An article from James Mason, Enterprise Cyber Security, QinetiQ
As the world’s oldest formally dedicated pen testing team and founders of the CHECK accreditation scheme, QinetiQ was well placed to feature on The Cyber Scheme’s technical advisory panel to discuss red teaming. Clearer and more robust guidelines in this area are long overdue, and it has been great to work with the group to help standardise and shape the future of (cyber) red teaming.
As we all know, penetration testing has become much more closely regulated, accredited and mandated over the years, but red teaming and attack simulation less so. Red teaming is by no means a new type of testing; QinetiQ’s Attack Simulation Team have been exercising the latest threats and attacks for approximately 25 years. We have of course seen the increased use of CBEST- and GBEST-type assessments, but attack simulation should be accessible to all, just as the threats we all face are applicable to all.
It’s no secret that there are some red team horror stories in the public domain, consultants breaching the wrong premises for example. Again, this demonstrates the importance of guidelines and standards for attack simulation, from both cyber and physical perspectives. Working with a reputable team is key, and The Cyber Scheme’s red team certifications will help validate that, as is not losing sight of the aim of our industry: to make an organisation and its staff more resilient and, ultimately, their end customers more secure.
Contrary to popular belief, a red team exercise should become a collaborative exercise with the customer. It’s great to see the light-bulb moments when this becomes apparent during an exercise, replacing earlier fears.
Post-COVID, red teaming has unfortunately attracted some negative press, predominantly where an exercise has not been carried out correctly or by people with the right expertise. Instead of focusing on the negatives or the challenges facing the industry, let’s focus on the positives:
- As well as a more robust and resilient organisation, we’ve seen CISOs/Heads of InfoSec feel more secure in their positions once we’ve worked together.
- We’ve also witnessed InfoSec team members gain promotions from a single exercise and, importantly, an increase in security budgets once the findings have been independently evidenced and presented to senior management/boards. Newly allocated budget is then directed to exactly where it is needed. Not many InfoSec teams are happy with their security budgets, and in a post-COVID world CISOs typically tell us they are being asked “How can you make us more secure, with no extra spend?” While threats and attacks increase year on year, this is a really tough ask for CISOs/Heads of InfoSec, and exercises can help prompt light-bulb moments for those controlling the budgets.
- Red teaming provides rapid and accurately simulated results based on real risks and the latest attacks, evidencing to an organisation what a very bad day could look like, in an ethical and controlled manner. We often find, as a result of a red team exercise, that there are simple misconfigurations within an organisation; fixing them can rapidly improve security posture and very often costs no extra £, only time. This is also key when using a third party or MSSP: are you getting what you pay for, and how else is this tested?
- Remedial actions can potentially be applied enterprise-wide, again improving security posture; a traditionally scoped or compliance-type penetration test typically wouldn’t give this overarching coverage.
- Finally, a reputable red team exercise is a chance to learn, remediate and improve security culture enterprise-wide, and is very much not a single-person blame exercise.
Strengthen your teams by training them like they need to operate.
James Mason heads up Enterprise Cyber Security at QinetiQ, and was involved in the creation of our CSRTM Red Team Manager Assessment.