The Red Team Challenge: Testing Your Cyber Defences

David Higgins, EMEA Technical Director, CyberArk, explains why we all need a second pair of eyes.

We’ve all had those moments where we spend hours looking for something – turning our surroundings upside down – to eventually find it in the most obvious place we never thought to look. Or worse, someone else steps in and finds it in seconds.

Put simply, that’s what a cybersecurity red team can do. Red Teams are designed to uncover vulnerabilities that may be hidden in plain view. But what’s the psychology and history behind them?

Why We All Need a Second Pair of Eyes

As humans, each of us processes information and solves problems in our own way. Our knowledge and personal experience shape how we interpret the world and the judgements we make. As a result, we develop “cognitive biases”: unintentional faults in our thinking that arise as our brains try to simplify complex ideas and situations.

These biases are why we need others to provide a second set of eyes or to play devil’s advocate. They challenge our thinking by helping us see things we couldn’t see before, and then force us to think critically about the other side of that issue. That has the effect of broadening our perspective of the world and, hopefully, preventing damaging blunders. Red teams were formed with the goal of putting assumptions and plans to the test in order to make teams more robust.

The Importance of Alternate Analysis through Red Teaming 

Red teaming was an exercise first used by the military to help people examine tactical exercises from a different perspective. Often this led red teams to play the role of the opponent in a simulated war game, employing various strategies and technologies to try to breach fortifications.

These origins led to the term being defined by the US University of Foreign Military and Cultural Studies (UFMCS) as “a function executed by trained, educated, and practiced team members that provides commanders with an independent capability to fully explore alternatives in plans, operations, concepts, organisations, and capabilities in the context of the operational environment and from the perspectives of our partners, adversaries, and others.”

Clearly the methodology has evolved beyond this initial military context and is now deployed in myriad other scenarios outside of the theatre of armed combat. But throughout that time, the four key ‘pillars’ of red teaming – i.e. the four behavioural impacts that it has on an organisation – have remained consistent. Typically they’re defined as: self-awareness and introspection; cultural empathy; groupthink mitigation and decision support; and applied critical thinking. Taken together, these are indicative of the extent to which red teaming is a cultural exercise as much as it is logistical.

This emphasis on culture is important because cognitive bias affects everyone and every organisation. Teams in both the public and private sectors alike can benefit from the fresh perspective that red teaming offers. In fact, such tactics are now commonly used by law enforcement and legal teams to find flaws in their cases and improve trial advocacy.

It’s therefore easy to see the potential value of red teaming methodology in a security context. Businesses today face an onslaught of cyber attacks, testing every part of their so-called ‘attack surface’, and many are responding by undertaking independent red team exercises to get insight into attackers’ thought processes while also road testing their own cybersecurity defences.

Using Simulations to Find Flaws before Cyber Attackers Do 

Security operations teams typically use red team adversary simulations to find vulnerabilities, evaluate response capabilities and identify areas for improvement in a safe, controlled setting. Within agreed rules of engagement, the red team can use the same techniques a real attacker would, while the scope is set so the exercise does no lasting harm to the business. In many cases such teams are brought in from outside, not only for advanced expertise, fresh perspectives and objectivity, but also for the element of surprise, which is hard to achieve with an in-house group.

Every red team works closely with the organisation to set the programme’s objectives around its specific concerns and security requirements. Most exercises either emulate a known adversary, using the MITRE ATT&CK framework’s catalogue of the tactics, techniques and procedures (TTPs) attributed to a specific threat actor, or model an unknown one by building bespoke tooling to breach the environment, pivot within the network and exfiltrate data.

The spate of ransomware outbreaks across the world shows no sign of abating, and demand for red teaming is surging as businesses enlist help to uncover technology and process gaps and strengthen their resilience against, for instance, new ransomware variants. These exercises typically see the red team build and run a controlled ransomware emulation whose goal is to encrypt files on a target host while evading the security controls in place, such as anti-virus, endpoint detection and response (EDR) and any special-purpose ransomware prevention tools. The organisation’s own security team, labelled ‘the blue team’ in these exercises, is then challenged to respond by running its incident response procedure: contain the affected host, block further execution and restore the affected files.
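The blue team’s side of the ransomware exercise, and the ATT&CK mapping described two paragraphs earlier, can be made concrete with a small detection rule. The following is an added example written for this article; it is not CyberArk’s tooling or any product’s code. It assumes a hypothetical, pipe-separated endpoint file-event feed (timestamp, pid, process name, action, path, optional new path), and the sample events it builds are constructed. The rule flags a process that renames many files to a single new extension within a short window, which is the footprint of bulk encryption and is tagged with the corresponding ATT&CK technique, T1486 (Data Encrypted for Impact).

```python
"""Ransomware-style bulk-encryption detector over endpoint file-event logs.

Added example for this article, not CyberArk's or any vendor's tooling.
Assumed (hypothetical) input format, one event per line:
    <ISO timestamp>|<pid>|<process>|<action>|<path>[|<new path>]
where action is "write" or "rename". All sample events are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from os.path import splitext
from typing import Optional

ATTACK_TECHNIQUE = "T1486"  # MITRE ATT&CK: Data Encrypted for Impact


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    process: str
    action: str
    path: str
    new_path: Optional[str] = None


@dataclass
class Alert:
    pid: int
    process: str
    new_ext: str
    renames: int
    first: datetime
    last: datetime
    technique: str = ATTACK_TECHNIQUE


def parse_line(line: str) -> FileEvent:
    """Parse one event line of the assumed format; reject malformed input."""
    parts = line.strip().split("|")
    if len(parts) < 5:
        raise ValueError(f"malformed event: {line!r}")
    ts, pid, process, action, path = parts[:5]
    new_path = parts[5] if len(parts) > 5 else None
    if action == "rename" and new_path is None:
        raise ValueError(f"rename without target: {line!r}")
    return FileEvent(datetime.fromisoformat(ts), int(pid), process, action, path, new_path)


def _ext(path: str) -> str:
    return splitext(path)[1].lower()


def detect(events, window_s=10, min_renames=10, ext_share=0.8):
    """Sliding-window rule, evaluated per process (pid).

    Fires when at least min_renames renames fall inside window_s seconds and
    at least ext_share of them move a file from some other extension onto one
    common new extension. One alert per pid, raised on the first trigger.
    """
    by_pid = defaultdict(list)
    for e in events:
        if e.action == "rename":
            by_pid[e.pid].append(e)
    alerts = []
    for pid, renames in by_pid.items():
        renames.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(renames)):
            while renames[end].ts - renames[start].ts > timedelta(seconds=window_s):
                start += 1
            win = renames[start:end + 1]
            if len(win) < min_renames:
                continue
            top_ext, _ = Counter(_ext(e.new_path) for e in win).most_common(1)[0]
            changed = sum(1 for e in win
                          if _ext(e.new_path) == top_ext and _ext(e.path) != top_ext)
            if changed / len(win) >= ext_share:
                alerts.append(Alert(pid, win[0].process, top_ext, len(win),
                                    win[0].ts, win[-1].ts))
                break
    return alerts


def sample_log():
    """Constructed telemetry: a benign backup job (writes only), a build step
    renaming three .tmp files to .o, and a hypothetical 'updater.exe' that
    renames 12 user documents to a .locked extension within four seconds."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(20):
        ts = (t0 + timedelta(seconds=i * 0.2)).isoformat()
        lines.append(f"{ts}|1001|backup.exe|write|D:\\bak\\f{i}.bak")
    for i in range(3):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|1002|cc.exe|rename|C:\\src\\o{i}.tmp|C:\\src\\o{i}.o")
    docs = ["report.docx", "budget.xlsx", "notes.txt", "plan.pptx"] * 3
    for i, name in enumerate(docs):
        ts = (t0 + timedelta(seconds=5 + i * 0.3)).isoformat()
        src = f"C:\\Users\\alice\\Documents\\{i}_{name}"
        lines.append(f"{ts}|4242|updater.exe|rename|{src}|{src}.locked")
    return lines


if __name__ == "__main__":
    for a in detect([parse_line(l) for l in sample_log()]):
        print(f"[{a.technique}] pid={a.pid} {a.process} -> {a.renames} files "
              f"renamed to {a.new_ext} between {a.first.time()} and {a.last.time()}")
```

With the default thresholds only the constructed updater.exe burst fires; the backup job never renames anything and the build step renames too few files. Lowering min_renames to 3 makes the .tmp to .o build step fire as well, which is the tuning trade-off a blue team meets in practice: legitimate tooling also renames files in bulk, so thresholds and allow-lists are part of the rule, not an afterthought.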

The Value of Two-Part Takeaways

At the conclusion of most exercises, findings are split into two sets of takeaways according to the actions the organisation needs to take in response. One report is aimed at the executive team and gives a bird’s-eye view of the organisation’s overall security posture, with risk-prioritised recommendations framed in terms of how the findings change the business’s overall risk. The second is a more technical report that details the vulnerabilities discovered and the remediation measures the security team should take to reduce its risk. Together these reports are valuable because they document concrete security strengths and weaknesses, show where the organisation needs to strengthen its defences and set a baseline against which future security improvements can be measured.

Many cyber attacks start off as a tiny annoyance that goes unnoticed until it does harm. Red team exercises force cybersecurity teams to think differently and see things sooner by exploiting flaws in systems and processes, as well as in human nature itself, however uncomfortable the process may be. It is easy to forget that every problem starts small, but these empowered teams have the foresight to anticipate future problems and work to prevent them before they occur, helping businesses exert more control over their own security instead of leaving it to attackers to decide.

By David Higgins, EMEA Technical Director, CyberArk.
