Can Security Red-Team Exercises Give You ROI On Your Cyber Security Expenses?
Updated: Jan 14
Penetration testing has always been a way for companies to test their resilience to a cyberattack and their preparedness.
In recent years, we can see a shift in this practice, from a penetration test of a specific system, or systems, to a more elaborate, full-blown attack launched on the whole organization in the form of a red-team exercise. Being the founder of a red-team exercise provider, I have seen companies go through this process. Companies do this to evaluate the worst-case scenario, what will happen during a security breach, and how well equipped the organization is to identify and respond.
In the scenario of a red-team exercise, a group of attackers has identified one or more security holes that will allow them to access the organization's network. Once the attackers gain access to the network, they will usually try to go after the "crown jewels," including its financial systems, private intellectual property, and data of its business and clients. Sometimes attackers can spend many months on a compromised organization's network to fulfill their plans and fully exploit the organization.
Many organizations have learned this lesson the hard way, with several attacks launched against large corporations, such as Sony Pictures, Marriott, Yahoo, Target, Alteryx, and Equifax. However, this shift also came from industry leaders, seeing where other companies fail and proactively handling these situations.
Nowadays, we see company leadership asking questions like: How can we tell if we are a victim of a cyberattack? Will we know when it happens? Are we equipped enough to handle this incident in real time? Have we wisely spent the millions from our security budget on these security tools? Can we trust them when the time comes?
This maturity phase of the security industry is also the dawn of understanding that for an organization that wants to be ready for cyberattacks, there is no magic solution, no silver bullet.
When companies start performing these security red team exercises, I usually see initial shock. At first, most organizations don't even know that anyone has infiltrated their network. Even when the red team reaches their SAP systems, compromises management laptops, and takes control of critical systems — they often know nothing about it.
The second exercise is usually much better. Improved detection usually enables seeing the attackers on their accounting systems, but the response is nonexistent. By that time, usually, management becomes a bit restless, and that's when some significant improvements start happening.
Organizations that regularly perform this activity become very effective within a couple of years. EDR solutions support the improvement in detection. When deployed correctly, these solutions can grant the organization more visibility in real-time and into the forensics of the attack. Unfortunately, cybersecurity is a game of cat and mouse — some advanced attack methods bypass these EDR solutions.
Preparing an organization for a cyberattack involves higher management, the technical teams, and the security teams. Testing all layers of the security stack and the way the security team handles security incidents will show the holes in an organization's defenses. Not only that, but this exercise can help identify which security tools operate well (and which should be replaced) and will help the organization learn and adapt to this changing reality.
When a company takes its first steps in the form of a red-team exercise, I recommend keeping in mind the following:
• Prepare to be surprised: The product of the first exercises can be somewhat "scary." Still, it is better for a friend (e.g., a trusted vendor/service provider) to find these problems than a hacker or a malicious entity.
• Remember, this is a proactive exercise: The goal is to identify the weakest links in the organization's defenses and fix them, not find who is responsible and punish them.
• Rules of engagement are a critical piece of the puzzle: Due to the sensitivity of these exercises, one should lay them out very clearly.
The targets of a red team (sometimes referred to as "trophies") can be of a large variety, so make sure these targets align with your goals and plans. For example, the owner of a marketing website who fears a defacement that would significantly impact the brand’s reputation would set a different target than a financial institution concerned with having its sensitive clients' data accessed, or a pharmaceutical company concerned that malicious parties will steal its IP assets and formulas.
A red-team exercise can serve as an MRI scan of an organization's security infrastructure. A successful red-team exercise will showcase the main gaps and whether the organization can adequately identify a cybersecurity attack, respond to the attack, identify the root causes and hopefully prevent future episodes. It will also present the organization’s gaps in terms of tools, knowledge and methods, such as application security, network segregation, vulnerability management and more.