Testing the Levees Before the Storm - Red Teaming and Pen Testing

Although a levee can save lives and property during a flood, as is the case with any man-made object, it has limitations and a lifespan. Its design is never foolproof and its readiness can deteriorate over time. Therefore, it’s critical that levees are tested frequently to ensure they will do their job when needed. 

The concepts of red-teaming and pen-testing in cybersecurity are quite similar to testing a levee before a flood.

Without a doubt, government agencies are assigning strategic importance to cyber security. They’re recruiting talented personnel (and attempting to overcome the cyber security employment gap), constantly refining defense-in-depth strategies, and fighting the daily battles in the trenches. But does that mean their readiness is top notch? Does it mean they have taken the time to think as an adversary, to scour the network for potential weaknesses that can be exploited, and to ultimately put the levees to the test before the storm? A reading of headlines involving successful breaches at the local, state and federal levels over just the past year indicates that the answer to those questions is a resounding ‘no.’ In fact one of the largest breaches in 2015 was a government breach at the Federal level.

It has become imperative that government defenses be put to the test before they are tested by the adversary, and red-teaming and penetration testing is a great step forward.

We discuss both of these concepts in an on-demand webinar.

The term ‘red team’ is generally believed to have its origins from the military. It involves putting defenses to the test and finding pathways to assets using the same tactics, techniques and procedures as an adversary. While the term red teaming isn’t actually that old, the concept of evaluating and knowing one’s own weaknesses has been at the core of war fighting since its earliest days. The concept is referenced in one of the cyber world’s most quoted texts from Sun Tzu’s The Art of War.

 ‘If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

The point is that in order to understand how an enemy may engage in combat and how they may be victorious, organizations need to understand their own vulnerabilities and how to mitigate them. Doing so provides an enormous advantage over the adversary – failing to do so could result in a break in the levee, which results in the most sensitive information flooding into the hands of the adversary.

Today, most government agencies are waging a constant battle in the cyber domain. Adversaries ranging from criminals to nation states to hacktivists are constantly challenging defenses with continuous attacks focused on every agency connected to the Internet. If these agencies don’t know their own vulnerabilities – as well as focus on an intelligence-led approach to security that sheds light on the motives, intent and capabilities of attackers – then they are in the fight at a significant disadvantage.

Simply hoping to never be attacked is not a successful strategy, and hoping that current resources will be able to stand up to attacks isn’t any better. In order to be successful in mitigating the impact of an attack, preparation is key. To ensure the levee can weather the continuous storm, FireEye recommends using an external red team to test the organization and its operations at least annually.

As part of the exercise, an authorized and skilled team of experts will attempt to break into the enterprise to find unpatched operating systems, holes in applications, misconfigured security controls and any route that an adversary could take to achieve their goal. Red-teaming should involve close coordination with the Security Operations team, with dedicated incident responders being added to existing security teams during a Red Team Assessment to oversee detection and response processes and provide guidance afterwards. This can greatly enhance an organization’s prevention, detection, and response capabilities.

Additionally, it is important to have an external team conduct a penetration test against the enterprise to identify complex security vulnerabilities across any software, hardware, or connected network connected.

When completed, both of these services should provide thorough mitigation information so that reports are useful and don’t simply go into a filing cabinet. In fact, the National Institute of Standards and Technology (NIST) recommends security assessments and penetration testing as part of security controls when building a security plan. NIST even signifies its importance by aligning it with high-impact information systems.

Every enterprise has important information, and as such, they should be testing to see if an adversary could get to it. Red-teaming and pen-testing can help tremendously to ensure that when the flood hits, the organization’s levee will withstand the deluge.