What is red teaming? It’s a new technique used by cyber security experts to simulate realistic cyber-attacks. These highly realistic exercises help companies effectively measure their current security policies and procedures. But how does “red teaming” differ from a traditional penetration test? Why can it be beneficial to an organization? What should you do with the results of a red teaming exercise? To learn more, we checked in with Hill + Knowlton’s Digital Resilience expert, Ray Boisvert, and asked him for a crash course on red teaming.
Ray is an intelligence expert and well-respected thought-leader in the Canadian security space, providing clients with uniquely sourced insights into risk-mitigation strategies and solutions. His expertise is rooted in more than 28 years with the Canadian Security Intelligence Service (CSIS), from which he retired in 2012 as the assistant director for intelligence.
It’s about trying to really ‘break in’ to your own network – and you do this by adopting the mindset of a predator. – Ray Boisvert
Q: Why is red teaming becoming a popular exercise for testing vulnerabilities? Is red teaming considered to be a justified ethical hacking method?
Ray: Well first, and to be precise, Red Teaming has not become “popular” (at least not yet), but it has increasingly been seen as a viable and perhaps even a necessary step in a contemporary approach to cyber security resilience building. First, it’s about going well beyond testing one’s basic assumptions on how effective their cyber security strategy is. In other words, it’s not about a new cyber security policy blitz or a once-yearly penetration testing effort that involves sending employees relatively enticing emails with embedded (yet harmless) malware.
It’s about trying to really “break in” to your own network – and you do this by adopting the mindset of a predator, and acquiring the prowess of skilled hackers. The reason I believe it will eventually be a normal function within an effective defence-in-depth strategy is that in challenging times we must increasingly consider innovative and truly bold approaches. Given that the threat environment is increasingly volatile and complex, all organizations must challenge their own security policies, networked architecture and threat monitoring capabilities. The challenge, of course, is that it takes a certain amount of foresight and willingness to take such risks, along with a good dose of institutional courage. I say foresight because not all organizations will assess the risks inherent in the current and evolving threat environment to the appropriate level. Moreover, fewer still will be able to achieve an executive consensus view of letting “hackers” break into their network.
Finally, it is clear from my experience working three decades within the national security infrastructure that Red Teaming, or applying the skills of internal or external “ethical” hackers, is a most necessary measure. In a present-day environment, where most institutions and organizations are up against the best hackers in the world – all with malicious intent, such as stealing assets or abusing privacy – organizations are left with a singular pathway to the highest level of threat assurance, that is, the path of appropriately applied ethical hacking.
Q: What are some of the tactics used in a red team exercise that are not used in traditional penetration tests?
Ray: As partially illustrated in my previous comments, it’s really about a dedicated and purposeful approach to hacking your own organization. Again, it’s not about perfunctory penetration testing via an external vendor who goes about sending random emails to employees in the hope of enticing a few people to click on a malicious email link. The most significant differentiator is the skill sets of those doing the targeting.
I’ve worked with various firms that do this, and of course I only turn to the professionals, many of whom are former national security types. I do this for obvious reasons: value for a client’s investment is the first priority. In real terms that means contracting only those that are truly the best in the world… or at least the best available from the ethical or lawful side of that virtual world. In addition, you want a team that is very precisely focused on the clearly articulated operational objectives and conditions set out by the client. Therefore, I’m contracting out exclusively to the most capable assets from that world, as they are the most ethical and frankly the most bound to the culture of confidentiality.
My last thought on your question is that too many firms do what I call “security by the numbers”. They do everything with an eye on meeting basic standards and ensuring routine preventative maintenance. That is simply a predator’s or malicious threat actor’s preferred state for targeting. Transnational hacking collectives, or nation-states seeking a firm’s IP, hunt for organizations that demonstrate that type of institutional predictability or cyber security complacency. What I like most about Red Teaming is that it puts your best defence to the best, most realistic threat test. It’s about testing yourself in real-world conditions, or I’ll even call it a “battlefield” simulation.
Q: Why is red teaming much more effective for uncovering potential vulnerabilities that can be exploited to gain further access to an organization’s data and information?
Ray: The teams I’ve worked with from the UK, the US and Canada are subject matter experts who literally “go to school” on the target. Reflective of my experience in the security intelligence realm, responsible for special operations planning, success in penetrating a target has as much to do with collecting relevant data on that target, planning operational moves, and then repeatedly surveying the locale. Execution, in fact, is greatly subservient to the former items I just noted. A top-tier intelligence agency would never operate based on faulty intelligence or with the chance they could be caught in the act. So they plan, survey, and then survey and plan again. Before going live, rest assured the firms I recommend to clients have the knowledge necessary to get in.
