Deloitte’s NSE CISO, Jitender Arora, delivered a technical masterclass at CYBERUK in Belfast on April 20th on the theme of Red Teaming. This blog gives a comprehensive overview of that masterclass and offers insights on how CISOs can build Red Teaming into their security strategies.
In the world of ever-evolving cyber threats, CISOs face an array of challenges. From dealing with well-funded, motivated adversaries and zero-day vulnerabilities to navigating the complexities of hybrid working and cloud environments, CISOs need innovative solutions and must invest wisely to stay ahead. Red Teaming emerges as a powerful tool in the CISO's arsenal, allowing them to assess security capabilities objectively and make informed decisions on defining priorities and security strategy.
Red Teaming is a proactive approach that enables CISOs to effectively prioritise investment areas by testing an organisation's preventative, detective, and resilience controls against the latest tactics, techniques, and procedures (TTPs). It helps CISOs better understand their security posture and focus on the areas that matter most, ensuring that limited budgets and resources are allocated efficiently.
One of the biggest advantages of Red Teaming is the reality check it provides. Traditional risk assessments, security dashboards, and metrics often suffer from optimism bias, while maturity model assessments, although valuable, may lack real-world testing. In contrast, Red Teaming serves as a litmus test that reveals the true state of an organisation's security posture and helps CISOs make data-driven decisions.
To get the most out of a Red Team exercise, CISOs should ensure they have a well-structured and methodical approach.
Start by gaining executive management support, as Red Teaming is intrusive and requires careful planning and oversight. The most important aspect of conducting Red Team testing is finding a competent and trusted partner who can deliver a good-quality, independent assessment: opt for a reliable and experienced team with a track record of such work. Remember, this partner will have access to your organisation's vulnerabilities, so trust is crucial.
Establish a legal contract with the Red Team provider to ensure appropriate guardrails are in place to protect both parties.
Next, define the scope and objectives of the Red Team exercise. Be specific about what you want to achieve, such as targeting critical assets, gaining control of domains, accessing sensitive data, or simulating lateral movement within the organisation.
It’s extremely important to maintain a small circle of knowledge to preserve the integrity of the test. Only a limited number of authorised individuals should be aware of the exercise.
During the planning phase, create a small control group to finalise scope, approach and oversee execution of the test. Schedule control group briefings to discuss progress, challenges, and address any questions from the Red Team. Maintain confidentiality and integrity of the test through protected briefing documents and invites.
Change is an inherent part of Red Teaming: objectives may need to shift depending on how successful the team is. Ensure that any changes to objectives are discussed, agreed upon, and documented to maintain traceability. Also, have a well-defined exit strategy for both success and failure scenarios to guarantee proper test completion and documentation.
Following the Red Team exercise, it’s important that the Red Team test report is handled and managed carefully because of the sensitive nature of its content. Establish a secure mechanism to share the Red Team report with key stakeholders on a need-to-know basis. Organise a debrief between the Red and Blue Teams to walk through the chain of events and glean valuable insights from the exercise. This is a very important step: it is where the Blue Team reviews the findings and understands the details of how each objective was reached.
Next, the Blue Team, authorised by the CISO, should review the report and draft the remediation plan, while a second-line-of-defence (2LOD) Risk team reviews the draft remediation plan to provide independent oversight and challenge, ensuring the remediation actions are effective. The remediation plan should contain immediate, tactical, and strategic actions.
It’s important to secure budget and resources for remediation activities; remediation is not a side-of-the-desk activity. It should follow a project approach with allocated funding and a dedicated team structure to undertake the necessary remediation actions. Establish a senior stakeholder oversight committee to review progress, remove any blockers, and maintain oversight of remediation progress.
Closing a Red Team exercise is an essential phase that ensures the security posture of the organisation has been thoroughly assessed and the necessary improvements have been made. To close a Red Team test effectively, CISOs should follow these key steps:
By following these steps, CISOs can ensure that the Red Team exercise is closed effectively, and the valuable insights gained are leveraged to enhance the organisation's security posture.
In conclusion, Red Teaming is a powerful tool that enables CISOs to objectively assess their organisation's security capabilities and make informed decisions on defining priorities and developing a robust security strategy roadmap.
Red Team remediation should not be treated as a side project; it requires a well-structured approach, a dedicated remediation plan, and oversight by an appropriate committee. It's essential to remember that Red Teaming is not a one-time effort but a continuous cycle that should be an integral part of any effective security program. The goal is to make it progressively harder for the Red Team to achieve its objectives during each subsequent exercise. When the Red Team says, "it was a lot harder this time and we could not achieve all objectives," that's when the true success of a Red Teaming exercise is realised.
By incorporating Red Teaming into their security strategy, CISOs can stay ahead of the evolving cyber threat landscape and safeguard their organisation's most valuable assets.