These days, cyberadversaries bring different capabilities and objectives to each new cyberattack, which has forced organizations to evaluate their existing cyberdefense mechanisms more deeply and introspectively. The SolarWinds attack is an example of the kind of targeted attack that can affect hundreds of enterprises worldwide. 1 Red, blue and purple teams are often used to strengthen the cyberdefense mechanisms of organizations against these advanced attacks. 2 In particular, red team exercises are a useful method of gauging the effectiveness of a variety of cybersecurity controls.
Red teams consist of consultants and team members who wear the hats of adversaries and try to emulate real-life cyberattack scenarios on client organizations based on mutual agreements.
An organization’s in-house IT security and security operations center (SOC) team members who fight against cyberattacks are considered blue team members. Blue team members need to ensure that the organization’s critical information assets are secured against the various kinds of targeted attacks that adversaries, and the red team members who mimic those adversaries, may launch against them.
A purple team is a team of cybersecurity professionals playing the roles of both the red team and blue team in an ongoing and integrated manner to provide reliable cyberassurance to organizations that employ them. As a red team, they collect the intelligence on tactics, techniques and procedures (TTPs) used by adversaries. Then, as a blue team, they analyze the TTPs and configure, tune and improve the incident detection and response capability of the organizations who employ them.
Enterprises should consider setting up a cybersecurity team staffed by red, blue and purple team members who work together to improve the enterprise’s cyberresilience capabilities using their offensive, defensive and mixed cybersecurity skills. In addition to red, blue and purple teams, global enterprises have introduced the concept of yellow, orange, green, black and white teams, all of which work together using their respective skills and capabilities to strengthen the enterprise’s cyberresilience; these are called rainbow teams. 3 Each team’s role is outlined here:
A red team exercise is a formally approved, planned, risk-managed and objective-driven cybersecurity assessment that simulates targeted attacks against an enterprise, with the goal of overpowering its existing cybersecurity controls and penetrating its IT network. Red team exercises use the same TTPs employed by real-life adversaries such as hackers. The outcome of these exercises can help an enterprise measure its cyberresilience and its ability to defend against a variety of cyberattacks. The objective of a red team exercise is not just to identify vulnerabilities that can be exploited, but to actually exploit those vulnerabilities and showcase the failure of the enterprise’s cybersecurity controls. Figure 1 depicts the desired layers of cybersecurity controls in an enterprise.
In addition to red teaming, enterprises may conduct a variety of other security assessments, such as vulnerability analysis and penetration testing (pen testing). The objective of vulnerability analysis is to identify potential vulnerabilities in a targeted system. Automated tools are available for this type of analysis. The objective of pen testing is to find and exploit vulnerabilities in a targeted system. The objective of a red team assessment is to test the enterprise’s incident detection and response capabilities. Figure 2 depicts the major differences between red teaming and conventional pen testing.
Red team exercises can be planned and delivered based on the cyber kill chain. 4 Figure 3 depicts an example of the various phases of a cyberattack on Society for Worldwide Interbank Financial Telecommunication (SWIFT) infrastructure driven by this cyber kill chain framework.
To plan and deliver red team engagements in an effective manner, enterprises should consult best practices; several guidelines and frameworks are available. 5, 6, 7, 8 Most global enterprises hire specialist service providers to carry out red team exercises; some do it internally, which may not achieve the desired results. Hence, it is advisable to hire an independent third-party security consultant to plan and execute the three phases of red teaming:
The third-party consultant, along with the client, defines the attack scenarios to be considered and the ROE. As an example, figure 4 uses the COVID-19 pandemic and the business disruptions it created to outline the scenarios for a red team exercise specific to the banking sector.
Next, the client and the consultant need to discuss and agree on the ROE. These rules define the agreed-on targets and how they will be attacked, the boundaries of the exercise and the processes that must be followed, the permissions required to carry out the engagement and the legal responsibility in the event of unexpected system outages, business disruptions or financial losses resulting from team members’ negligence. This ROE document must be signed by representatives of both the client enterprise and the third-party consultant, and it should be preserved in a secure manner for future reference. The ROE must be established before initiating the red team exercise, as they help an enterprise determine the acceptable level of risk that may be introduced during the exercise. In addition, the ROE should answer the following critical questions:
Execution
After finalizing the attack scenarios and ROE, execution of the engagement can begin. The exercise is carried out in the following stages:
Reporting
At the end of the red team exercise, a detailed assessment of the enterprise’s cybersecurity posture and cyberresilience is issued. The report should include details such as:
Red team exercises need to be conducted periodically to help enterprises ensure that their rainbow teams are ready to defend against and respond to dynamically emerging cyberattacks. Most red team assessments identify a number of weaknesses in the design and implementation of a variety of cybersecurity controls. Based on the findings reported by red teams, rainbow team members should discuss countermeasures to mitigate these weaknesses. Having the support of senior management is critical, and the outcome of the red team assessment should be reviewed and discussed by technology and management teams to identify areas that need improvement. In general, red team assessments help enterprises:
Periodically carrying out red team exercises enables enterprises to assess their ability to defend against newly emerging cyberattacks. Given the increased number of staff working remotely due to the COVID-19 pandemic, it is more important than ever that enterprises protect their information and communications technology (ICT) supply chains and network architecture from cyberattacks. Red teaming helps identify potential gaps and weaknesses before adversaries can exploit them. Performing a red team exercise once per year can be highly beneficial, especially if it is well aligned with the enterprise’s overall cybersecurity program and risk posture. Cybersecurity leaders should leverage the collective experience and capabilities of their rainbow team members and, on an ongoing basis, identify and implement the TTPs and training required to improve those capabilities. The result will be greater improvements in the enterprise’s cybersecurity posture.
Is the head of the information security department at Bank of Sharjah. He is responsible for the bank’s end-to-end cybersecurity program, coordinating cybersecurity efforts within the banking operations spread across the Middle East. Mani is also responsible for coordinating bankwide cybersecurity strategy and standards; leading periodic security risk assessment efforts, incident investigations and resolution; and coordinating the bank’s security awareness and training programs. He is an active member of the ISACA® Dubai (UAE) Chapter. He can be reached at vimal.consultant@gmail.com.