Menu

Articles & Blogs

WHY DO YOU NEED RED TEAMING?

December 8, 2023 | By Accorian

Written By: Premal Parikh

Over the past decade, companies have increasingly recognized the need to protect themselves against cybersecurity risks. This awareness can be attributed to various factors:

  • The growing popularity of Software as a Service (SaaS) products has led to the storage of confidential data outside a company’s control.
  • The prevalence of cloud services has introduced shared responsibilities.
  • The increase in ransomware attacks has turned cybercrime into a seemingly profitable industry.
  • The escalation of cyber threats, marked by sophisticated and high-profile attacks, has underscored the dual risks of commercial and reputational damage.
  • The introduction of stringent cybersecurity legislation has compelled companies to enhance their protective measures. Regulations such as the New York Department of Financial Services (NY DFS) cybersecurity regulations, the General Data Protection Regulation (GDPR), and the new cybersecurity risk management rules by the Securities and Exchange Commission (SEC) have imposed legal obligations on organizations to fortify their cybersecurity posture.
  • Growth of security compliance standards and industry-specific frameworks like SOC 2, ISO 27001, HITRUST, HIPAA, NIST CSF, etc., have become benchmarks for boards, clients, and partners to ascertain an organization’s security posture. The rise of supply chain attacks also fuels this growth in adoption. Hence, it’s critical to an organization’s 3rd party risk management.

Challenges Despite Increased Compliance and Security Investments

In response to the increasing awareness of cybersecurity risks, there’s been a surge in obtaining compliance certifications and investing in additional security products and services.

Notably, more companies are achieving SOC 2 compliance this year than ever, with reports anticipating a 40% increase in SOC 2 attestations in 2023 compared to 2022. The United States alone boasts over 3,500 security product and services companies, which is on the rise. Despite these efforts, the frequency of reported breaches and ransomware attacks hasn’t diminished.

To illustrate, here are some attacks from November 2023:

This isn’t an exhaustive list, but it highlights that no industry or company size is immune to this issue.

Despite increased spending on compliance and products, there are several reasons for this:

  • Compliance as a Marketing Tool

    With the advent of "New-Age" Governance, Risk, and Compliance (GRC) tools that promise compliance in weeks by automating controls, there's a tendency to prioritize quick fixes over developing tailored policies.

    Many adopt cookie-cutter policies, especially with the prevalent SOC 2 standard, which lacks prescription compared to robust standards and frameworks like HITRUST. For instance, if your policy doesn’t mandate multi-factor authentication, its absence isn’t a control gap. While compliance standards and audits enhance security practices, their implementation should be driven with the right intent rather than solely as a marketing strategy.

  • Reliance on Security Products

    There’s a belief that deploying numerous security products ensures security without clearly understanding how they collaborate or the insights they offer. A study reveals that large enterprises now use an average of 76 security tools, up from 64 in 2019. However, the manual production of reports has also risen from 40% to 54%. It’s crucial to comprehend the synergy of these tools and avoid assuming security simply because of their quantity.

  • Perpetual Vigilance Against Cybercriminals

    Cybercriminals (let’s not call them bad actors or hackers) are persistently motivated to breach security. While company leadership may experience security fatigue, criminals don’t share this sentiment. The reality is that security is an ongoing process – you are never done with security.

What is the Solution?

  • Don’t just treat your compliance program as a marketing tool. Ensure your policies are effective and aligned with the right framework per your business needs. The compliance program should be the starting point for your security efforts, not the endpoint.
  • Evaluate and streamline your security products to ensure they complement each other. While products are essential, relying solely on a “set it and forget it" approach is insufficient.
  • Prioritize technical assessments and testing. Occasional Penetration Tests are not enough. Regularly utilize Red Teaming to understand your true susceptibility to a breach and enhance security measures.

When targeting you, criminals won’t just try once and give up. They continue to probe and look for weaknesses. We must adopt their mindset and conduct ongoing testing to boost a company’s security. Incorporating Continuous Red Teaming is crucial for improving overall security measures.

What is Red Teaming?

Red Teaming in cybersecurity is an assessment where ethical hackers emulate real-world attackers’ tactics, techniques, and procedures (TTPs) on an organization’s infrastructure. Unlike traditional Vulnerability Scanning or Penetration Testing, which focuses on specific vulnerabilities, a Red Team assessment takes a holistic approach, aiming to compromise the organization’s security posture. This was devised as hackers aren’t looking for all the vulnerabilities, but the one avenue that allows them to pivot ‘in’ and is undeterred till they find this avenue – whether through a phone call to the help desk, social engineering to gain access from the finance team, exploiting an endpoint to gain higher privileges, or inserting a backdoor in the git repository.

Red Team assessments are focused, goal-oriented, and one of the few security tests that mimic the real world by conducting realistic cyberattacks on business-critical workflows and risks. It assesses procedures, people, and products together to evaluate their collective effectiveness. These tests are typically performed in a ‘low and slow’ manner to avoid easily triggering alerts, making them more expensive than regular penetration tests.

