Hiring red teams — good-guy hackers who probe both the physical and virtual security of a company — is an increasingly popular method that many organizations use to test their cyberdefense posture.
These penetration tests, or pen tests as they are also known, have been a staple of planning since the Cold War. Governments and militaries would enlist what were designated as red teams to identify blind spots in their security routines. (The term came into vogue because U.S. officers took the Soviet or “red” perspective.) Fast forward to the present and a host of organizations ranging from the U.S. Department of Justice to Palantir Technologies are turning to red teams to conduct pen tests to help improve their security.
The basic idea is to task an outside group with challenging the institutional bias that often grows up over time in an organization. When they succeed, red teams can help recognize the shortcomings that might leave an organization unprepared to defend against a potential attack.
But make no mistake: Red-teaming can turn out to be a very painful experience for the targeted institution, raising questions about people's effectiveness in their jobs as well as the performance of their departments. Of course, that’s the point. The exercise is designed to present clients with an unbiased - and contrarian - view of the state of their network defenses and to give management a fresh look at the effectiveness of their tactics and strategies.
It pays to think like the enemy
Security executives may find it hard to think like the enemy, let alone try to act deviously or maliciously. Ergo the need for an outside group that can do just that and assume the role of an adversary scoping out a potential target.
During the initial conversations, red teams learn what assets the organization deems most valuable or most critical. They can then get to work figuring out what methods to deploy against the defenses and hunt down the blind spots in the strategy.
But red teams are only as effective as the targeted institution allows them to be. Their success depends on being fully independent and operating fully in stealth mode. Nobody should know in advance about their activities. If the IT department gets tipped off, it will inevitably adopt measures that make it harder for the pen-test team to demonstrate vulnerabilities in the system.
At the same time, senior management must be willing to seriously consider the red team’s findings. The IT or security executives inside the organization are not going to like being embarrassed or shown to be less than competent.
To be sure, this is an unconventional way to design a cyberstrategy, but conventional wisdom in a world of ever-changing cyberthreats easily leads to trouble. Who knows but a red team might have helped Target avoid getting breached by identifying the issues with password protection and the HVAC system that the attackers would later exploit.
Red teaming isn’t a silver bullet. But it can provide a needed nudge to management to rethink the assumptions behind its security practices.
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.