In 1871, military theorist Helmuth von Moltke wrote, “no battle plan survives contact with the enemy.” Because cybercriminals will do trillions in damage this year, often to well-protected organizations, the same logic seems to hold for cybersecurity today. Fortunately, there is a way that organizations can find their security weak points before real-world attackers do: by testing their security posture with red teams.
Red teams are security professionals who play the “bad guys” against “blue team” defenders. Every bit as skilled as real threat actors (sometimes former nation-state attackers themselves), red teams probe an organization’s attack surface looking for ways to gain access, get a foothold, move laterally and exfiltrate data. However, unlike cybercriminals, red teamers don’t cause actual damage. Instead, they expose cracks in an organization’s battle plan – creating valuable opportunities for security teams to learn and make changes before damage is done.
Whether staffed in-house or provided through a platform like Randori, red teaming helps improve security by telling organizations exactly how a real-world cyberattack would succeed or fail. By pitting their defenses against red teams, security teams learn what is and is not working. Organizations with a red team capability do not have to wait for a real attack to find out whether their security strategy is effective. They can know in advance.
In part one of this series, we talked about the components that go into creating a red team. In part two, let’s explore the benefits of red teaming and when it makes sense to establish a red team capability.
Red Teams Are Vital for Testing Security
Red teams are a uniquely powerful way to assess your security return on investment (ROI). For anyone responsible for cybersecurity, this capability has never been more critical. The majority (69%) of organizations will increase the amount they spend on cybersecurity this year. Unfortunately, even though CISOs have more on the line than ever, linking dollar amounts to actual increases in security remains notoriously complicated.
Budgets may be rising, but funnelling money into the right areas is critical. How do you know which areas are the right ones if you don’t test? Without proof and data on what is and is not working, security investments can easily end up being spent renewing or acquiring ineffective tools, or on time spent piecing together an ever-growing list of disparate security tools in the hope that it will simply come together.
The resulting security solution bloat can quickly obscure ROI further — an issue that compounds with scale. Tellingly, the average small to medium-sized business now uses up to 60 security tools, yet 78% of IT leaders do not believe their organization is protected against cyberattacks. Fewer still can tell you which of those tools is most effective.
The only way to figure out what is and is not working when it comes to an organization’s controls, solutions, and even personnel is to pit them against a dedicated adversary. This is the real value of red teams. They give security leaders a true-to-life assessment of how secure their organization is. With red teaming, it’s possible to gain a high-level picture of whether an investment is helping stop the kinds of threats organizations face in the wild.
Aligning with regulatory frameworks can help security leaders ensure they have the foundations in place, but it should never be the end goal of an effective security strategy. Even the most comprehensive frameworks will not protect an organization – so having a way to accurately show defenders where their organization’s weak points lie in reality is essential. While most frameworks require annual or quarterly penetration testing, the reality is that environments today change far more quickly, so the need for organizations to adopt continuous approaches, such as Randori Attack, is growing.
When a Red Team Makes Sense
Whether you’re new to an organization and trying to understand what you got yourself into, or have built out a program and are looking to demonstrate progress, CISOs and security leaders need to understand the current situation and whether what they have in place works. The key question leaders need to answer before building out a red team capability is: is my team ready?
Unlike a pen test, a red team gives insight into the systemic issues inside a security posture. Red teaming is not just for answering basic questions, like “is my EDR solution configured properly?” or “can my NDR solution detect specific C2 techniques?” Instead, a red team seeks to do that and much more – providing unique insight into not only whether you have the right pieces but whether they are coming together in a way that is effective in practice. As a result, red team deployment makes the most sense once an organization has already invested in efforts or solutions, such as EASM (Randori Recon) or VM, to identify low-hanging issues. Further, red teams work best when they have an active blue team to spar against, so having a SOC or other internal group capable of engaging with and learning from the experience is key.
Why Red Teams Are So Rare Today
Regrettably, developing a red team capability has historically been incredibly expensive – as a result, few organizations have the resources to field a dedicated red team. Some organizations have attempted to split the difference, using their resources to hire a single red teamer. However, to be truly impactful, a red team needs enough personnel to mimic the persistent and well-resourced threat level that modern cybercrime gangs bring to bear. This means a red team should include dedicated members, or sub-teams, for targeting, research, and attack.
A variety of third-party vendors exist to give organizations the option of contracting red team services. These range from large firms to boutique operators that specialize in particular industries or IT environments. Nevertheless, while it is easier to contract red team services than to employ full-time staff, doing so can in fact be more expensive, particularly if done regularly. As a result, few organizations use red teaming frequently enough to gain real insight.
How Randori is Making Red Teaming More Accessible
Randori has developed an industry-first — a continuous and automated red-teaming solution that gives organizations the ability to continuously assess their security posture the way an in-house red team would. Powered by some of the world’s foremost hacking talent, Randori Attack works just like a full on-prem red team does.
Searching for and probing network defenses for entry points, Randori automatically finds exposed attack vectors and prioritizes them based on hacker logic. Once it finds a way in and is authorized to proceed, Randori can simulate a real-world attack, finding and gaining access to critical data and assets. The entire time, Randori provides security teams with a transparent window into how the attack is progressing, and detailed reporting when an attack ends.
As a result, Randori offers organizations the benefits of a red team at a fraction of the cost. Most critically, it tests an organization’s security posture continuously. This gives security leaders a way to gain up-to-the-minute visibility into how their defenses are performing and gives mid-sized organizations access to enterprise-level security visibility.