How to test your incident response using red teaming

Request a quote
27 May, 2020

How to test your incident response using red teaming

Security experts across the globe often emphasize that absolute security is a myth. Organizations must not fall into the oblivion that since they have implemented all possible security measures, they cannot be attacked. Considering the ever-evolving threat landscape, this state of oblivion can do more harm than good. Maintaining the security of IT infrastructure is a continuous process, and as BreachLock experts say, organizations shall strive to achieve the highest level of security possible, and then maintaining it consistently. It becomes imperative for organizations to ensure that the required procedures, policies, and protocols have been implemented so that their cyber resiliency increases.

As we discussed in our previous post, an organization must adopt a multi-fold strategy to enable its IT infrastructure to defend against sophisticated threats constantly. In this article, we will be elaborating on what is red teaming and how can it help your organization in testing its incident response plan.

What is red teaming?

A red teaming exercise goes beyond a traditional penetration testing exercise by exactly replicating the Techniques, Tactics, and Procedures (TTP) of a real-life attack in the same manner as it would be carried out by an actual adversary. It is believed that the value of a red teaming exercise can only be realized when the least number of individuals know about such an exercise being conducted. This means that the organization at large is not informed about an ongoing red team exercise.

A red team is mostly independent of an organization, but there can be a dedicated internal team responsible for red teaming exercises. Unlike the red team, the blue team is on the other side of the spectrum, which is responsible for defending an organization against cyberattacks, irrespective of whether they are simulated or not. Blue team is generally referred to as the internal security team. Though collaboration is recommended in many IT services, the red team and blue team must function in isolation with each other, so that test results are useful for an organization.

The primary objective of a red team exercise is to perform a real-life attack scenario to identify potential threats to an organization’s IT ecosystem from a broader perspective, rather than being confined to a specific set of identified assets. When a red team is conducting its exercises, the effectiveness of its counterpart blue team in defending against an attack can be analyzed. If they fail to defend an attack, how quickly they respond to a security incident is another valuable result for an organization.

The red team members are expected to have specialized skills and proven experience in areas such as system architecture, software development, penetration testing, and social engineering. Every team member in a red team must be capable of thinking outside the box so that complicated and sophisticated attack vectors that cannot be easily detected by automated tools are designed and used to carry out attacks.

Red teaming and incident response

Before the red teaming exercise starts, the red team carefully plans how they will be launching their attack. Their arsenal of tools may include automated as well as manual testing tools. Red teams combine the power of tools with human intelligence to identify the weakest links in an organization’s IT infrastructure. Further, a red team may be provided with information such as user behavior data of employees, the organization’s current security posture, and recent incidents of information security policy defaults made by employees.

Using this information, a red team can devise an appropriate attack plan so that the target organization is hit at its lowest. The focus of a red team is to manually create a plan that is going to have maximum impact on the organization’s IT infrastructure. BreachLock experts believe that if an organization is found to be resilient when it is hit at its lowest, it can be considered to be capable of dealing with advanced attack vectors employed by real-life adversaries.

When a blue team (or the internal security team) detects that an attack is being carried out, the organization’s incident response plan will come into motion. Red team exercises test the expectations and preparedness of the blue team to deal with a security incident. On one end, the red team attempts to use its tactics to launch an offense, the blue team, on the other hand, defends against the attack while at the same time ensuring that downtime is minimum and effects on usual business operations are minimized.

While implementing an incident response plan or testing it in controlled settings may give perfect results; however, the loopholes are only identified when a real attack is detected. While the red team is carrying out an attack that is defended by the blue team in real-time, the question of whether the organization’s incident response is working or not is answered over the course of an attack. Here, if the red team is provided with various pieces of information, their attack can be considered as one of the worst attacks the organization may face as they are aware of an organization’s technical infrastructure. At the same time, the same may not be the case with most adversaries.

To conclude, there is no red team without the blue team and vice versa. No team is more important than the other as both have to work in tandem to protect an organization from adversarial attacks. A blue team uses threat profiling, detection systems, SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response), and system hardening techniques for defending against the attacks. In contrast, the red team tests resiliency by performing an attack that would be most likely launched by an actual adversary. By conducting red team exercises, an organization is not only able to find vulnerabilities and weak points in its IT infrastructure, but it can also utilize the results by improving its incident response plan after every exercise. As stated earlier, security is a continuous process, and hence, the incident response plan must evolve as threats evolve with time. Read here to know more about how BreachLock helps its clients in conducting red team exercises and improving their incident response plans.