Nathan Sherlock is VP Managed Services Client Advocacy for Herjavec Group who will be moderating a track at the April CIO Peer Forum in Vancouver. He has worked within the Managed Services field for over 10 years and is passionate about SIEM and security monitoring. Nathan holds various certifications including CISSP, CEH, GCIH, GSLC, and always strives to advance his security knowledge, while improving the security posture for Herjavec Group’s managed clients.
In our recent Cybersecurity Conversations For The C-Suite 2018 report we highlighted five areas of cybersecurity that should be the focus of board-level conversations this year. It’s time to get proactive and test your systems in 2018. One thing I always encourage is proactive testing of systems – test your back up plans, test your alerts, test us as your service provider! If you haven’t already, it’s time to work with your service providers and incorporate proactive adversary simulation, known as “Red teaming”, into your cybersecurity programs. Red teaming builds on penetration testing: rather than enumerating every weakness in a defined target, it pursues an objective the way a real attacker would, and measures whether your people, processes and controls notice and respond.
Organizations that take the time to find vulnerabilities in their networks will be better prepared to handle a cyber attack than those who don’t.
- Once an attacker has a foothold, how are they able to move laterally within the network?
- How are they able to get past the security controls that are in place, and do those controls log the attempt?
These are the questions a Red team can help answer.
So how does Red-teaming work?
Red-teaming is a security consulting practice designed to expose security weaknesses by simulating cyber attacks against an organization. It goes further than a Vulnerability Assessment or a conventional penetration test: instead of listing findings against a fixed scope, the Red team works toward an objective (reaching a specific system or data set) and reports on how far it got and what the organization did or did not detect along the way. A key component of a successful Red team is research. The team leverages common attack patterns utilized by threat actors and helps to identify risks based on the types of threats the organization is likely to face. As the organization gets better at defending against simulated cyber attacks, the sophistication of the Red team must increase as well. Therefore, Red teams must be able to leverage research in their practices to hone the organization’s defensive techniques.
In order to be effective in their exercise, the Red team must be able to identify the types of countermeasures that the organization has in place, so that they understand the environment rather than rapidly moving from system to system and tripping controls by accident. In an organized (non-blind) exercise, this information can be provided by the Blue team, which exists to play a defensive role in these exercises. The Blue team is responsible for monitoring, detecting, and defending against the ‘attacks’ of the Red team.
We recommend that the Red team should be external to the organization while the Blue team should be the organization’s internal IT or security team. External Red teams may have higher-level capabilities, broader knowledge of industry trends, and different perspectives on threat assessments.
A Red team exercise must have a clear definition of success. Success must include measuring how technology, people and processes appropriately respond to the exercise. This means documenting what assets, use cases, solutions and services are in-scope for testing and validation. Key questions prior to the exercise must include:
- What corporate assets will be touched as part of the red team exercise?
- Are these assets logging to a SIEM and are relevant alerts configured on the SIEM specific to these assets?
- Will the red team exercise access in-scope assets by passing traffic through any security solutions such as IPS or firewalls? Are these security solutions logging to a SIEM?
- What detective or preventive outcomes are expected from the security solutions – SIEM alerts triggered, IPS signatures blocked, firewall traffic denied?
- Are we running two red team tests? One to prove the detective and/or preventive technology works, and the other to prove the SOC monitoring works? It is important to test the technology before we test the people/process side of the equation: if an alert never fires, the exercise says nothing about whether the analysts would have acted on it.
- How will we prove that detective-only security monitoring technology (such as SIEM) produced the appropriate response to the red team exercise? More specifically, what SIEM alert use cases are expected to trigger a notification? Who will receive this notification during the red team exercise and confirm validation?
- How will we prove the preventive technology works? Who will validate?
- How will we prove that the SOC monitoring works, and within what time should an analyst have acknowledged the alert? Who will validate?
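The questions above amount to a test matrix: for every in-scope asset and technique, what the preventive control, the SIEM and the SOC were each expected to do, checked against what actually happened. The script below is an added example, not Herjavec Group’s tooling and not part of the original article, showing one way to reconcile such a plan against exported evidence. The asset names, use case identifiers, timestamps and log tuples are all constructed for illustration; in practice the evidence lists would be pulled from the SIEM and the ticketing system after the exercise.

```python
"""
Red team exercise scorecard (illustrative, not a vendor tool).

For each planned step, answer the checklist questions with evidence:
  - logging_seen:   did anything from the asset reach the SIEM during the step?
  - prevented:      did the expected preventive control (firewall/IPS) act?
  - detected:       did the expected SIEM use case fire?
  - soc_responded:  did an analyst acknowledge that alert within the SLA?
Technology questions (prevented/detected) are answered first; the people/process
question (soc_responded) is only meaningful once an alert actually fired.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical record types used by this example.
@dataclass
class PlannedStep:
    step_id: str
    asset: str                                   # in-scope asset the red team will touch
    technique: str                               # what the red team does against it
    expected_prevention: Optional[Tuple[str, str]]  # (control, action) expected to block, or None
    expected_use_case: Optional[str]             # SIEM use case expected to alert, or None
    start: datetime
    end: datetime

@dataclass
class ObservedEvidence:
    control_events: List[Tuple[datetime, str, str, str]]  # (ts, asset, control, action) from SIEM
    siem_alerts: List[Tuple[datetime, str, str]]          # (ts, asset, use_case) alerts that fired
    soc_acks: Dict[Tuple[str, str], datetime]             # (use_case, asset) -> analyst ack time

GRACE = timedelta(minutes=15)  # allowance for log transport and correlation delay

def evaluate_step(step: PlannedStep, evidence: ObservedEvidence, ack_sla: timedelta) -> dict:
    def in_window(ts: datetime) -> bool:
        return step.start <= ts <= step.end + GRACE

    asset_events = [e for e in evidence.control_events if e[1] == step.asset and in_window(e[0])]
    asset_alerts = [a for a in evidence.siem_alerts if a[1] == step.asset and in_window(a[0])]

    result = {
        "step": step.step_id,
        "technique": step.technique,
        # If nothing from the asset reached the SIEM, every downstream answer is suspect.
        "logging_seen": bool(asset_events or asset_alerts),
        "prevented": None,      # None = not expected for this step
        "detected": None,
        "soc_responded": None,
    }
    if step.expected_prevention is not None:
        result["prevented"] = any((e[2], e[3]) == step.expected_prevention for e in asset_events)
    if step.expected_use_case is not None:
        fired = [a for a in asset_alerts if a[2] == step.expected_use_case]
        result["detected"] = bool(fired)
        if fired:
            first_alert = min(a[0] for a in fired)
            ack = evidence.soc_acks.get((step.expected_use_case, step.asset))
            result["soc_responded"] = ack is not None and (ack - first_alert) <= ack_sla
        else:
            result["soc_responded"] = False   # nobody can respond to an alert that never fired
    return result

def scorecard(plan: List[PlannedStep], evidence: ObservedEvidence,
              ack_sla: timedelta = timedelta(minutes=30)) -> List[dict]:
    return [evaluate_step(step, evidence, ack_sla) for step in plan]

def gaps(results: List[dict]) -> List[str]:
    """Steps where an expected outcome (logging, prevention, detection, response) failed."""
    keys = ("logging_seen", "prevented", "detected", "soc_responded")
    return [r["step"] for r in results if any(r[k] is False for k in keys)]

# Constructed sample plan and evidence (hypothetical hosts and use case names).
T = datetime(2018, 4, 10, 9, 0)
PLAN = [
    PlannedStep("S1", "dmz-web-01", "external port scan", ("firewall", "deny"), None,
                T, T + timedelta(minutes=10)),
    PlannedStep("S2", "fs-01", "SMB lateral movement with harvested credentials", None,
                "UC-LATERAL-SMB", T + timedelta(minutes=30), T + timedelta(minutes=45)),
    PlannedStep("S3", "dc-01", "directory replication (DCSync-style) request", None,
                "UC-DCSYNC", T + timedelta(minutes=60), T + timedelta(minutes=70)),
]
EVIDENCE = ObservedEvidence(
    control_events=[
        (T + timedelta(minutes=2), "dmz-web-01", "firewall", "deny"),
        (T + timedelta(minutes=31), "fs-01", "auth", "success"),
    ],
    siem_alerts=[(T + timedelta(minutes=33), "fs-01", "UC-LATERAL-SMB")],
    soc_acks={("UC-LATERAL-SMB", "fs-01"): T + timedelta(minutes=50)},
)

if __name__ == "__main__":
    for row in scorecard(PLAN, EVIDENCE):
        print(row)
    print("gaps:", gaps(scorecard(PLAN, EVIDENCE)))
```

In the constructed data, step S3 produces no events at all from the domain controller, so the scorecard flags it as a logging gap before anyone argues about the alert logic; that is the reason the article insists on confirming that in-scope assets log to the SIEM before the people/process side is judged.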
I often encourage customers to perform organized Red teams and then do additional blind testing. Once we know the systems work it’s important to surprise the service providers at play and truly test the operation. Based on the results garnered from the exercise, the Red team will be able to compile a list of recommendations that the client organization should fulfil in order to strengthen its overall security infrastructure.
Red-teaming practices are critical for large organizations due to the complexity of their architectures and the confidential data stored on corporate networks. These exercises demonstrate which data has a higher risk of being exposed and help drive recommendations in order to prevent and reduce the risks of data compromise.
Purple-teaming, which can help heighten the organization’s incident response planning, takes the Red-teaming approach one step further. The Purple team (which is more of a concept, as opposed to a separate team), acts as an integrator, maximizing the efforts of the Red team and Blue team by ensuring that the defensive tactics of the Blue team adapt and scale to the threats exposed by the Red team. The Purple team drives communication, integration of defense techniques and helps maximize security efficiencies throughout the test process.
To learn more about testing your environment and to review Herjavec Group’s other Cybersecurity Conversations for the C-Suite, download the full report below. I hope you’ll also join my cyber security track at the 2018 CIO Peer Forum on April 10, 2018.
In Security,
Nathan Sherlock