With increasing digitalisation in companies, technical IT security checks are no longer a niche activity but part of everyday operations. They are usually carried out as classic penetration tests, in which selected systems and networks are examined for weak points. However, a company's IT security depends on more than that, for example on how employees behave when handling information and data.
In addition to targeted penetration tests, comprehensive Red Teaming Assessments should therefore be carried out, especially in medium-sized and larger companies. A Red Teaming Assessment is a simulated cyber attack against a company's infrastructure that tests its resilience and defence mechanisms against professional attackers. The attackers (the Red Team) attempt to gain access to company information and data using all available and ethically justifiable means.
TÜV TRUST IT has put together 10 success factors for Red Teaming Assessments:
1. Management commitment
In a Red Teaming Assessment, only a very small circle of people is informed about the project (e.g. the management board, CIO, data protection officer, works council). It should be ensured that all relevant decision-makers stand behind the project, while no other employees are informed about it, since the assessment only yields meaningful results if the organisation reacts as it would to a real attack.
2. Trust in the Service Provider
As in any project carried out with external support, trust in the service provider is of great importance. For Red Teaming Assessments it deserves particular emphasis, because the service provider acting as the "Red Team" generally operates with a great deal of freedom. Before the project starts, the limits of the attack attempts and the goals are agreed. Nevertheless, the choice of individual measures ultimately lies with the Red Team, so that the assessment yields as much insight as possible.
3. Know-how and versatility of the Service Provider
A Red Teaming Assessment is a very comprehensive project that uses a wide variety of methods and attack scenarios. This demands considerable expertise, versatility, experience and tact from the service provider.
4. Operate flexibly and with agility
Red Teaming Assessments are carried out dynamically and flexibly; there is no fixed schedule. If, for example, details of new vulnerabilities affecting the company become known during the engagement, the Red Team can exploit the temporarily enlarged attack surface, just as a real attacker would.
5. Use all Red Teaming instruments
To obtain the most accurate picture of the security situation, as many Red Teaming techniques as possible should be used; real attackers act the same way. Social engineering attacks are an extremely important component here, but they must be employed with sensitivity and consideration for the employees involved.
6. Constraints on production systems
In contrast to traditional penetration tests, Red Teaming Assessments are not confined to regular business hours but also take place at weekends and at night, in order to remain undetected for as long as possible. Likewise, it is not only test systems that are attacked, but above all production systems. Production systems should not be endangered where this can be avoided. However, a residual risk of system-related disruption remains, so the client should take precautions (for example, ensuring current backups and informing the small circle of insiders how to reach the Red Team in an emergency).
7. Use unknown auditors for social engineering measures
Classic penetration tests are usually carried out several times a year, often with different service providers. Particularly for social engineering activities within a Red Teaming Assessment, care should be taken to use testers who are unknown to the organisation. This ensures that the tester is not recognised by anyone on site and that the result is not distorted.
8. Effective error culture
Red Teaming Assessments are carried out to uncover security gaps. It must therefore be made clear that the company is not looking for a "scapegoat" for the deficits identified, but intends to deal with the weak points constructively.
9. Determine the rules of the game
What is allowed? Which systems and applications are out of scope? Even though the company as a whole is always the focus of the assessment, there are cases in which individual systems and applications should be excluded from the engagement. These "rules of the game" and the specific goals must be clearly defined at the outset.
10. Lessons Learned & Coaching
All knowledge about security gaps gained during the Red Teaming Assessment should feed into a downstream Lessons Learned phase. Detailed documentation and reproduction of the individual attack steps enable the tested company to close its gaps effectively and sustainably.
Red Teaming Assessments extend over a longer project period and represent a considerable investment for companies. However, the project experience of TÜV TRUST IT shows that if the ten success factors above are taken into account, a sustainable and measurable increase in the level of security can be achieved that goes far beyond the improvement of purely technical security measures and also pays off noticeably in business terms.