Furthermore, the Red Team’s primary objective is to leverage available intelligence, uncover vulnerabilities and weaknesses, create an attack path, and possibly go undetected by conventional security testing methods. This assessment provides organizations with a more accurate evaluation of their overall security posture by assessing their susceptibility to a breach. Thus highlighting true areas where additional security controls are required.

What is Continuous Red Teaming? Why Do You Need It?

Continuous Red Teaming is a proactive and dynamic defense strategy that establishes a continuous cycle of testing, learning, fixing, and evolving tactics to create a resilient security framework that effectively identifies and addresses vulnerabilities. It involves regular testing of the environment by emulating different potential threat actors, thus pursuing diverse objectives every time. This approach of employing different TTPs in each test ensures a comprehensive evaluation of defense mechanisms against existing as well as emerging threats.
These assessments help assess the preparedness of internal teams to handle incidents, fostering an adaptive cybersecurity approach. Typically performed in a ‘low and slow’ manner, these assessments avoid triggering alerts easily, making them more expensive than regular penetration tests.

Furthermore, Continuous Red Teaming assessments will also aid in answering the following questions:

  • Can we determine if a persistent and skilled attacker can achieve the flag using the TTPs?
  • Do internal detection and reporting capabilities meet the required standards?
  • Have we adequately assessed the effectiveness of our Incident Response practices and Blue Team capabilities?
  • Have internal teams and external service providers fulfilled their Service Level Agreements (SLAs)?

Accorian’s Methodology

At Accorian, we follow a 6-phase methodology for Red Teaming:

Accorian utilizes the F3EAD methodology integrated with the MITRE ATTACK framework, employing a systematic approach consisting of distinct phases. Each stage is vital to successfully executing a red team assessment and realizing the objectives:

1. FIND

In the Find phase, reconnaissance activities aim to identify targets and crown jewels. This phase sets the stage for the subsequent steps in the assessment by laying the groundwork for target selection and strategic goal-setting discussions with the organization.

2. FIX

In the Fix phase, the focus involves intense reconnaissance and intelligence collection against the selected target, delving into the intricacies of the target’s systems, networks, and potential points of exploitation. This step is vital in the red team assessment process, aiming to attain a level of familiarity with the target that facilitates informed decision-making in subsequent phases of the F3EAD methodology.

3. FINISH

In the Finish phase, the focus shifts to setting plans into action by deploying TTPs in a decisive and coordinated manner. This phase integrates various elements, including toolsets, intelligence, capabilities, and human expertise, amalgamating into a comprehensive and potent weapon system. It’s the focal point where planning and reconnaissance transition into practical, impactful actions. MITRE ATTACK TTPs are pivotal in shaping the attack path and enhancing the red team’s ability to navigate and exploit vulnerabilities effectively.

4. EXPLOIT

In the Exploitation phase, Accorian acts as the red team actor and operationalizes the detailed attack plan into action to achieve mission objectives. This phase represents the culmination of strategic planning and the initiation of exploits to realize red team objectives.

5. ANALYZE

In the Analysis phase, the team gains insights into the systems’ responses. They can adjust their tactics and techniques accordingly. This phase involves continuous updates, revisions, and modifications to the attack path and exploitation strategies. Whether an exploit succeeds or fails, the iterative nature of the phase ensures that our testers remain agile and responsive to evolving conditions.

6. DISSEMINATE

In the dissemination phase, raw assessment data is transformed into actionable intelligence, acting as a vital link between the red team’s activities and the broader organizational context. This documentation provides:

  • A comprehensive record of the assessment’s results
  • Guides organizations with the next steps, empowering leadership for strategic decision-making
  • Fortifies the overall security posture

The Accorian Advantage

Accorian’s Red Team has an over 90% success rate in achievement of the flags. We’ve maintained this due to our certified Red Teamers, top-of-the-line tools, custom tools and scripts, and detailed methodologies.

We are a leading cybersecurity firm, distinguished by its CREST accreditation and renowned for unparalleled expertise. Our team comprises technology and cybersecurity leaders, ensuring proficiency that exceeds industry standards. What truly distinguishes us is our commitment to tailor-made solutions. Each red team service assessment, backed by our remarkable 100% success rate, is meticulously customized to meet an organization’s unique needs, ensuring relevance and effectiveness in today’s business landscape.

Accorian is also a HITRUST assessor, SOC 2 auditor, PCI QSA and PCI ASV.

