Red team exercises are like vaccination against attacks?

Yesterday I was asked what exactly Red Team Exercises (RTEs) are and why they are useful.

As I believe a good analogy is worth a thousand words, I tried to find one that can be understood by any layman. The vaccine principle struck me as the perfect one.


The principle of a Red Team Exercise is to launch an attack against your organisation, much as a vaccine does to your body. The mechanisms used by the vaccine are exactly the same as those of the real virus, except that it doesn’t destroy or weaken your body. Instead it allows your body to learn how to fight the virus, so that it is better prepared when it faces the real thing.

That’s exactly what RTEs are about: boosting your company’s immune system by allowing your white cells (your security personnel) to learn how to fight the intruder.

How often have we heard that a risk assessment was extravagant because the system administrators thought the system was not that sensitive for the company’s business? How many times have we been told that a kind of attack was difficult to carry out, or that we had watched too many James Bond movies? That rarely happens after an RTE, as vague threats become concrete and evidenced. It allows your operational teams to better understand that the reality of this “war” against criminals is not about isolated risks but about systemic risks. It is about preventing viruses from entering your body. Any breath, any wound, any contact with an external source can be the start of a chain of events that leads to your infection. And sometimes infection means death if you don’t treat it in time.

As there are as many vaccines as there are viruses, there are as many RTE scenarios as there are possible attacks and threats: cyber-attacks, credit-card fraud, identity fraud, espionage, theft, industrial espionage and so on.

So, what disease are you the most afraid of?

Are Red Team exercises close enough to reality?

A red team is a team of highly skilled professionals with extensive and varied skills (think « Mission: Impossible ») acting as the opponents, challenging your plans, your controls, your security governance and your people. As a red team, we must think and behave as the « bad guys ». The goal is to emulate the critical thinking of your « official » security teams. To achieve that, we challenge all the false assumptions that make you vulnerable. We spot the weaknesses and find creative ways to exploit the slightest vulnerability, as any skilled attacker would. (Luckily, they are not all that good.)

The question that came to me while discussing a red team exercise with a customer was this: are red team exercises close enough to reality?


For sure, we are not as real as the criminal organization targeting you. We could be, as we have the skills, but we have something that makes a huge difference: ethics and rules. A red team has boundaries. Even taken to the most realistic level, a red team exercise will never lead us to threaten someone’s family or life, or to kill someone. We won’t blow up a building to cover our tracks. We won’t release the ultimate virus to wipe all data. Unfortunately, criminals have no such boundaries.

Our client told me that the red team was not supposed to use information that had been provided in confidence. While red team exercises are often « black hat » exercises (meaning we start with only a little information about the target), it is never impossible that attackers have inside knowledge of your organization. Seriously, in real life there are no rules. If there is enough return on investment, criminal organizations will spend a lot of money, time and means to get your crown jewels. They will use any technique: blackmail, kidnapping, bribery, infiltration. The colleague next to you could be working for a criminal organization, posing as a good guy, even as a security specialist. How would you know?

The latest incidents reported in the press involving banks or the SWIFT network mention takes in the tens of millions: 21, 80 or even 120 million euros of booty for these heists. Quite a motivation, isn’t it? How much would you be ready to invest to get such a reward?

Cyber criminality generates approximately a trillion USD every year. 1,000 billion! Law enforcement and security firms around the world report that groups of hackers and criminals are now working together to reach bigger targets with higher stakes. Imagine that an organization that gets 1/1,000 of the worldwide revenue might have 1 billion USD for its operations. That’s a lot of cash. People get killed for less.

So, no, our red team exercises are not as real as they could be, but they are likely close enough to achieve their primary goal: challenging your team and organization to make them better. Red team exercises won’t provide assurance, nor will they cover all your weaknesses, but they will for sure stimulate your teams to achieve their best.