Are Red Team exercises close enough to reality?

A red team is a team of highly skilled professionals with extended and varied skills (think “Mission: Impossible”) acting as the opponents, challenging your plans, your controls, your security governance, your people. As a red team, we must think and behave as the “bad guys”. The goal is to emulate the critical thinking of your “official” security teams. To achieve that, we challenge all the false assumptions that make you vulnerable. We spot all the weaknesses and find creative ways to exploit the slightest vulnerability, as any skilled attacker would. (Luckily, they are not all that good.)

The question that came to me while discussing a red team exercise with a customer was this one: Are red team exercises close enough to reality?

For sure, we are not as real as the criminal organization targeting you. We could be, as we have the skills, but we have something that makes a huge difference: ethics and rules. A red team has boundaries. Even if we take it to the most realistic level, a red team exercise will never lead us to threaten someone’s family or their life, or even to kill someone. We won’t blow up a building to cover our tracks. We won’t release the ultimate virus to wipe all data. Unfortunately, criminals don’t have such boundaries.

Our client told me that the red team was not supposed to use information that would have been provided in confidence. While red team exercises are often “black hat” exercises (meaning we start with just a little information on the target), it is never impossible that attackers have inside knowledge of your organization. Seriously, in real life, there are no rules. If there is enough return on investment, criminal organizations will spend a lot of money, time and means to get your crown jewels. They will use any technique: blackmail, kidnapping, bribery, infiltration. The colleague next to you could be working for a criminal organization, posing as a good guy, even as a security specialist. How would you know?

The latest incidents reported in the press involving banks or the SWIFT network mentioned takes in the tens of millions: 21, 80 or even 120 million euros of booty for these heists. Quite a motivation, isn’t it? How much would you be ready to invest to get such a reward?

Cybercrime generates approximately a trillion USD every year. 1,000 billion! Law enforcement agencies and security firms around the world report that groups of hackers and criminals are now working together to reach bigger targets with higher stakes. Imagine that an organization that gets 1/1,000 of the worldwide revenue might have 1 billion USD for its operations. That’s a lot of cash. People get killed for less.

So, no, our red team exercises are not as real as they could be, but they are likely close enough to achieve their primary goal: challenging your team and organization to make them better. Red team exercises won’t provide assurance, nor will they cover all your weaknesses, but they will for sure stimulate your teams to achieve their best.