In the beginning, there was pen testing. Then, developers accelerated pen testing with automated pen-testing tools. Next came the realization that instead of just one pen tester, a full team of pen testers could be deployed. These “red teams” not only identified vulnerabilities but mimicked sophisticated cyberattacks to assess an organization’s security posture across the entire kill chain. Instead of seeking and exploiting security gaps opportunistically, they would perform reconnaissance work ahead of time, then plan and carry out a multi-step, multi-vector attack across the cyber kill chain, mimicking today’s sophisticated cyber heists and advanced persistent threats (APTs).
Adding to their creative faculties, red teams are equipped not only with pen-testing scripts but with other advanced tools, such as Kali Linux, a Linux distribution purpose-built for penetration testing and ethical hacking.
So, has maturity in red team security validation been achieved? Can CISOs and SOC managers finally sleep better at night? Needless to say, not quite. While red team testing is highly effective in carrying out attacks and reporting on an organization’s weaknesses, it has limitations.
Challenges with Red Team Security Tools
1. Disparate Tools
First, performing red team exercises in-house requires using multiple instruments. Every attack vector or security control has its own testing tools. For example, challenging an email gateway, the organization’s firewall settings, and its data loss prevention tools each requires a different testing tool. Examples include domain and subdomain enumeration tools used in the reconnaissance phase, online vulnerability scanners used to find unpatched systems ready for the picking, and tools that locate access credentials to test whether lateral movement is viable. Running commands on these tools requires technical expertise and carries maintenance overhead. Every tool has its own methodology and functionality, with no consistency across the spectrum. Furthermore, minimal remediation or mitigation recommendations are provided, if any.
2. Fragmented Snapshots
If you have the expertise and bandwidth to run these discrete tools independently, you’re in good shape. Still, without assembling the pieces of the controls puzzle, you may miss the bigger picture. The effectiveness of one control affects the next control in your framework. Seeing how these tools perform together would let you see where you’re most vulnerable in the cyber kill chain and reveal how you should be prioritizing your resources.
3. Long Lead Time
Moreover, there’s the matter of timing. Red teaming is generally not a spur-of-the-moment gig when outsourced or performed in-house. And once an assessment is performed, it can take weeks or months to get the report you need to take corrective measures. Most security professionals would agree that relying on yestermonth’s report would be like planning their vacation according to last month’s weather. The point-in-time snapshot excludes changes made to your environment since the exercise. Configurations may have changed, hardware may have been upgraded, and software replaced. Tools may have inadvertently been turned off or switched to monitoring mode.
4. Non-Repeatability
After running an exercise and fine-tuning your controls, you would want to repeat the same barrage of tests to ensure your tweaking has worked. When performed only periodically, the intervals between red team exercises leave SOC managers and security analysts wondering if their countermeasures are, in fact, effective.
5. Missing Threat Intel
Finally, what about the latest ransomware running amok? Red teaming and red teaming tools aren’t designed to challenge your controls against the very latest threats. As new malware variants emerge daily, this means you still have to check that your controls can identify the newest attacks’ Indicators of Compromise (IoCs) separately.
Your Dream (Red) Team
So, what would the ultimate red team look like?
It would offer continuous attack simulations instead of periodic ones. It would be available on a moment’s notice, with no waiting line. It would challenge and probe each of your security controls across the kill chain, from attack delivery through system compromise to data exfiltration. And it would ensure your controls are up to speed on the very latest menaces—be they cryptominers, ransomworms, banking Trojans or botnet clients. Finally, it would give you a repeatable system to test and retest your controls, get insights on where you’re exposed and remediation steps to close each gap.
Breach and Attack Simulation (BAS) tools have emerged in recent years, offering security teams a whole army of red teamers on-demand. As succinctly put by former Gartner Research VP and Distinguished Analyst Anton Chuvakin, “Penetration testing helps answer the question ‘can they get in?’; BAS tools answer the question ‘does my security work?’”
With BAS, you don’t need to wait for your next red team exercise. You can have a whole army of red teamers on-demand, anytime 24×7.
As with most companies, large and small, Telit is required to confront cybersecurity with limited resources and is still expected to produce a tangible return on investment with whatever approach is chosen. According to Telit, working with Cymulate’s Breach and Attack Simulation platform is like having a complete red team on board without the expense. Download the case study to learn more.