At Randori, we help security teams by unlocking the attacker’s perspective. Red Teaming has long been the gold standard of offensive security, offering an authentic and highly realistic process for organizations to gain a holistic assessment of cyber risk. As more organizations move to adopt more proactive approaches to managing cyber risk – many are considering hiring a red team or investing in establishing a red team capability in-house.
For those unfamiliar with red teaming and without hand-on experience conducting red team operations, establishing a red team can be a daunting and scary task. However, for those who know what’s required and how to find the right talent, adding red teaming to your security arsenal can be transformative. In this new series, our team will guide you through the process of establishing a red team and help you decide if doing so is right for you.
Spread out across five chapters, we will explain:
- What is a red team?
- What is the value of red teaming?
- What’s needed to build a red team?
- How do I get started?
- When does it make sense to have a red team?
- Who do I hire?
- What should I look for in an applicant?
- What tools will my red team need to be effective?
- What metrics should I use to measure effectiveness?
- Is establishing a red team right for me?
- What are my alternatives?
In this first chapter, we look at how to begin engaging with red teams and what value they can bring to your organization. Click below to watch.
Transcript:
Hi I’m Eric McIntyre, Vice President of Hacker Operations at Randori.
The whole point of what we’re doing right now is to help businesses reduce and assess their risk when it comes to their cyber assets. That’s the point of any red team really is to exercise your security program. So you can figure out: where does it have holes, and where can it be improved?
Being able to measure investments in security has been something that’s been difficult for the industry to do, because the absence of an attack is not an indication of effective security posture. If you want to have a red team function, that’s a function that regardless of the extent to which you do it requires a lot of focus.
The smallest red team that is really effective would be one person, but that one person would be an individual that would need a wide array of skills. So when you’re starting a red team from scratch, hiring your first red teamer can be a big step for a lot of companies because in the size of our most IT budgets, and FTE is a portion of that.
For us at Randori, the components that we have are our effective red team is a targeting team, a research team and an attack team. And in general, you can look at each of those components as a component that is essential to any red team.
So in any red team, you’ll have some necessity to do research activity where you have some expertise in finding vulnerabilities, analyzing vulnerabilities, that are out in the public and then building the tools and capabilities around those vulnerabilities to actually exercise some kind of an effect in the network. You also need a targeting team. Your targeting team is going to be your intelligence analysts. These are people who are able to identify targets within your network and who are able to look at network activity and determine whether a vulnerable system exists or not. And then you need an attack team. An attack team is people who can be hands-on-keyboard, who can look at a network environment and execute the tools that your research team is producing.
So at Randori, our three teams come together to form all the functions of effective red teaming in a way that you can leverage across all of our customers. So if we have a certain set of targets that we see that our targeting team can identify and dig in on and report that to our research team who can then develop novel techniques and exploits against those targets and then provide that as a toolset to our attack team. You have a lot of individuals working for you when you have a Randori red team experience that would be really expensive to recreate on an individual company’s basis and is outside of the range of what most companies could afford to build in-house.
A lot of corporations we see run similar in-house applications. And so there’s a lot to be gained by leveraging the commonalities and having a red team that’s looking across the board at everything that’s happening in the industry.
From our perspective, it’s not about just providing you some level of attack. There are two primary benefits of having a red team. One is the ability to test your ability to detect attacker activity. You have this security program that you’ve invested a lot of money in. Not a lot of people have the ability to test the effectiveness of all of their investments.
Look at what just happened with Log4j: the top targets that we found in log4j affected a really wide range of our customers. And so when we were able to develop the tooling and exploitation around those targets, we were able to apply that to a number of customers simultaneously. So they could all see whether their systems were in fact patched or if there were some that were forgotten. Or what the result of exploitation was — whether their teams were able to detect that and recover it.
So when you have a red team activity, you get to see the feedback loop of how far an attacker is going to get in your network before it starts triggering some of your defenses. Or where attackers find holes in your defenses and where you can improve the defenses that you have.
Tune in on Wednesday, April 6th for part 2, where we’ll discuss the business case for red teams.