How Red Teaming Gain Greater Immediate Traction Over Auditing

The most obvious outcome of being 'attacked' is the creation of awareness about the converged nature of sophisticated threats and APTs as well as the interdependencies that exist under the surface of organisation's functional structure. A Red Team process often does this by taking a holistic approach to assessing and exploiting security vulnerabilities particularly once the 'perimeter' is breached through a phishing attack, which is characteristic of the large majority of advanced attack scenarios. The topic of human-related risk and the dangers of social engineering are not really engaged at board level, which is often also true of cyber risk, so the outputs from the red team exercise provide a demonstration of reality that will be very quickly absorbed into organisational perceptions from the basement to the boardroom. Both tend to be exposed as weaknesses to social engineering, physical intrusion, and transitory infiltration.

The first outcome of a red team exercise is instinctive, and typically mirrors the response to a real breach: the board dictates that the firm needs a change of approach. This is partly because they see that the current approach is inadequate, but also to rebuild confidence which inevitably is hit hard once vulnerabilities are demonstrated through the simulation of real-world. While this leads to two main consequences in changes to business practices, and a complete reappraisal of security investment and board focus on protecting the organisation, it also leads to a complete review of the company's risk agenda to realign it with the proven reality of threats that could have severe implications. This batch of outcomes already represents a seismic shift for many firms and a final transition that many previous efforts had not achieved.

To most this represents 90% of the solution to cyber security. To the different management teams involved in security, operational risk, business continuity, or crisis management, there is a huge incentive in this wholesale realignment in different levels of management, particularly with board participation around a security roadmap that is designed to address the fears that many hold. The only way this is really achieved is by translating the security reality into a business risk equation that CEO and CFO can read in monetary terms, or the CMO can see as brand equity and reputation. This risk-informed recalibration of appetite is the key factor in effecting change from top-down, and a unique aspect of Red Team workshop outputs when built on scenario outputs.

To most firms a real-world attack simulation is as much a 'game changer' as actually being targeted. In both cases, firms can expect to learn hard lessons but the Red Team process ensures that the organisation is ready to absorb the lessons, and identify the benefits without the pain or damage of an actual breach. This point cannot be underestimated. In a real event there is invariably a catalogue of human and management failures consistent with the inability to think clearly under pressure. This, despite the fact that the realisation of a breach is usually long after the first penetration occurred. In reality, most lessons are only learnt after a real event, even when the overriding climate is negative or less orientated towards learning.

Red Teaming aims to provide lessons before an event, and a wargame, which simulates a prolonged attack, allows lessons to be learnt during an attack or tests a firm’s ability to interpret and apply experience into real-time learning. The 'learning by doing' opportunity that security exercises provide, is crucial to identifying failures in breach incident response as well as failures in security. So the appropriate design of a Red Team process will ensure that a balance is achieved between reinforcing security, and preparing the appropriate response. While this will offer managers a list of immediate tactical priorities for remediation, and short term imperatives for change; it will also pick up previously peripheral issues that had not been addressed or prioritised specifically because they may have been proven to be more critical to the overall security apparatus than previously recognised. Often these are 'human' aspects known to be weaknesses, though not recognised and addressed at an organisational level.

By establishing the right Red Team framework, particularly when integrating a wargame process, the learning objectives are set at the top of the agenda if the organisation is astute enough to accept that a breach will occur, and the success is measured by how it deals with this. Hence, one key facet of security exercises is that they create an atmosphere in which staff are prepared to accept the need for changes that the exercise will highlight. More specifically they recognise the rationale for the introduction of new and more restrictive policies, or the need for different physical security protocols, or a higher profile security regime.

To support this shift in perspective, the end-of-exercise workshop and masterclasses provide a vehicle for delivering the understanding that was previously lacking, and the opportunity to build consensus around priorities from board level down through risk, business continuity, and security teams. The iterative process of the workshop also offers a forum for planning that integrates investment and priorities between prevention, defence, and response doctrines, and a shared understanding of the converged nature of both vulnerability and defence to cyber threats.

In most organisations there is an element of compartmentalisation around responsibilities and budgets, but the collaborative process that the wrap-up of a converged security exercise provides, will force the different managers to consider how the delivery of change requires the joint consideration of process, policy and management, and harmonisation in order to achieve the collective objective of organisational security.

In this respect, the value of engaging with a red team methodology rather the dispersed or fragmented outcomes from penetration testing is paramount and proven. For more information about Red Team exercises or War Games go to www.optimalrisk.com.
Posted: 28 March 2014 by Optimal Risk Admin | with 0 comments
Filed under: convergence, cyber, games, red, risk, team, vulnerabilities, war