By Charles White, FCIIS, CEO of The Cyber Scheme
An awfully long time ago (thirty odd years) when I started out in the cyber security profession, I was fortunate enough to work alongside Professor Neil Barrett, a leading figure in the world of cyber and an expert witness to boot. At the time security testing was a relative novelty and there weren’t many companies capable of providing testing services. The perceived threat was from the ‘script kiddie’ in his bedroom taking advantage of basic configuration errors or exploiting ‘1234’ passwords. It was a different world.
At that time we adopted an approach which we called scenario testing, mimicking the activities of the real-world attacker, the fundamentals of which we still deploy in our assessments at The Cyber Scheme today. It has since become abundantly clear that the rush to deploy technology has left a primarily insecure ecosystem, and it mattered not what ‘scenario’ was played out – root access was always the end result.
Move forward a few years and we have the advent of IT departments, working tirelessly to tighten security, and succeeding while the threat level was still relatively low. Legal and regulatory frameworks began to emerge (DPA, PCI, CHECK etc.), resulting in security testing becoming refocused on specific technologies, infrastructure or applications (much to the annoyance of testers whose scope was either limited to a single box or whose ‘out of scope’ list ran to 30 pages of connected devices). This was evolution, a time when technologies were tested, fixed, patched, rewritten and then tested again.
The evolution has come full circle. What we now find is a return to ‘scenario based testing’ – what today is described as Red Teaming. Of course today the threat is no longer the ‘script kiddie’ or the proliferation of bad passwords that any skilled amateur can exploit. Nowadays, new technology rarely gets rolled out if it’s inherently insecure (the recent PSTI Act being a prime example of how legislation is acknowledging technology advances). The amateur has been replaced by Serious and Organised Crime, crime syndicates and in some cases Nation States. These groups operate at a level which is not limited in scope or budget or time or effort but only by tradecraft. We now see testing moving back to mimicking these types of attacker and reproducing their methods. Companies need to understand their vulnerabilities from every angle – a penetration test with a scope limited to internet-facing IPs is useful but no measure of the true risk an organisation faces.
So here we are thirty years later, with Red Teaming on the agenda of every client and promoted by every security consultancy. What is missing is a benchmark that demonstrates that the individual leading this sort of activity is skilled, knowledgeable, understands the tradecraft, is well versed in risk and risk analysis and can manage and orchestrate a team of highly skilled security testers. This is not a role synonymous with individuals learning their craft but with senior operators who are already engaging in Red Team engagements.
Yes, there are other Red Team Manager accreditations out there, most of which lend themselves to one particular scenario, like CBEST, which is synonymous with threat intelligence led red team engagements into the financial sector, but Red Team assessments can and should come in all shapes and sizes:
Threat Assessment led (‘what is my threat and from who’)
Threat Intelligence led (‘what are the APTs being used by potential attackers’)
Scenario Red Teaming (‘I’ve outsourced my IT department, what does that mean for my security?’ or ‘I’m a research institute, will I be a target and what might they attempt?’).
What CSRTM assesses is the skills, knowledge and experience of an individual, aligned to the assessment approach adopted by the UK Cyber Security Council, the UK Government’s nominated body accountable for all professional cyber security related qualifications. The Cyber Scheme Red Team Manager assessment has been designed by leaders in the security testing arena and created so buyers can have confidence that engagements are conducted with due skill, care and the ethical standards dictated by a Chartered Institute.
In a poll we conducted two years ago, the most important thing for all security testing companies was that we introduce a professional qualification for a Red Team Manager. When we recently carried out a survey of the buying community, it was highlighted that buyers struggled to differentiate between competent and skilled suppliers and others just promoting Red Teaming as a dressed-up Penetration Test. That is why we have created CSRTM – industry need and evolutionary imperative.
As a final thought… Anne Keast-Butler, Director of GCHQ, spoke at CYBERUK 2024 about the cyber threat from China, as well as the destabilisation caused by Iran and the ongoing conflict in Ukraine. Geopolitical cyber threats are impacting the economy and are potentially harmful to life as we know it. It’s very clear that not everyone shares our values of liberty or respects our rule of law. These actors cannot be allowed to prevail.
Please look at the resources on our website for further information. CSRTM will be launched in July 2024 and we will create a register of qualified Red Team Managers to further enhance our standardisation and professionalisation agenda.