Gold teaming is a tabletop engagement which can help you prepare for even the worst cybersecurity incidents.
If your organisation experiences a significant data breach or another kind of cyberattack, there will be some very tough questions.
Questions like:
- How do we inform the regulator(s)?
- How do we tell clients and customers about the cyber incident?
- How do we deal with downtime?
- Do we need to pay any fines?
- How do we claim insurance?
Gold teaming is how proactive organisations answer these and other cyber crisis management questions. Executing a gold team exercise allows an organisation to realistically test incident response processes against likely cybersecurity scenarios.
While red teaming mostly helps test and improve blue team capability, security processes, and technologies, gold teaming tests how other, non-security-orientated parts of the organisation respond to cyber incidents.
Gold teaming matters because cyber attacks impact not just IT systems but the organisation as a whole.
The fallout from a mismanaged cyber incident response can cause years’ worth of damage. We’ve seen breached companies lose their market reputation and operational capacity and even take major hits to stock prices. According to the Harvard Business Review, publicly traded companies see an average decline of 7.5% in their stock after a cyber attack. For smaller organisations, the proportional damage can be even higher.
This blog post explains how gold teaming works, when you might need to conduct one, and how this concept fits within the various cybersecurity frameworks. It was written with input from SECFORCE’s expert compliance and offensive security teams, including Nikos Vassakis, Thanos Polychronis, and Antonio Quina.
What Is a Gold Team?
A gold team assessment is a tabletop simulation of a security incident. Its goal is to assess the organisation’s capability to minimise the impact of the incident and to evaluate its crisis management capabilities.
A gold team is a group of business leaders from inside an organisation brought together to simulate the response to a possible cyber incident.
Gold teaming exercises are typically led by the CISO’s team, but they also involve leaders of other departments, such as risk, finance, and communications/public relations.
Generally speaking, a gold team should include the PR leaders who would run the communication strategy following an attack, the legal team who will handle reporting obligations, the IT leaders tasked with remediation, and so on.
On a gold team, there might be:
- CISO or another security leader.
- IT manager(s).
- Legal counsel representatives.
- CFO.
- CEO.
- Chief Compliance Officer.
- Chief Operating Officer.
As a rule, a gold team will feature management-level stakeholders in an organisation’s incident response plan.
Cybersecurity gold teams need to represent the organisation’s real-world crisis management team (CMT). The team’s composition can differ depending on the scenario being simulated. For example, if a company is simulating a broad incident that would lead to regulatory breaches, it will need more input from compliance and legal teams than for a smaller, more contained incident.
During the engagement, SECFORCE will facilitate the gold teaming exercise by preparing the workshops and scenarios (typically informed by prior red teaming or threat intelligence) and guiding everyone through the exercise.
3 Tips for Preparing for Gold Teaming
Before gold teaming happens, some variation of threat intelligence and red teaming exercises will typically take place.
Gold teaming can occur without a red team (as an ad hoc exercise) but usually takes place after a red teaming engagement to provide realistic information about potential attacking paths. The results from a red team assessment tend to inform scenarios a gold team explores.
To make the most of gold teaming, we recommend that organisations:
- Inform gold teaming scenarios with a high-quality red teaming assessment. We cover what a good red teaming assessment looks like in detail in our “6 Features of Any Good Red Team Assessment” blog post.
- Get the right people involved in the gold team. Ensure that the individuals responsible for various impacted departments are in the room for the gold teaming exercise. The stakeholders present in gold teaming need to be prepared/able to give realistic answers.
- Allocate enough time and resources. Preparing the scenarios used in gold teaming might take several weeks, running in parallel with red teaming (as outlined in the ART framework). The gold teaming workshop itself takes place over a period ranging from a couple of hours (for a simple walkthrough) to one or possibly two working days for a simulation-driven exercise.
Gold Teaming Is Getting Increasingly Important
When a major cyber attack succeeds, the fallout can be massive.
Organisations might need to inform regulators under the General Data Protection Regulation (GDPR) if consumer data is impacted. Financial institutions whose business continuity is impacted might need to report to the relevant authorities under the Digital Operational Resilience Act (DORA).
Impacted customers should be told and, depending on the scenario, advised on how to mitigate their own risks.
There may also be legal repercussions. For example, the Irish Health Service Executive (HSE) is facing 473 data-protection lawsuits as a result of the 2021 cyberattack.
