Maybe it should.
As security-minded but business-forward individuals, it’s all too easy to fall into a vulnerability management rut.
Does this situation sound familiar?
On a routine basis, you or your company hires a security firm to perform penetration testing on the latest server/application/network or other important doo-dads to ensure it’s not exposed to unnecessary risks from security vulnerabilities and meets all pertinent industry regulations or guidelines. The testing completes but fails to find any new or significant issues. You or your company address the remaining lower severity issues, often through risk transference or risk acceptance, and move on to the next project. When the next compliance due date circles around, the cycle repeats with similar results.
If so, it’s time for a change. And a meaningful change at that.
Forget chasing an unending cavalcade of vulnerabilities, or listening to those snarky, profess-to-know-it-all pundits who hypothesize, usually from the sidelines or the comforts of an extra-plush chair, that penetration testing is dead and adds little to no value. You know the ones – the ‘let’s just let the attackers inside because they are going to get in anyhow’ crowd. They are all very dramatic and often involve very time-consuming efforts, not to mention tend to be ineffectual, misdirected, and unhelpful reactions. They will also always be there. Unlike your enervated outlook.
Instead, breathe new life into your security and project by moving to the proactive. Consider a Red Team engagement in place of your next scheduled penetration test.
Think you know what a Red Team is, or maybe you’ve never heard of one? Read on.
Red Team often means different things to different people, particularly when technical acumen and nuance are inflected. Regardless of one’s definition, the goal of a Red Team is almost always the same – to attack and gauge the target’s ability to detect and defend against said attack. Does this sound too far-fetched for your penetration testing requirements? Or wondering how this has a bearing on the next round of compliance testing and quarterly scanning? The reality is, it’s closer to the actual mark than you might think.
Replacing your next penetration test with a Red Team engagement can help you directly determine what is possible with the vulnerabilities present in the asset(s) to be tested (e.g., server, application, network, etc.). The benefit of a Red Team engagement is that it’s designed to take advantage of the vulnerabilities and exploits present by actively circumventing security controls similar to how a traditional penetration test operates. But where a penetration test often stops at the technical level, a Red Team engagement extends to encompass attacks against people (e.g., think phishing and social engineering here), process (e.g., breakdowns or gaps in procedures and policies) and utility (e.g., physical aspects such as location, facility, and physical security) that provides a more holistic, and thereby more realistic, view of the target’s security posture and the controls deficiencies present. An added upside to Red Teaming is the benefit of testing company defenses and Blue Team (i.e., teams tasked with defending company assets and resources, including people, process, and utility along with technology) preparedness along the way.
If it sounds too expensive, rest assured it isn’t much more than what you or your company may already be paying for traditional penetration testing today. In some cases, it may even be cheaper or more cost-effective when extrapolated over time. From a business perspective, Red Team engagements often have the effect of silencing critics and bringing security to the tangible forefront, both in the board room and the break room. Red Teams tend to be ‘where the rubber meets the road’ differentiators, as they demonstrate not guessing at what is possible. Gone is the level of speculation and “what if” that accompanies most penetration tests, or the quick dismissal from enclave defenders that there are security controls in place to prevent such attacks, and at a minimum would detect these activities.
Next time you encounter the above response, or better yet, before you do – challenge yourself and your company to put its security money where its mouth is, and procure a Red Team engagement. Sure, Red Teams can be set up internally, but as with anything internal, they are subject to the whims, fancy, and bias of their internal masters and purse-string holders. Companies and the people who run them, or who are placed in charge of their security are fooling themselves if they don’t practice active exploitation and emulate real-world attack scenarios by conducting externally-procured Red Team engagements. Table-top and mock exercises are wonderful, but they’re often prepared, drafted, run, and/or participated in solely by Blue Team personnel. Worse yet, they may be cordoned off to another related but wholly separate group such as Business Continuity or Disaster Recovery. These folks are good at their jobs, but their focus tends to be primarily on one of the four vectors: people, process, technology or utility - generally people, and typically more inclined toward the physical sense (i.e. terrorism, natural disasters, loss of life, etc.)
Still not convinced a Red Team engagement is right for you or your organization? Shop around. There are security firms like Emagined Security that offer what we like to call Red Team Flash Exercises that generally last two weeks or less and focus on a “smash and grab” style approach where the initial goal is to penetrate security controls on one or multiple fronts to gain as much data and/or access in the time allotted. For those companies looking to move beyond the penetration testing pale, this is most often the easiest next step in vulnerability management evolution. Concentrate your remediation efforts on the vulnerabilities that actually lead to compromise by seeing Red.