Once you end up in a situation where you have to defend your business against those who embrace the dark side, one thing becomes clear: you really need to make sure you’re prepared.
As Star Wars’ Yoda said: “There is no try: Do or do not” - you should have confidence in whatever you do, don't just try to do something.
My previous blogs have been about the more traditional ethical hacking services like web application or network testing. This blog is about what you don’t expect.
Limiting security testing may result in unpleasant surprises: “Unexpected this is, and unfortunate...”
Limitations in security testing may leave weak spots unnoticed and can result in an unfortunate security incident just when you’re not expecting it. I encountered this recently when a customer told me during a scoping session not to test a couple of modules (APIs) and connections to certain back-end systems. Sometimes these kinds of scope limitations are introduced because the associated systems are managed by a different department or belong to another system owner. Or because that way there is no need to obtain the necessary approvals or organise test windows with other departments, and discussions about the cost and time needed for these “additional and unneeded” tests can be avoided. If the same happens with other types of security tests as well, such as physical access control testing, social engineering to understand the awareness of your people, wireless testing, etc., you may have more weak spots than you thought.
To stay in control, understand what is going on and protect your business on a daily basis, you have solid security processes and technical solutions in place. You’re using cloud services from a managed service provider that has achieved ISO/IEC 27001 certification for its information security management system (ISMS). Your networks and applications are tested frequently by a CREST accredited organisation. All your suppliers have been carefully selected and are continually re-evaluated by your vendor management team. And last but not least, your people are trained and aware of the do's and don'ts of information security. But are you really in control? Ticking the boxes, working according to best practices and trusting your instincts might just not be enough.
Never underestimate cyber criminals: “You don’t know the power of the dark side.”
Once a target has been locked on by those who embrace the dark side, they don’t let go; they exhibit a persistence and creativity that is incredibly difficult to defend against. Cyber criminals are running a business just like you, and they too need to deliver to be successful. Among those who embrace the dark side are groups backed by nation states. Not only does that mean they are “allowed” to hack, it also means that, in addition to a variety of commercial and open source tools, they may have the budget to develop “their own” arsenal of cyber weapons. We’ve recently seen these antagonists widen their hunting grounds to target businesses, in addition to traditional targets like critical infrastructure, government bodies and agencies.
Cybercriminals can be creative and unpredictable: “Difficult to see. Always in motion is the future”.
It’s a challenge to prepare yourself against the unknown: you don’t know what is coming, or when. So the real question is: how do you prepare for the unexpected? Red teaming aims to understand how prepared your organisation is to withstand and defend against attacks.
A red teaming engagement is carried out with little knowledge of what to expect. It’s a comprehensive approach that tests the full spectrum of your business policies, processes and defences without any boundaries, and it may run for months. After an initial reconnaissance phase, an attempt is made to obtain a foothold in your organisation, be that physically or via electronic means, followed by pivoting through the network in search of the crown jewels. These might be inventions, designs or company secrets, personally identifiable information concerning customers and personnel, or even share-price-affecting data.
When a red team effort is coordinated with your own security team (the “blue team”) defending against the simulated attacks, the engagement is called “purple teaming”. This joint approach aims to identify possible issues in your current technology and procedures, or a shortage of the skilled people you need to prevent an attack on your organisation. This is achieved by working closely together during the project, sharing feedback and transferring knowledge to, or training, your team as the attacks are carried out. Simulating attacks is the most efficient way to keep pace with a threat landscape that is always in motion. The ultimate purpose of red teaming is to harden your security against real-world attacks.
Ready, are you?
Find out how we can help you to determine how prepared your organisation is to withstand and defend against an attack.