All Hail the Red Team! The Value of Penetration Testing for a Cybersecurity Culture
By: Jason S. Cherry
While many organizations seek to monitor their cybersecurity posture with internal testing, such as table top exercises, simulated phishing attacks, and other proactive measures, the question always remains: is it enough to thwart a sophisticated threat actor?
This simple question, with its many complexities and concerns, was a daily inquiry for me as a former FBI executive in charge of the data presentation and storage for operations. Though my section was well versed in cybersecurity awareness and training, we held only an insider’s perspective on our protections and preparation measures. The faults in our network and training would not become known until an external threat provided us with better clarity.
While it is daunting to invite someone to test your network, the results can be extremely valuable. My section learned a great deal from an associated governmental agency that agreed to conduct a penetration test of our network. As at most federal agencies, a penetration test is a means of revealing issues in order to harden a cyber environment. See “QSMO Service Providers - DOJ,” Cybersecurity and Infrastructure Security Agency (CISA). A penetration test is a simulated intrusion or cyber-attack designed to locate unknown vulnerabilities of a digital environment. The group assigned to conduct the penetration test is sometimes called the “Red Team”.
Prior to the test, a Red Team will meet with an organization’s leaders and IT staff or vendors to discuss any concerns and identify potential areas of vulnerability in a cyber environment. Through the application of well-crafted non-disclosure agreements, scripted attacks, defined restriction zones, and other cautionary measures, the Red Team can conduct a test without major disruptions, exposure of sensitive data, or other unwanted consequences. A penetration test can be customized to meet the needs of any organization. Red Teams can even be instructed to target certain systems or direct their efforts at specific capabilities, departments, and even individual users.
When my section’s penetration test was finished, we had to reflect on obstacles such as apathy, inexperience, and miscommunication. While we were not compromised and our sensitive data remained safe, the penetration test did reveal issues that needed to be addressed. However, what was essentially a challenge to our expectations became a learning moment for the section and a turning point for our cybersecurity posture. Apathy gave way to more oversight and concern for patching, configuration control, and firewall maintenance. Inexperience and the lack of expertise were replaced by additional training and a desire to gain greater competency. Miscommunication became effective and persistent communication. The Red Team’s success became our motivation to adopt a greater “culture of caution” and to streamline our efforts.
Timing is an important aspect of the penetration test. A Red Team’s intrusion attempts can be scheduled before an organization’s table top exercise, thereby creating the subject matter for relevant discussion and examination. After a table top exercise, a Red Team can test the sufficiency of the exercise’s conclusions and confidences. In either case, the Red Team’s efforts can add immeasurable value and provide a fuller picture of cybersecurity posture for any organization, no matter its size or business type.
For more information on the topic of penetration tests, contact the author of this post.