‘If you don’t know what a red team is or what it does, how can you hire one?’ Speaking to security practitioners, buyers, and other vendors, we often hear a lot of interesting takes on what stops companies from embracing offensive security. But this comment, made by a participant at a Birds-of-a-Feather session hosted by one of our attack experts, Evan Anderson, during this year’s RSA conference, stuck with us.
For the people in the room—an international collection of offensive security experts—stakeholders’ confusion about the role testing plays in security is a constant headache.
Beyond hype around terms like “purple teaming,” our participants reported that individuals responsible for giving the green light to security investments are often less than certain about when or why they might need to do red teaming, purple teaming, or even basic pen-testing. Although over 80% of companies admit that it is hard to identify the majority of their network-connected devices, some security pros can even be hostile to the idea of taking an offensive look at their company’s security posture. Diving deeper into the conversation, the reasons why continued to surprise us.
Types of Testing
The boundaries between terms like red teaming and penetration testing are often shrouded in misconceptions. It helps to start by exploring the questions that different testing methods are designed to answer.
Penetration testing
Penetration testing is useful when you want to measure the business risk and impact related to specific threats. In a penetration test the scope of systems tested and the attack techniques leveraged against them are purposefully limited. Greater investment allows for more systems to be tested or a wider range of attack procedures to be deployed, but there is always a focus on measuring risk related to specific, defined threats.
The focused measurements of penetration tests are helpful for uncovering and repairing defensive gaps. Overall, organizations report that pen testing is becoming more important to their security posture. However, the narrow focus of penetration tests and their cost in capital and time limit their ability to help organizations improve their defensive resilience over time.
Red teaming
Red teaming has a much broader scope and employs a wider set of attack techniques than penetration testing. Red team engagements measure how well an organization can defend itself against an adversary rather than the specific impact of a chosen set of threats to a limited group of systems.
The goal of the red team is to achieve access to data of the most value to the target organization. They may phish the CFO to get a password to an application that also allows VPN access to a manufacturing network and production equipment with access to the company’s secret product recipes. Some number of vulnerabilities may be exploited in the test, or none may be. The red team’s goal is to reach an objective before the defenders can detect and remove them from their systems.
The more often an organization conducts red teaming exercises, the better their understanding of how their blue team will respond to a real-life attack.
Purple teaming
When you mix attackers (red teams) with defenders (blue teams), you get purple teaming. Through purple teaming, offensive and defensive teams can answer questions they might have about their counterparts’ findings.
Purple teaming can be a great way of breaking down silos, but it’s essential to understand that purple teaming is an activity, not someone’s dedicated job or role.
Overcoming Obstacles to Red Teaming
Visibility is one of the biggest challenges facing modern security leaders. To counter it, taking an outside view of your attack surface through red teaming is essential. But as our peer group told us in San Francisco, getting organizational buy-in to move beyond the limited scope and irregular testing routines is challenging.
Over 70% of enterprises do penetration testing. But the vast majority do so once a quarter or less. And what’s holding regular testing back isn’t just a lack of resources.
Testing can indeed be expensive. A typical penetration test can cost tens of thousands of dollars, and hiring a dedicated red team is a serious undertaking for any organization. With over 3.5 million security job openings last year, finding the right skills needed for proactive security testing is a significant challenge in today’s marketplace.
However, by far the biggest obstacle standing in the way of offensive security is politics. No one wants to be the person who makes their company’s cyber defenses look bad.
There is undoubtedly more executive interest in testing. Especially with technologies like continuous automated red teaming (CART), testing is now more affordable than ever. Still, a common trend among the practitioners we spoke to was that testing needs to be limited in scope and give relatively predictable results to get buy-in. In many organizations, executives can sometimes be more afraid of what testing might reveal than what it costs.
Because it’s clearly defined, penetration testing is easier to get approval for and is often seen as an essential part of cybersecurity. However, it does not resemble the free-ranging and gloves-off nature of actual cyber-attacks. Unfortunately, the first time many companies realize this is when they suffer a breach.
Prioritizing Continuous Testing in Your Organization
The positive takeaway from our Birds-of-a-Feather group was that there are ways to counteract testing reluctance. Here are two that our participants said worked for them:
1. Make it positive
Loss aversion is a well-recognized psychological phenomenon. It can be difficult to convince executives to invest in testing like red teaming. It’s a hard sell to tell your boss to invest more money to uncover new problems, especially since these problems will require even more money to fix. It can look to a board like the security team is in a cycle of throwing good money after bad.
To get around this, security leaders need to flip the script. Instead of proposing testing as a way to “find out what’s broken,” it should be seen as a way to answer “what works.”
Ultimately, red teaming and testing are a win, even when they reveal unpleasant truths.
2. Focus on future learning
Red teaming is a way of investing resources in return for a clear idea of how to improve your security posture.
Apart from suffering a data breach, something no security professional who has experienced one ever wants to see again, red teaming is the most potent on-ramp to security maturity. It’s also a direction that more regulatory frameworks, like TIBER-EU, an evolving EU-wide framework for financial institutions, are moving towards.
The ultimate goal is to ensure that organizations have the necessary buy-in from their leadership to invest in tools that continuously help them become more resilient.
How Randori Does Offensive Security
The Randori platform allows organizations to gain full visibility of their attack surfaces and to continuously test for blind spots. Built by hackers, the Randori platform consists of two solutions: Attack Surface Management (ASM) and Continuous Automated Red Teaming (CART).
Helping organizations monitor their attack surface, Randori’s ASM product flags and prioritizes the real-world risks adversaries are likely to exploit in your environment. However, while gaining increased visibility of your attack surface is crucial, in today’s ever-evolving threat landscape, it’s far from enough. No matter what types of testing are right for your security posture, the Randori platform validates your real-world risk by testing blue team defenses with a continuous and automated red team.