Getting The Most Out Of A Security Red Team

Justify security expenses and improve defenses through the use of an internal red team

When used effectively, a working red team doesn't just help IT security organizations find vulnerabilities in their environments. Red teams can also help organizations prove the need for increased budget in focused areas, substantiate claims of security improvements, and generally sharpen the skills of IT defenders called on to regularly defend against real-world attack simulations carried out by these in-house "bad guys."

"One of the best things I've done when starting new [security organizations] is starting a red team first," says John Walton, principal security manager at Microsoft, in charge of the Office 365 security engineering team, who uses red teams to test the efficacy of the service's security. "A red team will tend to justify additional resources. A red team can actually prove out why you need that additional investment, and can also help get the management aware of what the risks are specifically."

According to Maranda Cigna, senior IT security manager at financial services firm FIS, her organization has similarly helped her counterparts in the network and technology teams justify head count and better tell the story of the true risks faced by their assets when they aren't properly manned. In her organization, the red teams focus their work within the data center.

"We've got pen testing, in general, happening against network devices and our Web applications, but I have a specific red team that just targets and attacks our data centers, and we're spinning through that on an annual basis," she says, explaining that beyond setting certain bounds around the data center, it is crucial to let the teams be creative in how they probe their targets. "We let them organically go through, see what they find, go down whatever rabbit holes that they want. When targeting a large data center, there's no way we could actually hit every single asset in there. But it’s a good depiction of how an attack against that data center would actually happen."

Whereas many external penetration tests can be gamed by organizations that limit the parameters in which the pen tester can operate, or can simply be ineffective at thoroughly examining an environment, red teams frequently find more success. Scott Erven, manager of information security for Essentia Health, believes internal red teams are more effective than penetration testing services.

"One example: We just finished an external pen test and went through all our internal Web applications and got a big report," he says. "Then I brought in one of my interns, sat him down for four weeks, typing IP addresses. He was an internal guy, knew a little bit about health care, and he came out with a new list of 300 additional applications that they didn't find in that external report."

That's just a small example of what Erven's team does, as his organization is one of the few in health care that is fully red-teaming all of its biomedical equipment production systems, he says.

"I have not found anyone else who is doing that, in production, hooked up to patients and still exploiting them," he says, explaining his conviction that the only way to truly learn from red team activity is to conduct it live.

It's equally important to Walton, who explains that production systems are always different than test systems, and that red teams will find a set of issues there that they would never see anywhere other than in that environment.

"Your attackers are primarily going to go after that anyway," he says. "You should be aware of what your true risk is there. If you've got a good red team, where they're careful about how they approach it, I think that risk [of taking down systems] can pretty much be minimized."

One of the biggest lessons his red team has taught his organizations is how to prioritize defense of assets to defend against breach attacks. Rather than just focusing on front-end assets that are traditionally viewed as the organization's most risky assets, his red team has shown how advanced attacks are penetrating much deeper into the environment.

"So those assets that you may have deprioritized because they're back-end systems or because you thought the perimeter was secure, those things are just as important for us to maintain patches on," he says. "Our red team likes them just as much as any other asset."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
