CISO Forum Summary – Best Practices for Red Teaming

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed how these successful security leaders have been able to improve their security programs through the use of red teams.  Here is a summary of their top tips or suggestions on how to select and create better red teaming engagements.

Selecting a Red Team:

Here are some perspectives on how to select a red team.

  • One CISO said his current employer (large health care), outsources pen testing to the big consulting firms which he believes do not have the right people.  He feels small boutiques are the way to go with 20 people or less.  They usually have come out of the industry and are diverse and have specialists.
  • He says to get on the phone and talk to the companies to see what they know, and based on his experience he could decipher the best one to choose.  The key is asking the right questions to determine who the best pen-testing companies are.
  • One leader said he picks a different vendor every year to show the executive board how they compare to their peers.  After 3 years of annual tests, they could anticipate what they were going to find because they kept running into systemic issues that come up mostly with change management and third-party risk.
  • One CISO prefers small pen testing companies over large ones because they usually have a more mapped-out plan for diverse attacks and do not try to sell them services afterward. Also, as soon as the small companies get bought, he usually drops them.
  • Another CISO said he would not use the same red team twice in one year because they would do their attack the same way and he needed a variety of attacks.

Scoping/Contracting a Red Team:

Here are some perspectives on how to scope out and contract a red team engagement.

  • It is critical to define the rules of engagement for a pen test.
  • Have a detailed attack plan that is memorialized, because you can’t have systems going down.
  • Evaluate the company’s modus operandi for each attack vector to monitor whether there is any recourse or downtime as a result of their activities. That way you will know what they are doing if something goes wrong – then it’s on them.
  • The scoping exercise is the most critical step, and figuring out where each vendor’s strengths and weaknesses lie is also very critical.
  • One CISO said the philosophy at his company was to sit down and see what was important to test that they had not looked at before. They would target where the business is trying to grow because this is where the investments are in the business. They figured that where it is new, that is what they would target for pen testing.
  • Another CISO says he does pen testing every 2 years, uses both small and large third-party vendors to keep things diverse, and tries to focus on key business risk areas.

Why you SHOULD NOT do Red Teaming:

  • One leader explicitly forbade red teaming and hunting internally.  Here’s why:
    • Not allowed because it was a luxury they could not afford from a resource perspective.
    • His team focused on automation containment in SOAR.
    • They don’t go hunting for needles in the haystack.  Instead, they automate finding the needles they know they need to find.
    • However, they did conduct annual pen-testing.
  • Another leader said they are going with attack surface profiling and attack surface management instead of red teaming.
    • They wanted real-time visibility of the internet-facing business surface to see where there might be vulnerabilities based on the attack tools that everyone uses.
    • Red teaming is “sexy” but has very low ROI.
    • He feels you do not need to spend money on an internal pen-testing team, and most external teams are just a compliance check box.
    • He says the only area where red teaming adds value is application pen-testing.

Why you SHOULD use Red Teaming:

  • To prove to customers that they are serious about security: having a third-party pen test is collateral that they can wave at prospective clients to reduce sales friction around being a secure company.
  • Red-Teaming is proactive instead of reactive.
  • Pen-testing forces groups to be more diligent in administration, policies, procedures, coding, clean-up, and maintenance.

Simulation instead of Red Teaming?

  • One recommendation is to start moving away from traditional pen testing and red teaming, and get involved in cyber test ranges and attack modeling and simulation (e.g. SafeBreach, Verodin, AttackIQ, Cymulate, etc.), so you can remain prepared.  Although simulation is not as good as pen-testing, it is getting close.  The industry needs to support these vendors to help mature the attack modeling and simulation space.

Different Approaches:

  • One CISO is using O365 hunting to show that he is continuously pen-testing and continuously mitigating attacks.
  • Consider using indicative compromise, which is a pen test that checks the pen tester’s ability to get through indicators of compromise.
  • Another CISO said he leveraged red teaming on accounts payable to justify red teaming tactics. They would work with him and do both a social/cyber-attack with the red team and identify risks. The rule of thumb with this tactic is that no one could get in trouble because this was a tool for training. Through this tactic, he was able to avoid ROI issues while still spending 2 million on red teaming.

In Summary:

Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to improve your red teaming activities.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University.