Only through this type of national security level of attempted intrusion can an organization truly test its security investments. But of more precise value is that an organization can gain invaluable insights on what happened during the multiple attempts to enter, and even more importantly what were the actions and reactions of the inside team, such as the Security Operations Center or SIEM. The post-Red Teaming analysis is of extremely high value, and not always properly valued or exploited by organizations seeking to improve their defences.
Q: Can you explain the steps taken to properly conduct a red team exercise? Can you also provide the average length of time it takes to complete an exercise?
Ray: First, and as stated earlier, it begins with a recognition of the need, a consensus on what needs to get done and then some good advice with the intent to meticulously plan the project. To break that down, let me say first, it really resolves to a realization by the internal leadership team that a more aggressive, real-world set of tests and evaluations must take place. Second, it will involve the development of what I would call a “quiet consensus” that the risks inherent in such an effort must in fact be assumed. Thirdly, the leadership group must agree on what needs to be accomplished through such an investment and identify a lead, including perhaps who should advise and procure this specialized skill set. Lastly, it’s really about figuring out the rules of engagement for the ethical hackers. This in itself is one of the most important aspects of the process. Getting it wrong will lead to failure, perhaps only a failure to meet expectations, but quite possibly it may involve an embarrassing failure or even one with unexpected negative consequences.
Once a decision is made and preliminary planning has been completed, the actual time it takes to complete the mission varies tremendously. It depends on where the starting point is. A firm can provide the Red Team with a number of leads into the organization, from technical specs to network details. However, the teams I’ve worked with prefer to go without any privileged insight – just like the state malicious hackers would find themselves in. And I agree that creates conditions that will deliver the best results. Typical time, however, could range from a thirty-day contract to one that goes into perpetuity… well, I don’t mean forever, but until they get in, and often that means less than a couple of months. Much depends on the depth and scope of the organization, how well versed employees are about cyber security, the nature of the investments previously made to secure the firm, etc.
Q: Do you think it is necessary, when conducting a red team exercise, to have a blue team in place to defend the attack? Can blue teams be beneficial in identifying vulnerabilities?
Ray: As I said, it comes down to what we really want to learn from this. Well, certainly my answer would be I want to watch how we cope with day-to-day network activities, how our security staff do their job, but most importantly how they handle what should appear to be a complex attack or a very stealthy, low-energy campaign to gain access to our environment. Then, we must certainly track and record how we respond to each and every step – and that involves the home team. That team does not have to be a dedicated Blue Team, especially when I prefer to not / not communicate what is about to take place. But also because not all enterprises or institutions can afford to have a dedicated cyber security team, let alone one that can engage in a full-blown exercise or real-world assault.
Having said that, however, one would hope all organizations, irrespective of size or budget, have the protocols in place and/or outsourced IT management to deal with this everyday occurrence and certainly respond to an attack by ethical, yet highly skilled attackers.
Q: Once initial information is collected and the multi-staged attack executed, how do you measure the benefits of the outcomes? What is an organization to do with the results from a red team exercise?
Ray: There is a particular lesson from national security practice that has not been lost on me in the four years since I left the Canadian Security Intelligence Service (CSIS). Post-event reporting is likely to be one of your most important activities to develop relevant information, and long term insight. Given the sensors that are deployed on networks, recognizing the skills (we hope) exist within a number of organizations doing defensive work, we could consistently and successfully access important data that will allow us to provide judgment on capability and response.
Therefore, even prior to an effort to invest in Red Teaming, but certainly immediately before, during and after, the CIO or CISO and her or his team must plan to fully exploit data and general information parameters made available from established or enhanced sources of reporting. And, when a Red Team exercise is launched, they must have redoubled that intake effort and made plans to analyze results for short-, medium- and long-term trends and intelligence.
From what I’ve seen in the past, organizations have been able to glean important information that has allowed them to make critical adjustments across the broader spectrum of the organization – from policy and practices, to Security Operations Center protocols and larger response capabilities.
Q: Why should Canadian organizations – in the private and public sectors – strongly consider conducting a red team exercise?
Ray: I’ll say three words relative to long term harm in this complex and fast moving cyber and insider threat environment: complacency, complacency and complacency. In the national security environment those words were tantamount to potential loss of life or serious reputation damage to the agency or the government it served.
Doing routine things and relying on traditional playbooks or approaches to security simply does not cut it anymore. The stakes pertaining to costs, careers and organizational reputation are increasingly high – and their long-term effects are measurably hurtful to the sustainability of a firm or institution. As such, more creative and innovative approaches are necessary in order to achieve the highest level of cyber resilience assurance.
Moreover, I believe most CIOs and/or CISOs are now paid to be those types of leaders. I appreciate the environment for these types of leaders is not always accommodating to security concerns, but I also know once a breach occurs, they are the ones left to demonstrate to the executive team or the Board what steps, and particularly leading-edge approaches or measures, were taken to secure the realm.
So with that in mind, I cannot think of a better insurance policy worthy of active consideration than Red Teaming.