Tagged: Red Teaming, Continuous red teaming, red team in cybersecurity, red teaming security, red team service

Recent Blog

Article

Adobe's Common Controls Framework of Industry-acclaimed security standards

Today’s world is an ever-changing scenario with changes to the technology sector happening more frequently than ever due to emerging technologies. The case is quite similar in the field of Cyber Security. There are a few industry-acclaimed cybersecurity standards for governing the processes and execution of these standards. These standards are usually built upon a framework of control objectives that need to be implemented by the organizations to comply with these standards. Compliance is measured in terms of control objectives meeting the compliance criteria and also other regulatory and statutory criteria. Since most of these Cybersecurity standards speak of similar control objectives or lay emphasis on similar control areas, it is advisable to have the ‘Adobe’s Common Control Framework’, which means that if we are able to comply with a single requirement from a particular framework, in theory, we should be able to use the adherence of that requirement for ALL the similar frameworks. There are several approaches to achieving this Adobe's Common Controls Framework both in theory and in practice and will be discussed in detail later on in this article. The most relevant security and privacy frameworks are ISO 27001, NIST, PCIDSS, GDPR, SOC Type 2. There is a significant overlap of controls contained in these standards as all of these standards primarily deal with one requirement which is the protection of data. Protection of information from unauthorized disclosure, compromise, and theft forms the backbone or the building blocks of an Adobe's Common Control Framework. This leverages the fact that similar controls or that the essence of the controls is the same across standards and can be used to gauge the adherence or compliance of an organization to the standard. In actual execution, while gauging the compliance of an organization, the Adobe's Common Controls Framework is not only holistic but can reduce the effort and cost otherwise required by the organization to comply with individual standards. There are two methods of developing the Adobe's Common Control Framework for an organization and there are very subtle differences between the two methods. They are Controls harmonization and Controls Mapping. Controls Harmonization: Harmonization is the creation of a brand-new control language set from several source languages of standards taking into consideration content & context. In theory, the intent and meaning of the words and sentences remain intact, but the language and actual words of the individual standards have been changed with a new harmonized meaning defined. To achieve the usage of a single language as an industry, globally, it would have significant benefits and it would be the most efficient way to operate not only as security professionals but also as humans. Adobe’s Common Control Framework is an example of this type of construct. The benefits of having a single operating language can truly be amazing in terms of effort reduction and cost reduction. Control Mapping: Today, most brilliant and forward-thinking security professionals are using the control mapping method. The main idea behind this method is to keep the original language intact as much as possible while mapping and matching the intent and meaning of each sentence and word. This is the most practical and realistic approach because this is how humans fundamentally interact with each other globally. One can see this working in real life where two different languages are being spoken by individuals and kept mainly intact, but an interpreter or linguist is translating between the two — the map is developed in the mind of the linguist. Some real-life examples of mapping for cybersecurity frameworks can be seen in HITRUST Framework, Cloud Security Alliance Framework, and even the U.S. Government formally...

View More

Article

Risk Management Framework – Managing & Measuring what matters

A risk management program allows you to manage overall information security risk.  It is an approach to identify, quantify, mitigate, and monitor risks.  The reason to look at risk in a comprehensive manner is to make sure no one area is getting too much attention or, too little. Frameworks also help you identify the bigger elements of risk that need review and mitigation. Additionally, it help you to prioritize the treatment of certain risks. The adherence to risk frameworks also helps give your customers comfort that a standard risk management is in place and hence, reduce your audit burden.  Typically, a Risk Management program comprises of the following phases: Risk identification Risk analysis Risk evaluation Risk treatment Risk Monitoring A good risk management framework will have the following characteristics: Comprehensive in types of risks it covers Practical for an organization to implement Updated with current real-world risks Based on controls that can be reviewed and audited Reliable so that your vendors and customers can accept it There are many risk management frameworks that one can choose from and it important to understand the advantages of each. Common risk management frameworks include: NIST CSF SOC 2 ISO 27001 HITRUST NIST (National Institute of Standards and Technology) framework is a comprehensive cybersecurity framework (CSF).  It is very widely accepted across different company sizes and business domains. Most cyber-security professionals are well aware of this framework as it is readily available.  Although widely available and very popular there is no certified third-party audit mechanism. Hence, it can only be self-assessed.   SOC 2 Type 2 is an internal controls report based on the scope you define.  It is widely used in the United States to show the maturity of your controls.  A CPA firm that is part of the American Institute of CPAs (AICPA) conducts the audit & issues an assessment report.  The AICPA does not audit/review the assessment for completeness or quality.  HITRUST CSF is a framework that came leverages NIST, SOC, and ISO along with others to create a more comprehensive standard.  It is widely implemented in the United States by organisations in the healthcare space.  Unlike others, although there are external assessors that are involved in the certification process, HITRUST reviews all assessments and issues the certificate. Additionally, among all the frameworks above it tends to be the most expensive to implement.  It is important to choose a framework that matches your long-term security goals & needs.  At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation. This is done by augmenting our team into your security team to help steer the rollout, aid with query resolution, choosing of the right controls & workaround during mitigation advisory, facilitating the selection of vendors & products and end to end program management. 

View More

Ready to Start?

Security Compliance & Assessment Services

CONSULTING & ASSESSMENT SERVICES

PENETRATION TESTINGRed TEAM ASSESSMENTS
TECHNOLOGY STAFFING

Contact Info

E. info@accorian.com

T. +1-732-443-3468

Contact With Us

Office Address

Accorian Head Office

6,Alvin Ct, East Brunswick, NJ 08816 USA

Accorian Canada

Toronto

Accorian India

Ground Floor,11, Brigade Terraces, Cambridge Rd, Halasuru, Udani Layout, Bengaluru, Karnataka 560008, India

Ready to Start?​

Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide