WHY DO YOU NEED RED TEAMING?
Written By: Premal Parikh
Over the past decade, companies have increasingly recognized the need to protect themselves against cybersecurity risks. This awareness can be attributed to various factors:
- The growing popularity of Software as a Service (SaaS) products has led to the storage of confidential data outside a company’s control.
- The prevalence of cloud services has introduced shared-responsibility models, in which the customer stays accountable for part of the security stack.
- The increase in ransomware attacks has turned cybercrime into a seemingly profitable industry.
- The escalation of cyber threats, marked by sophisticated and high-profile attacks, has underscored the dual risks of commercial and reputational damage.
- The introduction of stringent cybersecurity legislation has compelled companies to enhance their protective measures. Regulations such as the New York Department of Financial Services (NY DFS) cybersecurity regulations, the General Data Protection Regulation (GDPR), and the new cybersecurity risk management rules by the Securities and Exchange Commission (SEC) have imposed legal obligations on organizations to fortify their cybersecurity posture.
- The growth of security compliance standards and industry-specific frameworks such as SOC 2, ISO 27001, HITRUST, HIPAA, and NIST CSF has made them benchmarks that boards, clients, and partners use to gauge an organization’s security posture. The rise of supply chain attacks further fuels their adoption, so compliance evidence is now central to an organization’s third-party risk management.
Challenges Despite Increased Compliance and Security Investments
In response to the increasing awareness of cybersecurity risks, there’s been a surge in obtaining compliance certifications and investing in additional security products and services.
Notably, more companies are achieving SOC 2 compliance this year than ever, with reports anticipating a 40% increase in SOC 2 attestations in 2023 compared to 2022. The United States alone has over 3,500 security product and services companies, a number that is still rising. Despite these efforts, the frequency of reported breaches and ransomware attacks hasn’t diminished.
To illustrate, here are some attacks from November 2023:
- 60 credit unions report ransomware attacks
- Two North Jersey hospitals continue to turn away patients in the wake of a cyberattack
- Ransomware at Fidelity National Financial stops people from paying their mortgages
This isn’t an exhaustive list, but it highlights that no industry or company size is immune to this issue.
Despite increased spending on compliance and products, breaches persist for several reasons:
- Compliance as a Marketing Tool
With the advent of "New-Age" Governance, Risk, and Compliance (GRC) tools that promise compliance in weeks by automating controls, there's a tendency to prioritize quick fixes over developing tailored policies.
Many adopt cookie-cutter policies, especially under the prevalent SOC 2 standard, which is far less prescriptive than frameworks like HITRUST. Since SOC 2 largely audits the controls you define for yourself, if your policy doesn’t mandate multi-factor authentication, its absence isn’t a control gap. While compliance standards and audits enhance security practices, they should be implemented with the right intent rather than solely as a marketing strategy.
- Reliance on Security Products
There’s a belief that deploying numerous security products ensures security without clearly understanding how they collaborate or the insights they offer. A study reveals that large enterprises now use an average of 76 security tools, up from 64 in 2019. However, the manual production of reports has also risen from 40% to 54%. It’s crucial to comprehend the synergy of these tools and avoid assuming security simply because of their quantity.
- Perpetual Vigilance Against Cybercriminals
Cybercriminals (let’s not call them bad actors or hackers) are persistently motivated to breach security. While company leadership may experience security fatigue, criminals don’t share this sentiment. The reality is that security is an ongoing process – you are never done with security.
What is the Solution?
- Don’t just treat your compliance program as a marketing tool. Ensure your policies are effective and aligned with the right framework per your business needs. The compliance program should be the starting point for your security efforts, not the endpoint.
- Evaluate and streamline your security products to ensure they complement each other. While products are essential, relying solely on a “set it and forget it" approach is insufficient.
- Prioritize technical assessments and testing. Occasional Penetration Tests are not enough. Regularly utilize Red Teaming to understand your true susceptibility to a breach and enhance security measures.
When targeting you, criminals won’t just try once and give up. They continue to probe and look for weaknesses. We must adopt their mindset and conduct ongoing testing to boost a company’s security. Incorporating Continuous Red Teaming is crucial for improving overall security measures.
What is Red Teaming?
Red Teaming in cybersecurity is an assessment where ethical hackers emulate real-world attackers’ tactics, techniques, and procedures (TTPs) against an organization’s infrastructure. Unlike traditional Vulnerability Scanning or Penetration Testing, which focus on specific vulnerabilities, a Red Team assessment takes a holistic approach, aiming to compromise the organization’s security posture as a whole. This reflects how real attackers operate: they aren’t looking for every vulnerability, only the one avenue that lets them pivot ‘in’, and they persist until they find it – whether through a phone call to the help desk, social engineering to gain access from the finance team, exploiting an endpoint to gain higher privileges, or inserting a backdoor in the git repository.
