understanding of where a client is on the maturity scale. An initial conversation with a customer usually has me understanding what their security team looks like - having the right people in place to drive the security strategy of the organisation is crucial.
Businesses right at the beginning of their security journey may not even have a strategy in place at all. This is why red teaming would be absolutely pointless. If they've not got the basics in place, then going straight in with advanced security testing techniques is not going to provide any benefit, other than for our tester to be able to say they got domain admin within an hour.
I'd recommend that organisations pick a security framework and work towards implementing the basic controls to give themselves a foundational layer of security. At Cognisys, we usually start off by mapping a business' existing security measures to the NCSC Top 10 which covers: Risk Management, Network Security, End User Awareness & Training, Malware Prevention, Removable Media, Secure Configuration, User Privileges, Incident Management, Reporting, and Remote Working.
Once an organisation has an overview of where they are vulnerable in terms of their overarching strategy and where they could be doing better with their foundational layer of security, then they can start to work up that maturity curve.
What would the next steps be?
Great question, Amy! Once the baseline is in place, I'd recommend starting some more in-depth testing. If we think of our business as our house, then by putting in controls like multi-factor authentication and a proper patching policy, we've essentially locked the front door. Now we want to test how well the windows fare. Our attack surface has been reduced, and now it's time to understand how the smaller entry points can pose a risk to our organisation.
If you're brand new to security testing, then I always think that an external network test is the best place to start. It's basically checking your perimeter, or with our house analogy, it's checking the garden gate and the front door are closed properly so people can't just walk in. Nowadays, many insurance companies require businesses to have an external security test before insuring them against cyber attacks, so it's always a useful exercise to carry out.
From there, you should really be looking at where your critical data is and working with your security testing company to come up with a strategy for mitigating the risks posed to your business: from web application tests against your website, to internal infrastructure tests to see whether a malicious insider (or someone who's good at phishing) can escalate their own privileges to reach that all-important domain admin role. There is a myriad of testing that could, or should, be completed before you attempt a red teaming exercise.
So when would red teaming be right for my business?
Once you've got a regular cadence of security tests in place, and you've got a handle on the vulnerabilities you have and understand the risks posed, then it would be time for a red-teaming exercise.
I'd also say that you need to have monitoring in place to make sure your blue team (your SOC) has the ability to spot when an attacker is in the network, and you need to have proper reporting processes so that, if someone is doing a physical red team engagement, there is a protocol for highlighting that someone is coming into the building and you're not 100% sure they should be there.
If you're at the level of maturity with your people, processes and technologies that you think you could identify a malicious actor in the network, then I'd be more than happy to have a discussion with you about how a red teaming exercise would work for your business. But without these things, you'd be better off with a set of security tests and a really good incident response plan.
MXDR Senior Sales Executive @Ontinue | Nonstop SecOps | Ex-Microsoft
3y
"So what would a highly ethical and brilliant salesperson like yourself recommend then, Amy?" 🤣 Really enjoyed this read and brownie points to you on the credibility front...
Principled technologist focused on secure services to give confidence in achieving business goals | Public Sector / Regulated Industry
3y
Not selling something the customer can't get value from is the mark of all my favourite sales people Amy Stokes-Waters. Great post, really helpful!
CISO, Advisor, Speaker,
3y
Wise words... Fundamentals first, big fan of ten steps...
"...sartorially he’s what you’d get if The Doctor decided to park the Tardis and spend some time in cyber security." - Andrew Peck
3y
I've come across situations plenty of times where red team exercises, pen testing, and sometimes even incident response have been flogged to organisations who simply weren't ready for them. I get why - they're a fairly easy sell, they're the 'sexy' part of security, and they provide something concrete at the output. If you aren't at a stage where you can use that output though, you may as well chuck your budget down a hole. Without proactive, preventative capabilities (visibility, detection, remediation, an established SSDLC lifecycle, etc.), all you get out of these is a tickbox on some ill-thought-through compliance standards and some fancy-looking reports. Yes, the preventative stuff is the boring hygiene stuff, it isn't as sexy as the Hollywood pen testing and red teaming, it isn't particularly visible (when it's done right at least), but it's the stuff that will let you actually get value from the fun bits. Thanks Amy Stokes-Waters for calling it out. 😀