The military does it. The Government Accountability Office does it. So does the National Security Agency. The concept has made its way into the corporate world, too: war-gaming the security infrastructure.
Red team-blue team exercises take their name from their military antecedents. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it. Originally, the exercises were used by the military to test force-readiness. They have also been used to test physical security of sensitive sites like nuclear facilities and the Department of Energy's National Laboratories and Technology Centers. In the '90s, experts began using red team-blue team exercises to test information security systems.
Companies in any industry can benefit from a red team-blue team exercise by following this advice.
Red teams are external entities brought in to test the effectiveness of a security program. They are hired to emulate the behaviors and techniques of likely attackers to make it as realistic as possible.
For example, this team may try and get into a business building by pretending to be a delivery driver in order to plant a device for easy outside access (think port 80, 443, 53 for HTTP, HTTPS or DNS respectively). They may try also try social engineering, phishing, vishing or simply posing as a company employee.
On the other side lies the blue team, the internal security team that is charged with stopping these simulated attacks. A growing number of companies, however, are not using formal blue teams in their exercises. The idea is that they get a more realistic idea of their true defensive capabilities by seeing how their security teams react to the simulation without prepping.
The ultimate aim of such test is to test an organization's’ security maturity as well as its ability to detect and respond to an attack. Such an exercise could take up to three or four weeks depending on the simulation, the people involved and the attacks being tested.
On the surface such exercises carried out by the likes of Fortune 500 companies, governments and even NATO (with its Crossed Swords exercise) have clear benefits. Yet red teaming continues to often be confused with pen testing.
“Red teaming is in vogue this year. Every company and their dog all of a sudden are red team experts,” says Daniel Cuthbert, COO of SensePost. “Sadly, our industry thrives on firsts, often snake-oil but sounding sexy and professing to do X when in reality they have no idea what they are doing. Red teaming, as marketed by many a company, is often just penetration testing with a slightly extended scope.”
This view is echoed by other professionals, and there’s particular disdain for what red teamers are supposed to look like. Richard De Vere, director of social engineering consultancy Anti-Social Engineer, says he “despises” the view that red teaming entities equipped in black camouflage - “that’s not what it’s about” - and says there are misconceptions too over what team you need. “They are social engineers, not failed army guys. Red Teams need definition. They should not be stuck behind middle management with no scope.”
As such, perhaps it is little surprise that red teaming maturity varies across companies. “From a technical sense, it can vary from very good to poor,” says Quentyn Taylor, director of information security at Canon Europe, asked on how advanced businesses are with red teaming. “However, the main issue is organizations not understanding what they are trying to get from red teaming, what they are trying to simulate.”
With that in mind, here’s a six-step guide to getting red teaming right.
1. Understand what you’re trying to do
“The first point is to understand what it is you are trying to do. If red teaming, you are trying to simulate a likely attack, which means the attacker has to adjust their attack to suit who/what they are emulating,” says Taylor. “As a person contracting companies to perform this task, it is critical that you only work with companies who understand this principle. Similarly, the defenders must also have the appropriate tools and information as they would do in a real attack.”
“I would advise companies to think about what they want to achieve from the red team,” adds Rob Shapland, principal cyber-security consultant at information security and pen testing consultancy First Base Technologies. “It's not really appropriate for companies that do not have a mature cyber-security strategy. However, if defenses have been implemented, then red teaming should be an exercise that is done regularly and can be of immense value. Ensure that the report you get from the red team is of value, and that the recommendations are implemented where viable.”
Cuthbert agrees on the maturity of the business: “A red team is meant for those companies who feel they have done all they can to implement security measures and need the ultimate test. A red team exercise is the need for the team to truly target the organization as an adversary would do, so that both sides can understand, control the environment, and implement a more robust security posture.”
2. Choose the right partner
“Red teaming can attract the wrong kinds of InfoSec professionals, ones that aren’t directly in it to improve security but ones that believe that to break into the company is the only goal,” says Taylor. “My advice: Listen to the red teaming company, and if you don’t like what you hear, walk away. If they aren’t talking about how their services can benefit and how you can have an inclusive test, then they may not be the kind testers you need.”
Cuthbert, adds that a red team could be as many as eight people, with everyone from a mission planner, a reconnaissance and physical breach specialist to those skilled in communications and IT. Shapland adds a team could also include an expert on vishing.
“Look at the pedigree of the company you are choosing. Do they name individuals who make up the team? If not, will they supply names? If we use the same process as above, a smaller highly skilled team, then understanding who the team is, is key,” says Cuthbert. “Perform research on those individuals. Are they involved in this industry? Do they create tools, research, speak at conferences or give you an air of ‘this person knows what they are doing?”
Shapland adds that it’s vital to have the right team leader.
