This interview was originally published in the 2021 TAG Cyber Annual and is part of a collection of interviews with cybersecurity leaders.
Testing your security defenses is foundational. Without an understanding of your weaknesses, it is nearly impossible for the security team to accurately and efficiently decrease risk. Traditionally, organizations have relied on a combination of testing methods, including vulnerability scanning and penetration testing. Vulnerability scanning is the least intrusive way for organizations to assess weaknesses in assets. However, scanners rely on a database of known vulnerabilities and thus can’t handle zero-days or advanced attacks. Penetration tests go deeper: testers use a combination of scanning and manual techniques to find vulnerabilities and then attempt to exploit them to determine the organization’s risk. That said, penetration tests are generally designed to assess only a limited portion of the organization’s assets.
Red teaming is by far the most thorough type of security testing, as it is designed to simulate a real-life attacker’s tactics and techniques. But quality red team assessments require dedicated resources and a big budget.
Former Carbon Black VP Brian Hazzard and red teamer David “Moose” Wolpoff founded Randori to build an automated red team platform accessible to organizations of any size. We spoke with David Wolpoff, Co-Founder and CTO, about this area that’s quickly gaining traction among enterprises.
TAG Cyber: First, can you explain what a red team assessment is?
As a former enterprise red teamer, I regularly get asked, “Should I do a pen test or hire a red team?” The answer comes down to the question you want to answer.
A pen test will tell you if a specific set of security controls is working as designed but will not provide insight into your security program’s overall effectiveness. A red team assessment focuses first and foremost on delivering an authentic evaluation of your ability to adequately defend against an adversary—real attacks, real targets, real objectives. It’s the closest thing a security team will get to a live-fire exercise.
Questions a pen test will answer:
- What public exploits am I vulnerable to?
- Does this security control work as expected?
- Am I getting the right alerts?
Questions a red team engagement answers:
- How hard is it for an adversary to breach my organization?
- Is my security program working as expected?
- When unexpected things happen, can my team respond under pressure?
TAG Cyber: What are some of the secrets you learned as a red teamer?
We founded Randori to be able to provide organizations with an internal red team capability. That means the experience needs to be authentic, dynamic, and provide CISOs the necessary confidence and information to build board-level trust.
Like any real adversary, the product starts with recon. The Randori Recon engine is “black box”—meaning we start with very little information, like an email, to kick off our continuous reconnaissance—just like a hacker would determine what’s connected to an organization.
From there, we flavor that information with what we call “Target Temptation” to identify what things to attack first. Just like a real attacker, Randori is always working against an objective. Security teams looking at a list of top targets on the Randori platform can use Randori to determine why that target is tempting, and through the use of attack, understand if there is a route to the company’s “crown jewels,” i.e., most valuable commodities.
Unlike BAS (breach and attack simulation) solutions, the Randori attack experience is both safe and authentic. When users launch a Randori attack, they learn how to protect their unique environment and gain a deeper understanding of how to protect their real production assets. Hence the meaning behind the company name Randori, which means “freestyle practice against an adversary.”
TAG Cyber: Before a company conducts a pen test or red team, how should they prepare?
First, start with the basics. The point of a red team engagement or a penetration test is to learn. If there are things you already know you need to address, address those first. After that, you should stress the entirety of a program to see how hard it would be for an attacker to zig-zag through an organization.
Secondly, not every security program is ready for a red team. Don’t jump to bringing on a high-end red team unless you’re prepared for high-end learnings. If you’re still focused on blocking and tackling, maybe you’re not ready to get a red team to beat you up.
TAG Cyber: No type of security testing is beneficial unless something can be done with the results. How does Randori help with remediation?
It’s an interesting question and one that comes up with almost every customer. I’ll give you the same answer that I used to give on red team engagements, and that I now use when talking with Randori customers.
The goal of Randori is to challenge your assumptions. We leverage our perspective as an adversary to raise questions, uncover issues, and identify process failures organizations may otherwise overlook. We are not trying to find every vulnerability; instead, we aim to help organizations up-level their security program by identifying systemic failures and empowering their teams with the skills needed to get to the root cause. Sometimes that’s a patch—but far more often remediation in the Randori context involves providing security teams with the evidence they need to change processes and training. Rather than fixating on the specific issue, we encourage our customers to focus on enacting changes, such as network segmentation, improved visibility, and better training. These things allow companies to build security programs resilient to entire categories of risks, not just the latest vulnerability.