When it comes to data security, it is all too easy to fall into a trap: the trap of perspective. You are on the inside looking out, focused on all the effort that has gone into putting a robust security system in place, the time spent on testing, and the resources used in continually reviewing and updating your plans.
Yet it is important to remember that “taking every precaution you can think of” isn’t the same as “taking every precaution”. A cursory glance at the news tells us that even the largest and most sophisticated organisation can be breached. So, what can you do?
The answer is to get a different perspective. Engage with expertise from the outside where the viewpoint may be very different.
This is what a Red Team does.
Rather than reinforcing existing defences, a Red Team engagement simulates an attack, probing your defences to find the weaknesses. By imitating a highly skilled, well-resourced and motivated attacker, it gives qualified, certified consultants licence to use the same skills, tools and creative thinking that are so valuable to cyber criminals. The only difference is that they are not working for their own gain; they are working for you, within a scope and rules of engagement agreed in advance.
At this point, however, it is worth taking a step back to examine what Red Teaming is. The term has its origins in US military exercises and the intelligence community, but is now used for the service provided by professional, ethical hackers. Usually found within top-level information security consultancies, the individuals that make up a Red Team are highly qualified experts skilled in all aspects of security testing, not only the testing of networks.
With prior written permission from a client, a Red Team’s aim is to break through the hardened perimeter of the digital estate, via the weakest identifiable point, to reach the organisation’s systems and achieve objectives agreed in advance (for example, access to a particular set of data). The team will test the procedural, social and physical components of security as well as technical controls: phishing staff, tailgating into buildings, and even planting devices on your premises, just as an attacker would. In every respect they walk in the shoes of the criminal, so that they can see the opportunities from the outside looking in.
Using all the ingenuity, tools and tricks available, they seek to gain a foothold. Once inside, they tunnel command-and-control traffic back out through the ports that are almost always open in a business network, usually web traffic on ports 80 and 443, so that the devices they have planted or compromised can talk to the team’s own servers on the outside while blending in with ordinary browsing. Those servers, harmless in the team’s hands but no different in principle from a criminal’s, are then used to control the devices inside the client’s organisation.
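The callback pattern described above is exactly what a defender’s monitoring should be built to notice, and whether it does is one of the things a Red Team is testing. As an added example that is not code from the original article or from Elavon, here is a small Python beacon detector run over a handful of constructed web-proxy log lines (the IP addresses, hostnames and timestamps are made up for illustration, as are the thresholds): it groups connections by source and destination and flags pairs whose callback intervals are too regular to be a person browsing.

```python
"""Added example: spotting beacon-like callbacks in web-proxy logs.

The log below is constructed for illustration. Each line is
"<ISO timestamp> <source ip> <destination host>:<port> <bytes sent>".
10.0.0.12 is browsing normally; 10.0.0.37 calls the same external host
roughly every 60 seconds, with a few seconds of jitter, the way a
command-and-control implant tunnelled over HTTPS typically does.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.12 www.example.com:443 812
2024-03-01T09:00:03 10.0.0.12 cdn.example.net:443 4310
2024-03-01T09:00:41 10.0.0.12 www.example.com:443 1540
2024-03-01T09:07:15 10.0.0.12 www.example.com:443 2290
2024-03-01T09:08:02 10.0.0.12 www.example.com:443 960
2024-03-01T09:25:33 10.0.0.12 www.example.com:443 1105
2024-03-01T09:00:00 10.0.0.37 updates.example-cloud.test:443 320
2024-03-01T09:01:02 10.0.0.37 updates.example-cloud.test:443 318
2024-03-01T09:01:59 10.0.0.37 updates.example-cloud.test:443 324
2024-03-01T09:02:30 10.0.0.37 www.example.com:443 902
2024-03-01T09:03:01 10.0.0.37 updates.example-cloud.test:443 319
2024-03-01T09:04:00 10.0.0.37 updates.example-cloud.test:443 321
2024-03-01T09:05:03 10.0.0.37 updates.example-cloud.test:443 317
"""


def parse_log(text):
    """Group connection timestamps by (source ip, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        host = dst.rsplit(":", 1)[0]
        events[(src, host)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (connections, mean interval in seconds, coefficient of variation).

    A low coefficient of variation (standard deviation / mean) means the
    gaps between connections are nearly constant: a timer, not a person.
    Fewer than three connections give no usable interval statistics.
    """
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        return len(ts), None, None
    avg = mean(intervals)
    if avg == 0:
        return len(ts), 0.0, None
    return len(ts), avg, pstdev(intervals) / avg


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag (source, host) pairs that look like periodic callbacks.

    The thresholds are illustrative starting points, not tuned values.
    """
    flagged = {}
    for key, stamps in parse_log(text).items():
        count, avg, cv = beacon_score(stamps)
        if count >= min_connections and cv is not None and cv <= max_cv:
            flagged[key] = (count, round(avg, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (src, host), (count, avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {count} connections, every ~{avg}s, cv={cv}")
```

On the sample above only 10.0.0.37’s calls to updates.example-cloud.test are flagged; 10.0.0.12 also hits www.example.com five times, but at human-shaped intervals. Two caveats apply in practice: legitimate software updaters and monitoring agents beacon too, so regularity should be combined with signals such as the age and reputation of the destination domain and the volume sent, and a competent Red Team (or criminal) will randomise sleep times to push the coefficient of variation above a naive threshold, which is why the exercise is worth running against your real monitoring rather than a spreadsheet.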
This all sounds pretty scary, so it is important to remember a couple of key points. Firstly, the object of the exercise is not to catch you out. It is to identify gaps before a real attacker does, so that you can take steps to plug them, and to find out whether your own monitoring and response teams notice and react while the attack is under way. It is also crucial to note that a Red Team does not simply attack and leave. Qualified information security consultants will use the knowledge gained from the simulated attack to help you remediate the issues, develop a resilient strategy and improve policy making.
Even so, you are allowing a third party to breach your organisation’s security defences, potentially across the whole network. This requires a high degree of trust. So, the second consideration is to ensure that the Red Team is of the highest calibre. Check their credentials: CREST accreditation is the gold standard. CREST is an international not-for-profit accreditation and certification body representing and supporting the information security market; it accredits companies and certifies individual testers. Check their experience. Agree the scope, the rules of engagement and the emergency contacts in writing before anything starts, and only allow access to those you can trust.
As with any service, there is a cost to running a Red Team engagement. But the real question to consider is value for money. Viewed in the context of a high-profile and potentially damaging breach, the cost of bringing in external expertise is outweighed by the benefits it brings. It is not for everyone, however. A Red Team exercise assumes the basics are already in place; in many circumstances a well-scoped penetration testing schedule will suffice, and will find the same issues more cheaply in an estate that is not yet patched, segmented and monitored. It is always worth seeking expert advice on whether a Red Team engagement is right for your business.
Here is a final thought. Consider the familiar saying: “You never truly know someone until you’ve stood in their shoes and walked around in them.” Stepping into the shoes of a hacker is what the Red Team does. However, they go a lot further than that. The Red Team pushes, prods and probes; explores and exploits; identifying unforeseen vulnerabilities so that you can then take steps to further enhance your data security. And with every step you take, you are a step further away from a potential breach.
A wise man (US comedian Emo Philips) expanded the shoe-walking analogy, adding a bit of additional perspective. He said: “Never judge someone until you’ve walked a mile in his shoes. That way, when you do judge him, you’re a mile away and you have his shoes.”
Elavon can help you set up a Red Team engagement, and support you with any other PCI DSS, GDPR or Cybersecurity challenge you may face. Contact us to discuss your data security needs at firstname.lastname@example.org.