3. Surprise - you may not need a blue team
“You don't always need a blue team,” says De Vere. “Remediation and improvements can be made by the organization using employees that have full time roles in IT and other departments. An experienced penetration tester will be able to understand the attacks from the blue side and later work with the client to defend against malicious attackers. This might sound crazy, but it's cost effective and convenient - it's a little like playing chess against yourself.”
4. Communicate clearly with all involved
Cuthbert argues that a red team’s success will ultimately come down to a clear and understood brief, constant communication and an understanding of what red teaming ultimately entails. “You need clear and concise communication between the client and company/internal group requesting the red teaming operation,” says Cuthbert, who notes that the client should be totally clear what the red team will - and won’t - carry out.
“At the foundation of a red team is the realization that it will do everything in its skillset and experience to gain access and exploit vulnerabilities in the company’s infrastructure to give a realistic and concise overview, and they’ll do it without getting caught,” says Cuthbert. “The overall person in charge of the team needs experience in every area of red teaming, but also needs to understand the impact on the business of doing the testing, and how best to present the findings to be useful to the organization.”
5. Prepare, prepare, prepare
“Recon! Do lots and lots of boring recon,” says De Vere, whose firm carries out red teaming for a number of clients. “I try to build a really accurate picture of the organization, and I want to know everything about them. Days are spent researching them. For example, if I am entering the building on the pretext of being agency staff, I will create a fake business to back me up. If the ingress relies on gadgetry like invisible headphones, I will wear these to remain in constant contact with an assistant that will document the attack.”
“I will have a few other gadgets like GSM bugs and Wi-Fi Micro cameras charged up and ready to be deployed. I will also have a small Raspberry Pi dropbox that I can use to attack Wi-Fi from a distance and leave on-site for remote access during and after the test,” De Vere adds. “I believe 90 percent of the work is in preparation.”
Taylor adds, “Make sure you understand what the end goal is, make sure that all people involved know what they should be doing and what the parameters of the test are. Make sure that you have a contact point in case something goes wrong / you need verification. Essentially, understand what you are going to get and how it will help you become more secure.”
6. Rinse and repeat
Finally, it’s vital that teams learn continually throughout the exercise, and repeat as often as they deem necessary. “From the perspective of the red team, constant learning is required to keep up to date with the latest attacks,” adds Shapland. “Because it's based on real-world threats, we need to be current on what attacks the real threat actors are using. From the perspective of the organization commissioning the red team, it's very important to learn from each exercise, implement new defenses and processes, and then test again. This should be a constant cycle.”
“If you're a small SME that really hasn't got the budget for this, maybe you can do this once every two years and get some cheaper work and training to fill in-between,” says De Vere. “If you're a multinational this should be a constant task - a bit like painting the golden gate bridge. Test can be repeated, but you should try and recreate different attacks each time, different MO's, different skill sets - even different testers.”
In many ways, parenting and security have a lot in common. No book exists that provides all of the answers. There is no silver bullet, and both roles can be overwhelmingly stressful. Getting into the mind of the enemy, though, might be a little easier done than understanding the inner workings of the teenage mind.
Parents are the blue teams that want to know how susceptible their children are to life's many temptations and pitfalls. The red teams, all of the possible dangers that could hurt a child, are those who want to get in. The greater challenge is for the blue team to protect their domain by finding that one vulnerability that can be exploited without putting too many limitations and restrictions on users.
There is only so much preparation a blue team can do without defeating the purpose of running a simulated attack. It should, however, do the following ahead of the exercise.
1. Understand the controls
What's most important for blue teams, says Matt Rodgers, head of security strategy, E8 Security, "Especially around phishing and vishing, is the ability to understand what types of controls exist in their environment. I've seen people finding controls in their network as they go through an exercise."
2. Make sure you can collect and analyze the data
Because blue teams base their function off their ability to collect and make use of the data they collect, log management tools, like Splunk, are important tools. Rodgers says, "Another piece of the puzzle is understanding how to collect all the data of what the team has done and record it in a high enough fidelity in postmortem exercises to determine what they did right or wrong and how to do it better."
3. Use the tools appropriate for the environment
The tools that blue teams need is determined by their environments. "They need to ask 'What is this program doing? Why would it try to format your hard drive?' and then add technology that blocks unanticipated actions. The tools to test whether that technology was successful come from the red team," said Michael Angelo, chief security architect, Micro Focus.
4. Have experienced members on the team
For the blue team, what is most valuable is the knowledge that people have in addition to tools. Angelo said, "As you get used to doing these things, you start to think, ‘I’ve seen that, I’ve seen that, they do this, they do that, but I wonder if there isn’t a hole.’ If you only prepare for the things that are known, then you won't be prepared for the unknown."
5. Assume there will be failures
Asking questions is an invaluable tool that will encourage exploration into the unknown. Angelo said, "Don’t stop at preparing for the things that exist today. Assume there will be failures in your infrastructure."
That assumption, that there will be failures, that nothing is 100 percent secure, that we can no more create perfect children than we can perfect security might be the greatest tool anyone can find.