In the beginning there was pen testing. Then, developers accelerated pen testing with automated pentesting tools. Next, came the realization that instead of just one pen tester, a full team of pen testers could be deployed. Instead of seeking and exploiting security gaps opportunistically, they would perform reconnaissance work ahead of time, then plan and carry out a multi-step, multi-vector attack across the cyber kill chain, mimicking today’s sophisticated cyber heists and advanced persistent threats (APTs).
Adding to their creative faculties, red teams are equipped not only with pentesting scripts, but other advanced tools, such as the ethical hacking operating system Kali Linux, which is purpose-built for ethical hacking.
So has maturity in red teaming been achieved? Can CISOs and SOC managers finally sleep better at night? Needless to say, not quite. While red teaming is highly effective in carrying out attacks, and reporting on an organization’s weaknesses, it has its limitations.
First, performing red team exercises in-house requires using multiple instruments. Every attack vector or security control has its own testing tools. For example, challenging an email gateway, the organization’s firewall settings, and data loss prevention tool each require their own testing-ware. And running commands on these tools requires some technical expertise and maintenance overhead. Every tool has its own methodology and functionality, with no consistency across the spectrum. Furthermore, minimal remediation or mitigative recommendations are provided, if any. Examples include domain and subdomain enumeration tools used in the reconnaissance phase, online vulnerability scanners used to find unpatched systems ready for the picking, and tools that locate access credentials to test for the viability of lateral movement.
If you have the expertise and bandwidth to run these discrete tools on your own, then you’re in good shape. Still, without assembling the pieces of the controls puzzle you may be missing the bigger picture. The effectiveness of one control affects the next control in your framework. Seeing how these tools perform together would let you see where you’re most vulnerable in the cyber kill chain and reveal how you should be prioritizing your resources.
Moreover, there’s the matter of timing. Red teaming is generally not a spur-of-the-moment gig, neither when outsourced nor when performed in-house. And once an assessment is performed, it can take weeks or a month to get the report you need in order to take corrective measures. Most security professionals would agree that relying on yestermonth’s report would be like planning their vacation according to last month’s weather. The point-in-time snapshot excludes changes that have been made to your environment since the exercise. Configurations may have changed, hardware may have been upgraded, software replaced. Tools may have inadvertently been turned off or switched to monitoring mode.
After running an exercise, and fine tuning your controls, you would want to repeat the same barrage of tests of make sure your tweaking has worked. When performed only periodically, the intervals in between red team exercises leave SOC managers and security analysts wondering if their countermeasures are in fact effective.
Finally, what about the latest ransomware running amok? Red teaming and red teaming tools aren’t designed to challenge your controls against the very latest threats. As new malware variants emerge daily, this means you still have to check that your controls can identify the newest attacks’ Indicators of Compromise (IoCs) separately.
So, what would the ultimate red team look like?
It would offer continuous attack simulations, instead of periodic ones. It would be available on a moment’s notice, with no waiting line. It would challenge and probe each of your security controls across the kill chain, from attack delivery through system compromise to data exfiltration. And it would ensure your controls are up to speed on the very latest menaces—be they cryptominers, ransomworms, banking Trojans or botnet clients. Finally, it would give you a repeatable system to test and retest your controls, get insights on where you’re exposed and remediation steps to close each gap.
Breach and Attack Simulation (BAS) tools have emerged in recent years, offering security teams a whole army of red teamers on-demand. As succinctly put by former Gartner Research VP and Distinguished Analyst Anton Chuvakin, “Penetration testing helps answer the question ‘can they get in?’; BAS tools answer the question ‘does my security work?’”
With BAS, you don’t need to wait for your next red team exercise. You can have a whole army of red teamers on-demand, anytime 24x7.
As with most companies, large and small, Telit is required to confront cybersecurity with limited resources and is still expected to produce a tangible return on investment with whatever approach is chosen.” According to Telit, working with Cymulate’s Breach and Attack Simulation platform is like having a complete red team on board without the expense. Download the case study to learn more, or check out our brochure.
Cymulate blog articles by Mor Ahuvia.