There are plenty of good tips on what to do to make a red team engagement a success.
You might have read “6 Features of Any Good Red Team Assessment” or another blog post about how to have a great red teaming engagement.
However, to ensure a successful red team engagement, you also need to know how to avoid common pitfalls.
Your 5-Step Guide to Wasting a Red Team Engagement
The worst-case scenario for any red team engagement is causing real-world damage, such as critical service downtime, irreparable reputational damage to the organisation, or failure to de-escalate a situation such as someone getting arrested.
These things can happen, but fortunately, catastrophic outcomes from red team engagements are so rare they are almost unheard of.
More common is a red teaming engagement that ends up being a waste of time and resources. It is possible for a firm to hire a capable red team, go through an engagement, and end up no safer in the end than they were in the beginning.
Sometimes, a wasted red team can even leave an organisation less safe than it was before the test began. Nothing kills a security posture faster than false confidence.
So, should you still bother with red teaming? Of course. The learning that most red team engagements deliver creates fantastic security value. Delivering red team engagements is one of our core offensive security service areas.
To help you make the most of your next red team exercise, we’ve consulted our experts to reveal bad habits that lead to wasted engagements.
Companies that waste red team engagements do some or all of the following:
Tell the blue team red teaming is happening before it starts
Following a prolonged scoping period, you hire a talented red team and undergo an extensive pre-engagement process.
The red team gets to work and, after breaking into your email servers, finds an email you’ve sent your internal security team telling them, “There will be a red team engagement happening on this date.”
It's hard to say why some companies warn their blue teams like this, but doing so completely wastes the engagement.
Similarly, the blue team is often informed about the exercise too soon, typically as soon as it makes an initial detection.
Organisations need to trust that their red team has contingencies in place to resume testing with other attack vectors and from different angles.
Flexibility like this means that the organisation can assess blue team capabilities in triaging and attributing attacks and responding to threats under unpredictable “real conditions.” If a blue team knows a cyber attack is not real, they will not react realistically. The red team engagement will become just another tabletop exercise.
Red teams do not do anything an actual attacker wouldn't. To see what your security posture can and cannot do, you must treat red teaming engagements like real attacks.
Telling your blue team about a red team engagement ahead of time is the opposite of realism.
Being unprepared
Red teaming engagements can sometimes hit a wall, i.e., get to a point where the attacks cannot go any further. This can mean that security controls, technologies, and processes are robust in certain areas, but it should not mean the end of a red teaming exercise.
For instance, maybe nobody clicks on a phishing email because security-awareness levels are high, or accessing a privileged account isn't possible because account management policies are effective.
However, a stalled red team does not mean you're safe. Cybercriminals have much more time to attack you than a red team ever will and more places to start.
To get value from a red team engagement, you need to plan ways to give the red team a “leg up” into different starting positions in case their initial plan of attack fails. For example, you might give a red team access to a workstation account or an employee's credentials for a particular application to simulate an insider threat.
The main objective of the leg up is to allow the red team to continue with the exercise. It helps testers assess as many tiers of security controls as possible and, as a result, provide maximum testing value.
That said, any leg ups the red team gets should be as realistic as possible. There is no point in tampering with or impairing any policies or controls.
You should prepare to give a leg up ahead of time. Otherwise, you can end up with a red team trying the same thing for the entire engagement and getting nowhere.
You also need a central point of contact for the engagement. This needs to be someone with the ability and authority to rapidly ingest the information a red team gives them, make decisions, and change the operational mode of the engagement on the fly.
Self-sabotage through over-management
Just as bad as being unprepared is micromanaging a red team and ruining the realism of a red team engagement.
Whoever is responsible for managing the engagement within an organisation (the white team) must be involved in the red team engagement and trust the red team.
Unless the aim is to provide valuable feedback and steer the red team in the right direction (e.g. away from a completely unfeasible scenario), questioning every part of a red team's methodology slows the engagement's tempo and makes it less like a realistic attack.
The same is true for overly restrictive rules of engagement. For example, not being allowed to reference trending geopolitical events during phishing campaigns can also dampen a red team engagement.
If you want a realistic attack, let your red team run freely. The more creativity they have, the more they think outside the box, and the more realistic the engagement will be.
Of course, attacks and target systems should always be communicated in advance and approved by the participating teams. Attack plans must exclude vectors that could target out-of-scope infrastructure or cause tangible damage to the organisation.
Poor timing
You don't want to do a red teaming exercise during a major event like a migration to a new website.
Engaging a red team when your systems are in a state of flux will cause unnecessary overhead, confusion, and disruption. You won’t learn much, either.
It is much better to conduct a red team engagement when nothing major is happening within your organisation in terms of changes, deployment audits, or other types of activity.
Bad threat intelligence
Sometimes, companies that want a red team engagement will bring in a threat intelligence agency to profile threat actors and develop realistic attack scenarios. The red team will then simulate those scenarios. This is threat intelligence-led testing.
If the threat intelligence provided by an agency is accurate and customised to the company's environment, threat intelligence-led testing can be remarkably effective.
However, in our experience, the quality of threat intelligence providers varies.
One extreme example we’ve seen is a low-quality threat intelligence provider giving intelligence (and testing scenarios) to a red team for an environment the company being tested didn't actually have. Think testing scenarios designed for a cloud environment when the company operated entirely on-prem infrastructure. The result was several days of wasted effort.
How to Make the Most of a Red Team
Our red teaming experts all agree that what makes a red team successful is a white team (and ultimately a blue team) that really sees the red team as a learning opportunity.
A red teaming engagement is not a test of anyone's individual performance but a chance (likely the only one) to experience a real-world cyber attack with minimal danger.
Red teams are a success when everyone involved in them comes away with a better understanding of how cybersecurity works.
As one of our red teamers put it: “It's better to train yourself against us than, you know, a real attacker.”
Contact us to learn more about our red team engagement process.