Organisations frequently operate under the assumption that as long as their computer systems are secure, information is secure. In an effort to strengthen the security of their computer systems, they often perform penetration tests – simulated attacks on computer systems aimed at identifying vulnerabilities that could materialize into real risks. However, in reality attackers do not limit themselves to abusing the systems singled out for penetration tests or even any IT system in general. Rather, attackers today are much more sophisticated. They combine different elements that go beyond computer systems, with the objective of finding the path of least resistance. As a consequence, due to their limited and fixed scope, penetration tests alone do not adequately address the risk posed by attackers, and leave organisations vulnerable to realistic attacks.
A realistic attack generally addresses three elements of information security that are linked together.
These are:
The vast majority of cyber breaches in recent years were caused by human behavioural issues – one of the weakest links, and one that cannot be identified by penetration testing. Red teaming tests not only technical preventative controls but also human defence capabilities, which traditional penetration tests do not cover.
An important aspect of a real attack is reconnaissance. During this phase an attacker uses various tools and techniques to gather as much information as possible about a victim, in order to make an attack more successful. For example, an attacker could use open source intelligence, whereby the web and dark web are searched for relevant information on an organisation (e.g. user names, passwords, business rules, etc.). Traditional penetration tests frequently do not take this into account, due to their limited and pre-defined scope, and hence could leave an organisation vulnerable.
Red Teaming Operations enable organisations to assess their readiness for, and awareness of, realistic attacks through scenario-based controlled incidents that take all elements (human, physical & cyber) within an organisation into account.
Successful Red Teaming Operations require thorough planning to create realistic adversarial simulations for an organisation. Random attacks with random objectives will not deliver adequate benefits. The best planning comes from an in-depth understanding of the business and the organisation, which then translates into realistic scenarios, combining risk and threat management approaches. As part of the planning phase it is important to identify the key risks of an organisation. These are unique to each organisation and serve as a basis to create realistic scenario-based controlled incidents.
Our experience shows that successful Red Teaming Operations are built upon three principles.
How often do we get to watch how an actual cyber-attack happens, and see the consequences unfold before our eyes in real time? Hopefully never. We developed two videos to provide a sneak peek of what you could face. Experience the speed and intensity of a cyber-attack; as the plot unfolds, learn how companies can defend themselves, take control of the situation, and effectively fight back.
If you would like to have an initial conversation about Red Teaming Operations and Deloitte’s approach to making it a success, please get in contact with our team.