What does it mean to hire the “best” red team?
The choice between a bad red team and the best red team you could possibly hire is one of the steepest risk/reward situations you will ever find yourself professionally involved in.
Hire an unprofessional red team, and you will increase the risk of:
- Damage occurring to your business as a result of red teamers exposing your organisation’s critical data and assets to unnecessary risk.
- A significant waste of company resources, time and money due to:
  - A red teaming firm not having enough experience to steer an exercise around obstacles when it runs into them. This can lead to inefficient use of resources and prolonged engagement timelines.
  - Not achieving enough coverage of security controls and simulated attack scenarios. This is often caused by a lack of experience, expertise and the required simulation capabilities (custom tooling, adaptability), and as a result it can undermine the thoroughness of the assessment and compromise the accuracy of findings.
  - Poor reporting, replay and communication practices. Even if the testing itself is conducted competently, deficient post-engagement practices can diminish the value derived from the engagement. Inadequate documentation and communication of findings hinder the company's ability to effectively mitigate identified vulnerabilities and make meaningful improvements to its security posture.
But how do you avoid this and assess whether you’ll get the best red team possible? The TIBER-EU Framework selection guide is an excellent place to start. It outlines basic requirements like insurance and background checks that you should look for in a red team.
But to hire the best red team on the market, you need to go beyond these essentials.
Since we started helping clients with offensive security in sectors ranging from fintech to IoT in 2008, the SECFORCE team has conducted hundreds of successful red team engagements.
Here’s a comprehensive rundown of what we would look for if we were trying to hire the best red team on the market.
6 Things the Best Red Team Will Have
You won't find all these attributes explicitly spelt out in a tender response or on a red team service provider’s website, so we'll also tell you how to find them.
Accreditation
Look for accreditations like TIBER-EU (Europe) and from industry bodies like CREST for any red team provider. These accreditations are challenging to get and maintain and will, at a minimum, make sure you are getting a good standard of delivery for your red teaming engagement.
Don't just take a company’s word for it, though. Always check databases such as CREST's list of accredited service providers, where SECFORCE’s own listing can be found.
Technical expertise
The best red team provider you can hire will be doing their own research into malware development and will be active in the red team arena in some way.
Look for vendors who work hard to excel technically. Check out their recent research and blog content and see if their team members participate in Capture the Flag (CTF) competitions and conferences. These are all signs that the team you are hiring is up-to-date and passionate about offensive security.
At SECFORCE, we are proud to see our team members participate and do extremely well in these kinds of exercises.
Experience
If you are going in for surgery, you don’t just want the surgeon who got the best exam results in medical school. You want someone who has successfully done the same operation hundreds of times. With red teaming, the same logic applies.
The best red team for the job will be made up of individuals who have done a lot of red teaming engagements.
A good way to check if this is the case is to look at:
a) The company’s track record, i.e., have they been doing red teaming for at least five, or ideally more than ten, years; and
b) The individuals in the company. Can you find offensive security professionals on LinkedIn who have been with the company for several years? If you can, this is usually a good sign. Good staff retention shows that the team functions well, and that's what a red team is all about: a team working towards common objectives.
Risk management and test planning
Professionalism keeps you safe and delivers value.
In red teaming, professionalism means not only being able to contain risks and design attacks with the appropriate safety precautions. It also means anticipating problems and planning leg-ups (pre-agreed assistance from the white team) so that exercises are not halted when something doesn't go as planned, such as the red team failing to gain a foothold or losing one very early on.
It's essential to ask your preferred red team vendor to formulate a test plan. Once they do this, ask them to talk you through what might happen and what they would do if something you were worried about happened.
The test plan needs to outline a risk framework in which each simulated scenario is thoroughly considered and effectively managed in terms of risk.
Communication
Perhaps the most essential part of a professional red team engagement is communication.
You want your red team to communicate proactively, seeking permissions and reporting without being prompted. This dramatically cuts the risk for you. In addition, the red team should seek to have daily calls with you to go over the actions of the day before and the day ahead, and to discuss attacks and potential risks as well as mitigation and de-escalation steps.
Look for a red team that uses more interactive communication methods (for example, chat platforms), which can help relay information between the red and the white team quickly and efficiently.
At the same time, any suggested communication channel should safeguard the confidentiality and integrity of the exchanged information as well as the secrecy of the engagement.
Versatility
A red team exercise is broad and unpredictable by nature. A red team must have enough skills to be versatile and tackle whatever technologies or environments they encounter, such as cloud systems, bespoke software, and mainframe systems.
For example, a car manufacturer that wants to do a red teaming exercise would have their own custom software and would need a red team equipped with the right people and skill sets to reverse engineer binary code and attack it like a cybercriminal might.
In this case, you should look for red teaming providers specialised in testing particular technologies such as IoT.
Hiring the Best Red Team
The act of red teaming is not systematic. Hiring a great red team isn't, either.
Some of the world’s leading organisations continue to trust SECFORCE to test their systems because they have seen us excel in complex environments with variable conditions. Our experienced and accredited testers are committed to delivering professional, ethical, and value-driven red teaming engagements.