Detecting security gaps in order to be able to close them afterwards – that is the goal of the so-called Red Team at TÜV TRUST IT GmbH, TÜV AUSTRIA Group. André Zingsheim is head of the “Technical Security” department and has already been working for the company for ten years. He reveals which methods and goals are used to perform a Red Teaming attack and what he particularly likes about this job.
Mr Zingsheim, you are Head of Technical Security at TÜV TRUST IT. What exactly are your tasks and responsibilities?
In addition to the conventional IT security consulting, the optimisation of the security concept, including network security, is a priority. And here we proceed in parallel offensively and defensively. On the offensive side, we conduct penetration tests or red teaming assessments, for example. The defensive side involves working on the resilience of corporate networks against cyber attacks.
You mention Red Teaming. What exactly do you mean by this?
This involves simulated cyber attacks by our Red Team, which tries to penetrate a system and achieve a predefined goal here. For example, a supplier in the automotive industry wants to know if and how it is possible to penetrate one of its plants and endanger production there. That is then exactly our goal and we try to proceed as realistically as possible. That means we do what real attackers would do to penetrate the company. Of course, there are ethical limits. Among other things, no one may – to put it exaggeratedly – be coerced at gunpoint into handing over access data. And even business partners must not be attacked randomly, although attackers would do so. And of course we do not aim to cause real damage. But a residual risk always remains here. After all, the attack should and must be as realistic as possible.
Which methods do you use to reach the defined goal?
All methods that would also be available to real attackers. The most efficient is still classic phishing. Another possibility is to smuggle our own hardware into the company or to specifically search for vulnerabilities that may also be located outside, for example an externally hosted supplier portal. An overall goal of this extensive approach is to coach the company’s security analysts, the so-called Blue Team, which is supposed to detect and defend against attacks. Accordingly, only a small circle of people at the customer’s site knows about the situation in advance, usually the management and the CISO, but not the Blue Team. So the security analysts can and must react to us as they would to a real attacker.
Assuming the Red Team is successful, what happens afterwards?
Regardless of how successful the simulated attack was, the assessment is then reviewed together with the Blue Team. We explain our approach, which weaknesses we were able to exploit, what went well and what did not. And in the next step, the Red and Blue Teams together identify measures that have resulted from the evaluation. Ideally, these are then also implemented. Of course, this cannot be done in one afternoon. Such a Red Teaming project usually runs for six to twelve months.
And is therefore quite extensive and requires a lot of commitment on both sides. What do you like most about this job?
The diverse work and the contact with the customer. Our work is very practice-oriented and we experience constant change in terms of technology and methods. The attackers are constantly evolving and we have to keep up. This requires a good portion of curiosity and the will to constantly educate oneself and also to convey this current knowledge to the customer. In the course of this project, we are in constant exchange for months. That’s why good communication skills are just as important here as general IT know-how and specialised expertise. I am very happy when I can pass on newly acquired knowledge to our customers and thus contribute something to cyber security in the company. One thing is for sure: It never gets boring.
Thank you very much for the interview, Mr Zingsheim!