Gold teaming puts your management into a post-cyber-attack situation and gives the organisation a unique opportunity to test and practise its crisis response.
As cyber attacks continue to do more damage than before, and the chances of experiencing one increase, gold teaming is something that almost every organisation should do at some level.
Red Teaming versus Gold Teaming
Red teaming tests your organisation’s security defences. Gold teaming builds on red teaming and focuses on business continuity.
Compared to a gold team, whose job is to simulate, through a tabletop approach, the business response to a cyber crisis, a red team is a realistic simulation of a sophisticated attack against the organisation, focusing on technical risks, processes and people.
The outcome of a red teaming exercise includes a remediation plan, which outlines a number of recommended steps to prevent the success of the simulated scenarios.
Gold teaming is a preview of how an organisation will respond to the complex crisis that can result from a cyber attack.
Gold teaming helps companies identify gaps in responsive processes and procedures that span all organisational functions.
It also helps organisations develop and assess communication plans for public incident disclosures and make sure they’re able to keep critical services online during and after an incident.
After a gold teaming exercise, an organisation should have some idea of the costs and impacts of cybersecurity disaster recovery. Additionally, after simulating the scenarios, the organisation will likely identify weaknesses, deficiencies, and business misalignments that may require amending.
Gold Teaming Is a Feature of These Cybersecurity Frameworks
Gold teaming is a relatively new concept as a standalone offensive security engagement.
While we expect to see gold teaming become part of more cybersecurity frameworks and possibly even regulations, as of this writing, it is only starting to enter security frameworks.
Frameworks that currently include gold teaming are:
The Cyber Operational Resilience Intelligence-led Exercises (CORIE)
The Australian framework Cyber Operational Resilience Intelligence-led Exercises (CORIE) released in 2020 (updated in 2022) includes the concept of gold teaming (a tabletop crisis simulation) as one of its three exercises.
Advanced Red Teaming (ART)
Advanced Red Teaming (ART) is a 2024 cybersecurity testing framework that includes gold teaming as an optional module. In ART, there are three gold teaming variants: a walkthrough session (WS), a tabletop exercise (TTX), and a simulation (SIM).
Designed to fit organisations with different amounts of crisis management experience, each gold teaming variant has a different degree of complexity:
- WS is a relaxed session that takes only a couple of hours and is led by a facilitator.
- A TTX goes into a lot more detail and brings in time pressure.
- A SIM is a highly involved exercise that can bring in an active adversary and happen unannounced.
The De Nederlandsche Bank (DNB), the organisation behind ART, has released a guide to gold teaming. If you are considering gold teaming, it is well worth a read.
SECFORCE’s Gold Team Consultancy Service Support
SECFORCE is a trusted, CREST-approved, offensive security service provider.
Contact us today to learn how we can help you conduct a gold teaming exercise.
Gold Teaming FAQs
Below, we go through some of the most common gold teaming-related questions.
What is gold teaming?
Gold teaming is the exercise a gold team carries out. It is a cybersecurity exercise that helps you find out how your entire organisation, not just the IT department, would react to a plausible cyberattack and its aftermath.
Gold teaming also shows you possible business outcomes from cyberattacks.
Practically speaking, gold teaming is a crisis management exercise that follows threat intelligence (TI) and red teaming (RT) exercises.
The TI maps relevant cyberattack scenarios for the organisation, and RT simulates said scenarios.
How long does gold teaming take?
Gold teaming is a tabletop exercise that can take as little as a few hours (for a limited version) to a day or two.
What does the gold team actually do?
During a gold team exercise, your team will work with a gold teaming consultant to find out the likely organisational responses to various scenarios.
Typically, this takes a question-based interview approach, with prompts such as “What do you do when this (security breach scenario) happens?” The relevant stakeholders then respond in as realistic a manner as possible.
Gold team participants will go through the plans and initial steps for containment, management, and mitigation of particular scenarios.
How are gold teaming scenarios created?
Gold teaming scenarios are most often based on the threat intelligence and the technical findings/gaps identified during the red team phase.
Who takes part in gold teaming?
Gold teaming is a collaborative workshop involving senior people from IT and non-IT departments, including legal, PR, and finance.
When does a gold team start working?
A gold team usually happens shortly after the end of the red teaming phase. This way, the crisis management exercise is based on realistic and plausible attack conditions.