Red Teaming Operations
A holistic approach to information security assessments
Organisations frequently operate under the assumption that as long as their computer systems are secure, information is secure. In an effort to strengthen the security of their computer systems, they often perform penetration tests – simulated attacks on computer systems aimed at identifying vulnerabilities that could materialize into real risks. However, in reality attackers do not limit themselves to abusing the systems singled out for penetration tests or even any IT system in general. Rather, attackers today are much more sophisticated. They combine different elements that go beyond computer systems, with the objective of finding the path of least resistance. As a consequence, due to their limited and fixed scope, penetration tests alone do not adequately address the risk posed by attackers, and leave organisations vulnerable to realistic attacks.
A realistic attack generally addresses three elements of information security that are linked together.
- Physical: Buildings, desks, safes and the physical IT infrastructure.
- Cyber: The online world, the Internet as well as corporate Intranets and their interconnectivity with other supplier and business partner networks.
- Human: This denotes the employees, customers, clients and third parties that are handling information within an organisation.
Finding the weakest link
The vast majority of cyber breaches in the recent years were caused by human behavioural issues – one of the weakest links that cannot be identified by penetration testing. Red teaming not only tests technical preventative controls, but also the human defence capabilities, which are not tested by traditional penetration tests.
An important aspect of a real attack is the reconnaissance. During this phase an attacker uses various tools and techniques to gather as much information as possible about a victim, in order to make an attack more successful. For example an attacker could use open source intelligence, whereby the web and dark web are being searched for relevant information on an organisation (e.g. user names, passwords, business rules, etc.). Frequently traditional penetration tests do no take this into account, due to their limited and pre-defined scope, and hence could leave an organisation vulnerable.
Red Teaming Operations enable organisations to assess the readiness and awareness against realistic attacks through scenario based controlled incidents that take all elements (human, physical & cyber) within an organisation into account.
Success factors and our recommendation
Successful Red Teaming Operations require thorough planning to create realistic adversarial simulations for an organisation. Random attacks with random objectives will not deliver adequate benefits. The best planning comes from an in-depth understanding of the business and the organisation, which then translates into realistic scenarios, combining risk and threat management approaches. As part of the planning phase it is important to identify the key risks of an organisation. These are unique to each organisation and serve as a basis to create realistic scenario-based controlled incidents.
Our experience shows that successful Red Teaming Operations are built upon three principles.
- Knowledge Mix: Red teaming exercises need to combine the right amount of technical and business understanding to become useful and representative.
- Understanding of Adversary: A successful red teaming exercise requires a thorough understanding of a potential attacker. Meaning, that aside from possessing the skills and knowledge of a potential attacker, the team needs to have the ability to think like one as well. In short, the attacker’s objectives need to match the risks to the organisation and have to be incorporated into the defined scenarios driving the red teaming exercise.
- Joint teams: Teaming is key: a successful exercise outcome comes from working together and combining efforts and expertise of both, the red and the defending team. Working in such a collaborative setup enables outstanding red teaming exercises that matter, are focused, agile, cost-effective and as a result enhance defensive capabilities.
And here is how a cyber-attack happens
How often do we get to watch how an actual cyber-attack happens, and see the consequences unfold before our eyes in real-time? Hopefully never. We developed two videos to provide a sneak-peak of what you could face. Experience the speed and intensity of a cyber-attack; as the plot unfolds, learn how companies can defend themselves, take control of the situation, and effectively fight back.
If you would like to have an initial conversation about Red Teaming Operations and Deloitte’s approach to making it a success, please get in contact with our team.
Gianni Crameri, Assistant Manager
+41 58 279 6413
Gianni is a cyber security specialist at Deloitte in Switzerland and leads the product security proposition. He has helped clients design and implement security controls across different industries with a focus on manufacturing and life sciences. His expertise includes ICS and IoT security, security architecture, data protection, and strategic security transformation.
Latest developments, potential impact and recommendations