CYBERUK Blog: Red Team - The CISO's Not So Secret Silver Bullet

Deloitte’s NSE CISO, Jitender Arora, delivered a technical masterclass at CYBERUK in Belfast on April 20th on the theme of Red Teaming. This blog provides a comprehensive overview of this masterclass and provides insights on how CISOs can implement Red Teaming into their security strategies.

In the world of ever-evolving cyber threats, CISOs are faced with an array of challenges. From dealing with well-funded motivated adversaries and zero-day vulnerabilities to navigating the complexities of hybrid working and cloud environments, CISOs need innovative solutions and invest wisely to stay ahead. Red Teaming emerges as a powerful tool in the CISO's arsenal, allowing them to assess security capabilities objectively and make informed decisions on defining priorities and security strategy.

The Value of Red Teaming

Red Teaming is a proactive approach that enables CISOs to effectively prioritise investment areas by testing an organisation's preventative, detective, and resilience controls against the latest tactics, techniques, and procedures (TTPs). It helps CISOs better understand their security posture and focus on the areas that matter most, ensuring that limited budgets and resources are allocated efficiently.

One of the biggest advantages of Red Teaming is the reality check it provides. Traditional risk assessments, security dashboards, and metrics often suffer from optimism bias, while maturity model assessments, although valuable, may lack real-world testing. In contrast, Red Teaming serves as a litmus test that reveals the true state of an organisation's security posture and helps CISOs make data-driven decisions

Implementing Red Teaming Effectively

To get the most out of a Red Team exercise, CISOs should ensure they have a well-structured and methodical approach. 

Start by gaining executive management support, as Red Teaming is intrusive and requires careful planning and oversight. Most important aspect of conducting Red Team Testing is to find a competent and trusted partner who can conduct good quality independent assessment. When choosing a partner to conduct the Red Team assessment, opt for a reliable and experienced team capable of conducting high-quality, independent assessments. Remember, this partner will have access to your organisation's vulnerabilities, so trust is crucial.

Establish a legal contract with the Red Team provider to ensure appropriate guardrails are in place to protect both parties.

Next, define the scope and objectives of the Red Team exercise. Be specific about what you want to achieve, such as targeting critical assets, gaining control of domains, accessing sensitive data, or simulating lateral movement within the organisation.

It’s extremely important to maintain a small circle of knowledge to preserve the integrity of the test. Only a limited number of authorised individuals should be aware of the exercise.

Planning and Execution

During the planning phase, create a small control group to finalise scope, approach and oversee execution of the test. Schedule control group briefings to discuss progress, challenges, and address any questions from the Red Team. Maintain confidentiality and integrity of the test through protected briefing documents and invites.

Change is an inherent part of Red Teaming depending on the rate of success. Ensure that any changes to objectives are discussed, agreed upon, and documented to maintain traceability. Also, have a well-defined exit strategy in both success and failure scenarios to guarantee proper test completion and documentation.

Post-Red Team Activities

Following the Red Team exercise, it’s important that Red Team Test report is handled and managed carefully due to sensitive nature of the content. Establish a secure mechanism to  share the Red Team report with key stakeholders on a need-to-know basis. Organise a debrief between the Red and Blue Teams to discuss the chain of events and glean valuable insights from the exercise. This is a very important step in the exercise for the Blue Team to review findings and understand details.

Next, the Blue Team, authorised by the CISO, should review the report and draft the remediation plan, while a 2LOD Risk team reviews the draft remediation plan to provide independent oversight and challenge to ensure effectiveness of remediation actions. The remediation plan should contain immediate, tactical, and strategic actions.

It’s important to secure budget and resources to focus on remediation activities, it’s not side of the desk activity. It should follow a project approach with allocated funding and a dedicated team structure to undertake the necessary remediation actions. Establish a senior stakeholder oversight committee to review progress, remove any blockers, and maintain oversight of remediation progress.

Closing the Red Team Test Effectively

Closing a Red Team exercise is an essential phase that ensures the security posture of the organisation has been thoroughly assessed and the necessary improvements have been made. To close a Red Team test effectively, CISOs should follow these key steps:

1. Remediation Verification: As the organisation implements the remediation plan, it's important to verify that each action has been effectively executed and that the vulnerabilities discovered during the Red Team exercise have been addressed. This process should be performed with the help of the Blue Team and, in some cases, involve the Red Team to retest the specific vulnerabilities.
2. Conduct Purple Teaming: To validate the effectiveness of the remediation actions, conduct Purple Teaming exercises during the remediation process. This collaborative approach between the Red and Blue Teams allows for the testing and validation of the implemented security measures. Purple Teaming also helps identify any remaining gaps or areas for improvement.
3. Update Security Policies and Procedures: The insights gained from the Red Team exercise should be used to update security policies and procedures, ensuring that the lessons learned are integrated into the organisation's security posture and BAU processes. This may involve revising access controls, incident response plans, or employee training programs.
4. Final Report and Stakeholder Debrief: Prepare a comprehensive final report detailing the Red Team exercise, including the initial findings, remediation efforts, and results of the Purple Teaming. Share this report with key stakeholders and conduct a debrief to discuss the outcomes, lessons learned, and any further actions that need to be taken.
   
5. Knowledge Sharing and Continuous Improvement: Encourage a culture of continuous improvement by sharing the knowledge and insights gained from the Red Team exercise throughout the organisation. This can help create awareness of the importance of cybersecurity, foster collaboration between teams, and encourage proactive security measures.

By following these steps, CISOs can ensure that the Red Team exercise is closed effectively, and the valuable insights gained are leveraged to enhance the organisation's security posture. 

Securing Success: Embracing the Continuous Cycle of Red Teaming

In conclusion, Red Teaming is a powerful tool that enables CISOs to objectively assess their organisation's security capabilities and make informed decisions on defining priorities and developing a robust security strategy roadmap. 

Red Team remediation should not be treated as a side project; it requires a well-structured approach, a dedicated remediation plan, and oversight by an appropriate committee. It's essential to remember that Red Teaming is not a one-time effort but a continuous cycle that should be an integral part of any effective security program. The goal is to make it progressively harder for the Red Team to achieve its objectives during each subsequent exercise. When the Red Team says, "it was a lot harder this time and we could not achieve all objectives," that's when the true success of a Red Teaming exercise is realised. 

By incorporating Red Teaming into their security strategy, CISOs can stay ahead of the evolving cyber threat landscape and safeguard their organisation's most valuable assets.

Contact us to find out how Deloitte can help you conduct a Red Team Test and/or implement a Red Teaming remediation project.