Red Team assessments are focused, goal-oriented, and one of the few security tests that mimic the real world by conducting realistic cyberattacks on business-critical workflows and risks. They assess procedures, people, and products together to evaluate their collective effectiveness. These tests are typically performed in a ‘low and slow’ manner to avoid easily triggering alerts, which makes them more expensive than regular penetration tests.
Furthermore, the Red Team’s primary objective is to leverage available intelligence, uncover vulnerabilities and weaknesses, create an attack path, and, where possible, go undetected by conventional security monitoring. This assessment gives organizations a more accurate evaluation of their overall security posture by measuring their susceptibility to a breach, and thus highlights the areas where additional security controls are genuinely required.
What is Continuous Red Teaming? Why Do You Need It?
Continuous Red Teaming is a proactive and dynamic defense strategy that establishes a continuous cycle of testing, learning, fixing, and evolving tactics to create a resilient security framework that effectively identifies and addresses vulnerabilities. It involves regular testing of the environment by emulating different potential threat actors, thus pursuing diverse objectives every time. This approach of employing different TTPs in each test ensures a comprehensive evaluation of defense mechanisms against existing as well as emerging threats.
These assessments also gauge the preparedness of internal teams to handle incidents, fostering an adaptive cybersecurity approach. Like any red team engagement, they are typically performed in a ‘low and slow’ manner to avoid triggering alerts easily, which makes them more expensive than regular penetration tests.
Furthermore, Continuous Red Teaming assessments will also aid in answering the following questions:
- Can a persistent and skilled attacker reach the agreed objective (the ‘flag’) using the chosen TTPs?
- Do internal detection and reporting capabilities meet the required standards?
- Have we adequately assessed the effectiveness of our Incident Response practices and Blue Team capabilities?
- Have internal teams and external service providers fulfilled their Service Level Agreements (SLAs)?
Accorian’s Methodology
At Accorian, we follow a 6-phase methodology for Red Teaming. It combines the F3EAD methodology with the MITRE ATT&CK framework in a systematic approach of distinct phases, each vital to successfully executing a red team assessment and realizing its objectives:
1. FIND
In the Find phase, reconnaissance activities aim to identify targets and crown jewels. This phase sets the stage for the subsequent steps in the assessment by laying the groundwork for target selection and strategic goal-setting discussions with the organization.
2. FIX
In the Fix phase, the focus involves intense reconnaissance and intelligence collection against the selected target, delving into the intricacies of the target’s systems, networks, and potential points of exploitation. This step is vital in the red team assessment process, aiming to attain a level of familiarity with the target that facilitates informed decision-making in subsequent phases of the F3EAD methodology.
3. FINISH
In the Finish phase, the focus shifts to setting plans into action by deploying TTPs in a decisive and coordinated manner. This phase integrates toolsets, intelligence, capabilities, and human expertise into a single, comprehensive capability. It’s the point where planning and reconnaissance transition into practical, impactful actions. MITRE ATT&CK TTPs are pivotal in shaping the attack path and improving the red team’s ability to navigate and exploit weaknesses effectively.
4. EXPLOIT
In the Exploitation phase, Accorian acts as the red team actor and puts the detailed attack plan into action to achieve the mission objectives. This phase represents the culmination of strategic planning and the initiation of exploits to realize red team objectives.
5. ANALYZE
In the Analysis phase, the team gains insights into the systems’ responses. They can adjust their tactics and techniques accordingly. This phase involves continuous updates, revisions, and modifications to the attack path and exploitation strategies. Whether an exploit succeeds or fails, the iterative nature of the phase ensures that our testers remain agile and responsive to evolving conditions.
6. DISSEMINATE
In the Dissemination phase, raw assessment data is transformed into actionable intelligence, acting as a vital link between the red team’s activities and the broader organizational context. This documentation provides:
- A comprehensive record of the assessment’s results
- Next steps that guide the organization and empower leadership for strategic decision-making
- Recommendations that fortify the overall security posture
The Accorian Advantage
Accorian’s Red Team has a success rate of over 90% in capturing the flags. We’ve maintained this through our certified Red Teamers, top-of-the-line tools, custom tools and scripts, and detailed methodologies.
We are a leading cybersecurity firm, distinguished by our CREST accreditation and renowned for our expertise. Our team comprises technology and cybersecurity leaders, ensuring proficiency that exceeds industry standards. What truly distinguishes us is our commitment to tailor-made solutions. Each red team service assessment, backed by our remarkable 100% success rate, is meticulously customized to meet an organization’s unique needs, ensuring relevance and effectiveness in today’s business landscape.
Accorian is also a HITRUST assessor, SOC 2 auditor, PCI QSA and PCI ASV.