Consider Deploying a Red Team at Your Business

Protecting a company from attack by third parties intent on stealing money, data — or both — is a constant challenge. Companies must anticipate where the threat is the most severe and defenses are the weakest and dedicate the appropriate resources there.

However, given the complexity of a company’s information technology environment, as well as its physical footprint, it is often a challenge to identify and prioritize which areas in the organization pose the greatest threat.

Understanding how the enemy views your company’s infrastructure is critical to deploying a robust defense. Companies of all sizes are asking “red teams” — covert teams of experienced professionals — to launch attacks against their infrastructure and report back on the findings. For example, companies that are interested in assessing their network security can engage a team of network intrusion analysts who have experience penetrating corporate and government networks.

Regardless of the exact makeup of the teams deployed, the primary goal of a red team is to find the weaknesses in your company’s IT and/or physical environment. Simply put, if the red team can uncover vulnerabilities, so too can attackers. Before your company deploys a red team to probe its defenses, think about the following elements of the team’s responsibilities and feedback process:

Where do you find a red team? Since red teams are frequently used in the government sector, companies that hire former government employees regularly deploy the red team approach. Although some very large companies have internal red teams, most businesses engage a third-party firm to conduct the testing. Many professional service firms provide red team services to their clients. Ask your attorney or CPA for more information. Ideally, the firm selected should have experience in both the public and private sectors as best practices can be uncovered in either arena.

Start with the end in mind. The end result of the team’s work must be actionable intelligence that places the company in a better position to combat attacks. To that end, ask the red team leader to provide an example of the report that your company will receive at the conclusion of the exercise. Unfortunately, despite the best intentions, companies can sometimes be overwhelmed with the results of the red team exercise and fail to implement a plan to bridge gaps uncovered during the process. While selecting a professional services firm to conduct the red team exercise, take time to ascertain how much experience it has helping companies address the gaps uncovered during the process.

Test the red team’s defenses. Given the highly sensitive nature of the work that red teams conduct, it is important that members of that team treat the information uncovered as highly confidential. The professional services firm must have processes and technology in place to prevent unauthorized access. Before engaging a firm, ask how it protects customer and client data. For example, is client data shared on a central server within the company’s offices — or placed on a third-party cloud server? How will the firm ensure that only those with a “need to know” will be granted access to the data?

Convene a steering committee. In anticipation of the red team exercise, it is important that your company form a steering committee with representatives from the departments most likely to be affected by the exercise. Before sharing information regarding the red team project, require that all steering committee members sign a non-disclosure agreement. Doing so will impress upon the members that the company views the exercise as highly sensitive and that secrecy must be maintained in order for it to be beneficial. Timing is important in red team exercises. A company needs to test during a time when other important IT projects and upgrades are not going on. Further, in the event that the team triggers red flags in a particular area of the company, the department head should be able to monitor his or her department’s response without losing focus since ultimately he or she knows it is part of an exercise.

Suspend disbelief and interference. Since the red team’s approach is supposed to mimic the activity of a criminal or attacker, it is not meant to be a highly structured event that is defined by the same people and thinking that created the company’s defenses in the first place. The red team must be able to explore the company’s defenses with relatively few limitations — just as an attacker would do. Short of inflicting harm on a business and creating significant financial losses, the red team should be allowed to conduct their work unimpeded. The key concept that staff members must firmly grasp is that attackers intent on overcoming your company’s defenses are typically limited only by their imagination and the time needed to defeat your organization’s countermeasures. The same should apply to the red team’s efforts.

Share results on a need-to-know basis. At the conclusion of the exercise, your company should make sure the intelligence gathered during the process is only made available to those who have a defined business need. In addition, ensure that all meetings that take place within the organization to discuss the red team findings are controlled to prevent the introduction of individuals who have not been suitably briefed on the purpose of the exercise and the associated sensitivity of the data.

Look beyond your company’s infrastructure. Depending on the size and nature of your company’s business, employees may be asked to travel domestically as well as internationally. When they do so, they are obviously subject to an entirely different set of risks than are present in their offices. For example, if employees travel to foreign countries, has your company taken the time to determine which hotels offer the best physical security so that laptops and smart phones are less likely to be stolen? If employees use wireless networks while in the hotel, what protections can your company put in place to minimize the potential that data will be intercepted by a third party? Hotels and offices overseas can be easily overlooked if an organization’s people and assets are largely concentrated in the company’s home market.

Red team exercises are not a one-time event. As your business grows, the risks that it faces change. Periodically, your company should consider re-engaging the red team to conduct additional exercises. In fact, conducting regular tests can reduce your company’s risk exposure and the associated costs involved in remediating potential gaps. The drive and determination of would-be attackers seldom waver. A commitment to use red teams over an extended period can ultimately help your company deflect attackers and will help reveal system vulnerabilities. Your competitors may not be so prepared.