According to Gartner, global spending on enterprise security will top $96 billion this year, representing an 8% rise from 2017. A primary driver behind the burgeoning investment in security services – and the trend towards outsourcing to specialists – is undoubtedly the rising fear of data breaches and cyber attacks. Cyber crime is reaching new levels of sophistication at the very time when consumers are becoming more aware of the value and security of their data. Combined with the new EU General Data Protection Regulation (GDPR) and its threat of financial penalties, it’s clear that the security stakes are high for today’s digitally-driven enterprise.
It’s no surprise, then, that companies are keen to explore the latest tools and techniques to test their security posture and help them avoid a data security lapse that could prove costly from a financial, reputational and commercial point of view. In my experience, security testing is rising swiftly up the corporate agenda, driven in part by the GDPR, with senior executives taking a more strategic approach to ensuring their critical information assets are secure. It is increasingly recognised that traditional methods such as penetration testing (PT) and vulnerability scans simply do not deliver the breadth in scope needed to provide assurance. Red teaming (RT), however, is growing in popularity as it provides comprehensive testing across your organisation, exposing vulnerabilities at all levels and helping you to better understand how you would respond to a cyber attack.
The term itself originates from the military, where a red team would play the role of an adversary and act as attackers, and a blue team would act as defence. In cybersecurity, red teaming has come to refer to a team of ‘ethical hackers’ who simulate a cyber attack. It is already widely used in financial services and defence, and its usage is expanding across a wider range of industry sectors as more organisations seek ways of addressing the risks associated with their data.
RT is able to provide insights that cannot be achieved with a traditional PT approach, because its objective and scope are far wider. PT is usually limited to testing a particular network, system or application, with the objective of identifying as many vulnerabilities as possible within the scope of the test and trying to exploit them. RT goes beyond system-specific tests and instead focuses on your organisation’s broader information assets, analysing, for example, whether intellectual property can be stolen, or whether customer contact lists, personally identifiable information and payment details are adequately secured. Although RT conducts some exercises similar to PT, the red team is not aiming to uncover every single vulnerability, just those that will enable it to reach the critical information.
RT tests an organisation’s defences by using any means necessary to attempt to compromise the asset, mimicking hackers by applying the same tactics and techniques that they would use. Aside from using technical means to simulate the attack, RT spans social engineering and physical security. Can a member of staff be persuaded to share their password with a stranger posing as an auditor? Will employees hold the door open for someone wearing an ID badge that appears to be authentic?
In an RT test, the objective is to remain completely undetected, providing a more realistic simulation of how a real attacker would attempt to access and steal information. You will discover whether an attack can go undetected (and for how long), and how well your response processes function under pressure. This is a valuable exercise for pinpointing where defences need to be tightened.
Choosing the right strategy
RT therefore plays a key role in providing insight into a company’s ability to withstand a potential cyber attack and in identifying the steps it needs to take to mitigate risk effectively. But is the approach right for every business?
The right testing strategy for your organisation will depend on your objectives, risk level, security maturity and budget:
Objectives: If your objective is to understand if your most critical assets are secure then a real-world approach to testing is essential. A RT approach will identify the threats to which you are vulnerable and highlight blind spots that are unlikely to be identified through traditional PT techniques.
Risk level: What information assets do you hold? What are the threats to and vulnerabilities of these assets, and what are the likelihood and impact of their being compromised? For instance, if personal or sensitive data is stolen, what will be the financial and reputational consequences? If these are significant, you need a proactive approach to managing them. RT delivers insight that will help to improve the risk management strategies and processes designed to mitigate your risk.
Security maturity: How sophisticated is your security program? Have you conducted extensive PT and patched the vulnerabilities found? An RT approach is most likely to benefit an organisation with a more mature security program, but there are exceptions. RT can also be useful if you have not yet embarked on your security journey: it can provide visibility of your weaknesses and risks and help shape the requirements of your ongoing security program. Equally, significant changes to your organisational structure may warrant a re-evaluation of your testing strategy to ensure it still meets your evolving business needs.
Budget: Is your organisation committed to investing in cyber security? What percentage of your budget is allocated to IT security? RT requires a higher level of investment than other testing methods: it is delivered by a larger team than a typical PT, it takes longer to complete, and it is most beneficial when integrated into an ongoing testing program rather than conducted as a one-off initiative.
In-house or consultancy?
Building an in-house red team, although highly desirable, is a luxury very few organisations can afford. Acquiring and retaining a team with the diverse and specialist skillsets required can be challenging and expensive.
Bringing in highly-qualified security consultants is often a way for companies large and small to create the necessary spread of skills, experience and expertise to make their project a success. Choosing to work in this way with consultants can deliver numerous benefits, enhancing the diversity, skills and experience of your team and giving you access to a holistic service combined with the latest research into emerging threats and solutions.
In summary, it’s important to identify the right testing strategy for your organisation, based not only on the scope and objectives of your test but also the maturity of your security journey and your in-house capacity. Testing remains the cornerstone of your security posture, and with your customers, the media and the regulators placing increasing scrutiny on the way data is handled, now is not the time to fall behind.
Rob Embers, Chief Commercial Officer at Dionach