The Red Team Is Here to Help
Companies can strengthen their response capabilities by pitting internal cybersecurity staff against trained security experts.
by Christine Neff
In Cybersecurity, a Strong Defense Sometimes Requires a Real Attack
What information, if stolen, sold or publicly leaked, could bring down an organization?
Customer credit card numbers? Patient healthcare records? Board meeting minutes? Intellectual property? A private email that would irrevocably damage the brand and introduce legal repercussions?
In today’s digital world, it’s fair to say that the odds are not in favor of enterprises that collect sensitive information and try to keep it completely safe from cyberattacks. The number of cyberattacks has increased dramatically in recent years — 2015 saw 781 recorded data breaches in the United States; by the end of August 2016, 741 had already occurred, according to the Identity Theft Resource Center.
“Customers and organizations need to realize today that they are going to be breached. It’s going to happen,” says Ryan Broadfoot, StrikeForce managing consultant at DXC.
With this knowledge comes a certain level of responsibility. The typical enterprise approaches cybersecurity by adopting more cyberhardware, increased vulnerability testing and vendor security patch deployment — but industry experts understand that far more needs to be done to ensure that effective cybersecurity controls are being implemented.
The focus, says Broadfoot, should be more on data, less on technology. Enterprises should evaluate all cybersecurity realms, including the people and processes that make up their security apparatus, and make strategic improvements to holistically improve their cybersecurity posture.
“It’s just too hard to keep up with patches and updates,” agrees Jason Hoerner, managing consultant at DXC’s StrikeForce. “Instead of telling the customer or organization what is wrong or broken, you need to start to bring in their defensive layers and work with their team to make their response capabilities stronger.”
The way to do this? By allowing organizations to evaluate their cybersecurity program against real-world threats through a digital attack simulation service.
Black-hat simulations by the Red Team
DXC is on the forefront of this approach with a StrikeForce offering called Digital Attack Simulation. The process pits the “Blue Team” — a client’s internal cybersecurity staff — against the “Red Team” — a group of trained security experts — in a cyberattack simulation designed to mimic real-world threats with extreme accuracy.
After much planning and with the organization’s blessing, the Red Team attacks the client’s systems, deploying the same tactics, techniques and procedures that real-world cyberthreats follow while conducting their own cyberattacks. “We start performing recon and attacking the client as if we’re a real attacker,” Hoerner says. “We try to identify their attack surface exposed to the Internet, their key targets of value and find the easiest point of entry into their network.”
If the Red Team finds no network vulnerabilities — score 1 for the Blue Team — it escalates the simulation to social engineering tactics — attacks that rely on exploiting psychological weaknesses in people — in an attempt to gain access to the organization’s environment. Once access has been achieved, the Red Team scours the organization’s systems to locate sensitive information that would quantifiably affect the client’s business, all before the Blue Team realizes the cyberattack has taken place.
Detection can take some time for organizations with immature cybersecurity teams, Hoerner says. In a recent engagement, the Red Team spent several months inside a target network without being detected and uncovered highly sensitive information, including screenshots, that would have “brought the entire company down,” he says.
Instead of an actual cyberthreat conducting the same attack and causing significant damage, the client and DXC worked together to build up the cybersecurity team and prevent real-world attacks of the same nature in the future. This involved improving log visibility for a better audit trail, detection of previously ignored attack patterns, and a response plan that revealed choke points when put into action.
The goal, then, goes beyond penetration testing, which proves a client’s vulnerabilities, to actually improving the client’s response capabilities.
And the results are noticeable: An organization that participated in a 14-month project with four attack simulations reduced its own detection and response time from an initial 42 days during the first attack to 13 days during the second, 3 days during the third and just 4 hours during the fourth attack simulation.
“If the organization is serious and takes the lessons learned from this, it’s going to foster a Blue Team that understands its defensive strategy and is better prepared to face an inevitable attack scenario,” says Hoerner.
How Does the Red Team Attack?
“Red Team” members — the cybersecurity experts who test clients’ defenses — have signed nondisclosure agreements, follow strict chain-of-custody policies and, in Australia, work out of a secure facility. In other DXC locations, the team uses secure devices and best practices to ensure security. It sets up the infrastructure to support the operation and, as with real cyberattacks, conceals the team’s presence and movements through multiple, anonymous command- and-control servers.
The Red Team infiltrates the client’s systems and, once in, sets up persistence, moves laterally to infiltrate the network deeper, locates and captures sensitive information, and collects evidence of compromise for the post-attack debriefing.
As soon as the organization’s Blue Team detects the malicious activity and manages to contain the cyberattack, the attack simulation concludes, and the debriefing is scheduled. The Red Team shares its observations, exposes the weaknesses identified, discloses the information that was accessible, and coaches the Blue Team toward a more efficient and effective incident response plan for future simulations and, indeed, real cyberattacks.
CHRISTINE NEFF is a content editor with DXC’s global content team.