It’s common to hear the phrase “never leave security to chance” in business. Given the rapid advancement and persistence of cybercrime, chief information security officers (CISOs) need the ability to deploy offensive security measures to protect their networks. One way to do this is to employ a team of hackers to proactively protect the organization’s data and infrastructure.
A capable offensive hacking team can conduct advanced penetration testing and bug discovery within the organization and deliver technical leadership when executing tactical, comprehensive assessments. Members of this team of hackers should have an affinity for advanced attack techniques and a passion for spotting vulnerabilities.
Encouraging Information Sharing
In organizations that have a security operations center (SOC), a red team is deployed to continually prod the organization’s security posture. This can also be a specialized third-party entity tasked to emulate cybercriminal behaviors and techniques as realistically as possible. In return, the red team shares intelligence with the blue team, which defends against these mock attacks.
Due to the attitudes and practices inherent to each role, there are many challenges surrounding the relationship between red and blue teams. Here are a few examples:
- Red and blue teams have ideological differences. Often, neither team is properly trained to share information with the other, thus defeating the purpose of the exercise. Moreover, blue teams tend to be risk-averse, while red teams are typically more reckless.
- Red teams are absorbed within the organization and limited in their ability to conduct assessments, which diminishes their charter and value considerably.
- Red-on-blue exercises are not always seen as integral to the organization’s ability to combat vulnerabilities. As a result, metrics are commonly not shared between the teams and management.
To address these challenges, security leaders should consider installing a purple team to act as a crucial bridge and facilitate information sharing between the red and blue teams.
Assembling the Right Team of Hackers
When building red and blue teams, it’s important to ensure that candidates are willing to work in harmony and share ongoing metrics related to their activities. It is not enough to simply conduct routine penetration testing in lieu of hiring a red team to go against your blue team defenses. CISOs should take the following steps to overcome these obstacles:
- Choose team members carefully. Candidates should be highly skilled in discovering vulnerabilities and defending against attacks. Above all, these team members must be willing to share information with their counterparts.
- Get the teams together. At the onset, gather the team members to reach consensus and secure buy-in on the overarching strategy. Instruct them to conduct a thorough analysis of risks and vulnerabilities and then devise a response plan. The overall goal is for the teams to practice discovering vulnerabilities and reporting metrics to management.
- Spread awareness. People are the weakest links in any security program. Even with the strictest controls over your data, adversaries can exploit employees’ behaviors. Red teams should conduct unannounced exercises, such as staging phishing email campaigns to determine which users might click on a malicious link or open a malware-laden document.
- Go beyond your perimeter. Cloud solutions introduce additional security challenges. It’s important to consider all the legal implications, such as service-level agreements (SLAs), to determine whether the red team has the right to test against the provider’s defenses.
Seasoned CISOs understand that information security is always a moving target. Adversaries are extremely sophisticated and will stop at nothing to breach your organization. Moreover, the organization’s network infrastructure, applications and employees are always changing and adding complexities to your security program. Each one of those changes presents a far different attack footprint, and teams of hackers are well-equipped to discover those vulnerabilities and predict unintended consequences before they can damage the organization.