Almost every day, there are new stories of cybersecurity breaches wreaking havoc with the reputation and finances of yet another organization. Red team penetration testing is one of the most effective ways to proactively uncover vulnerabilities in your organization, from IoT flaws to social engineering and more. Here’s a quick primer on how red team penetration testing works, tips for managing your test and why it’s important for your organization’s bottom line.
What is Red Team Penetration Testing or Red Teaming?
Red team penetration testing is conducted by a group of highly skilled cybersecurity professionals who are given the freedom to “think like hackers” and search for vulnerabilities in your people, processes, facilities and technologies. It provides an overview of your real risks and vulnerabilities from different attack vectors and combined attacks, as well as insights into the speed and effectiveness of your cybersecurity breach response.
Sadly, many of today’s threats bypass traditional antivirus and intrusion detection solutions. While both of these are important security measures that quickly identify common issues, red team exercises take cybersecurity testing a step further, to show the breadth and depth of a potential attack.
After a red team test, you may learn:
- Network vulnerabilities
- How far the red team was able to travel in the network and which data “flags” they could capture
- Physical facility or employee training vulnerabilities that enabled a breach
- How quickly the breach was spotted and how effectively the attack was blocked
Rules of the Road
Typically, you will have the opportunity to establish your own, customized “rules of engagement” for your red team test. Consider the following important topics:
- Testing parameters: How far into the network can teams venture and what types of attacks are allowed? For example, you may decide that phishing and vishing attacks are OK, but pass on attempts to bypass security in a physical building. (Just for fun, if you’d like to learn more about the experiences of LMG’s CEO, Sherri Davidoff, as she began her career in the early days of red team penetration testing, check out Jeremy N. Smith’s book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien”.)
- Knowledge of the test: Decide which internal team members know about the testing and how many details are shared.
- Goals: You can create testing targets (a.k.a. flags) that simulate specific types of data or information in selected locations. Alternatively, you can establish specific computers or types of data for your red team to target.
- Communication: Decide how often you would like updates, when you require the red team to get approval, and who should be notified when/if your red team obtains access.
How Often do Companies Conduct Red Team Penetration Testing?
A recent poll at Black Hat 2019 found that, among the 72% of respondents who conduct red team exercises, monthly testing is now the most common strategy. The numbers are as follows:
- Monthly red team exercises: 23%
- Quarterly red team exercises: 17%
- Annual red team exercises: 17%
- Biannual red team exercises: 15%
With increasingly complex cybersecurity stacks and constantly evolving threats, a growing number of companies are opting to conduct red team exercises more frequently to reduce the risk of a data breach.
What to Look for in Red Team Penetration Testing
Red team penetration testing is one of those areas where experience and creativity make a big difference. Most junior or internal teams don’t have the training or experience to accurately simulate a cyberattack by an experienced hacker. Here are some tips for selecting the right team:
- Know your testers. Ask for consultant bios during the selection process. A red team penetration test is only as good as the consultants conducting it, so don’t be shy about asking to see qualifications.
- Look for certifications relevant to red team penetration testing, such as the SANS GPEN or Offensive Security’s OSCP.
- Make sure that the consultant(s) assigned to your test are qualified, and that the company you hire doesn’t perform a bait-and-switch for a less-experienced consultant after you sign.
- Review report samples. Look for a testing company with detailed, easy-to-understand reports, and vendor-neutral remediation recommendations.
- Ask for references. Make sure your testers have a history of providing superior customer experiences.
The Bottom Line
Red team exercises protect more than just your cybersecurity and data—they also reduce your financial risk. With the average total cost of a data breach reaching $3.9 million, the financial implications are staggering. The costs of a breach and remediation may be lower for small organizations, but 48% of SMBs still said it was likely that a major data breach would permanently shut down their business.
While it is impossible to eliminate all risk, a test by an experienced red team uncovers vulnerabilities that cybersecurity technologies don’t find. It shows you how well or poorly your breach defense plans and cybersecurity defenses perform in a cyberattack. This proactive approach enables you to reduce risks, while protecting your organization and your bottom line.
If you need help finding and closing security gaps with your people, processes, technologies and facilities, LMG Security offers expert red team penetration testing. We offer customizable testing solutions and comprehensive reports that not only help you identify the problems, but also recommend efficient and effective solutions. Contact us for more information.