I recently had the privilege of presenting at CodeBlue in Tokyo, a renowned technical security conference in Japan. It was a pleasure to share insights and engage with the vibrant security community there. For those who couldn’t attend, I’m summarizing the key points of my presentation on building effective internal Red Teams.
The evolving digital threat landscape requires a proactive security posture. Internal Red Teams, simulating real-world attackers, are a vital tool for continuously evaluating and improving an organization’s defenses. Their effectiveness, however, depends on more than technical skill: it relies on a strategic approach that emphasizes collaboration and storytelling.
What’s in a name
While the information security space is famously not very aligned on terminology, having some shared understanding of what constitutes red teaming in an internal setting is essential. Red teaming differs significantly from security reviews and penetration tests: it focuses on achieving specific adversarial goals via the path of least resistance, not on broad vulnerability discovery.
- Goal-Oriented: Red Teams simulate an attacker’s objective and the intent behind it, highlighting the weaknesses that let the attacker reach that goal. This differs from penetration testing, which aims to find vulnerabilities broadly across a scoped set of systems in an environment (again, definitions vary, but for the sake of this discussion we’ll go with that).
- Beyond Coverage: Unlike security reviews, which aim for comprehensive issue identification, Red Teams prioritize the attacker’s journey, simulating realistic attack chains end to end.
- Means to an End: Finding vulnerabilities is a tool for the Red Team, not the primary expectation. The focus is on the attack path and how it can be exploited.
Value Proposition and Limitations
Red Teams offer significant value:
- They test and evolve detection and response capabilities, acting as a “sparring partner” for the Blue Team, the Detection and Response function.
- They create awareness of tangible risks by demonstrating a full attack chain and its potential impact.
- They identify vulnerabilities along critical attack paths and highlight the most dangerous areas.
However, they also have limitations:
- They can be time-consuming and expensive, with costs potentially increasing as security improves.
- Outcomes are less predictable, and they do not provide a holistic view of system risk.
- They require significant trust and buy-in from stakeholders, due to the potentially disruptive nature of exercises.
The Power of Narrative: Storytelling in Red Teaming
Technical findings alone often fail to drive comprehensive change. By crafting an “Attacker Narrative,” Red Teams create shared experiences that resonate across different organizational levels.
- Beyond Technical Details: Adding an “Attacker Narrative” dramatically increases engagement and remediation effort.
- Creating Shared Understanding: Stories convey the attacker’s viewpoint, making risks approachable for everyone, including non-technical audiences.
- Illustrative Impact: The plasma globe exercise, as I illustrated in my CodeBlue presentation, which can also be found in the Hacking Google series, demonstrates the real-world implications of known risks, such as USB drive security, far more effectively than a generic security warning.
Elements of a Red Team story include:
- Intent and Motivation: Clearly define the simulated adversary’s goals, such as espionage or financial gain.
- Capabilities: Align the team’s actions with the simulated adversary’s resources and operational security considerations.
- Journey: Document the steps, challenges, and adaptations made during the exercise, including what did not work, to provide a realistic and insightful narrative.
Collaboration: The Antidote to Red Team Isolation
An isolated Red Team is often misunderstood, viewed as confrontational, and ultimately ineffective. Collaboration is crucial for building trust and driving meaningful security improvements.
Consequences of isolation include:
- Failure to build an “attacker mindset” beyond the Red Team itself.
- Work is often misunderstood, potentially leading to the team being perceived as a threat.
- Delivering cost without benefit if findings are not translated into actionable improvements.
- Lack of trust can lead to restrictions and concerns about touching critical systems.
Benefits of partnership include:
- Helping prioritize both known and unknown risks through dialogue with internal teams.
- Fostering a blameless culture by openly discussing the adversary’s struggles and blind spots.
- Encouraging an attacker mindset across the organization by sharing the thought process behind attack chains.
Key partnerships include:
- Detection and Response Teams: Essential for real-time feedback, incident triage, and shared learning.
- Product Area Security Champions: Help navigate organizational structures to find the right people to address identified issues, and act as advocates for getting them fixed.
- Threat Intelligence Teams: Provide crucial feedback on the realism of simulated adversaries, and in turn benefit from insights into the attack paths used in exercises.
- Legal and Compliance Teams: Crucial for navigating potential legal risks and enabling exercises that might otherwise be blocked.
Rules of Engagement (RoE): Clearly defined RoEs are vital for setting boundaries, gaining leadership buy-in, and providing transparency into the Red Team’s processes and precautions.
Sustaining the Team: Avoiding Burnout, Focusing on Impact
Red Teaming is demanding work, and the pressure to succeed can lead to burnout. Maintaining a healthy team requires a conscious effort.
- The Paradox of Success: As the Red Team improves security, its own task becomes harder.
- Reframing Success: Goals should not exclusively focus on the attacker achieving their objective. Improving detection and controls is a success, even if the Red Team is “caught.”
Mitigating burnout:
- Psychological Safety: Cultivate a culture where questions and learning are encouraged.
- Encourage Breaks: Allow team members to work on other projects, such as tooling, or take time off to avoid constant high-pressure exercises.
- No Heroes: Avoid incentivizing unsustainable efforts. Long-term team health outweighs short-term gains.
- Building a Diverse Team: Look for curiosity and creativity across a broad range of backgrounds rather than identical skill sets to simulate diverse adversaries effectively.
Clear definitions, compelling storytelling, robust collaboration, and sustained team health all help organizations harness the potential of internal Red Teams. They keep the team from turning into a disruptor and help it become an indispensable partner in building a more secure future, providing essential checks and balances for security engineering efforts.