The Impact of Red Team Drills on Your Information Security Program

Practice doesn’t make perfect it… it makes us better at something. If we’re not hardening our craft and finding our weaknesses we’re doomed to fail. This is why athletes put in time at the gym, review old game film and focus on opponents’ tendencies. It should be no different when it comes to information security.

As information security professionals, we need to take the time to practice drills regarding our dreaded security breach scenarios. We need to understand our vulnerabilities and security weaknesses before they’re exploited. It’s much better that we find the soft spots first, instead of an attacker doing so for us.

This is why “red team” drills are so valuable to an organization trying to protect their assets. Many people in information security are very interested in “pushing buttons” and leave the soft skills out. Without running red team drills, you’ll never know if your technology is working. These are the tests that put the rubber to the road and many times prove that there’s quite a bit of improvement to be worked on. Here are a few examples of red team drills that might be of interest.

• Test Your Systems
  Many companies overlook, or at least water down, the dire need of penetration tests. Having a skilled white hat in your network showing you what an attacker can do is like giving you a crystal ball. These people are invaluable to your security posture. If you’re large enough to have a full time pen tester or if you’re hiring them when needed, they will show you things that make your jaw drop. All the confidence of the work you’ve done securing your network will quickly go out the window. Make sure you do your homework when hiring someone to attack your network. They will essentially have all your dirty laundry and you wouldn’t want that information in the hands of an inexperienced pen tester.

• Attack Your Users
  The largest point of weakness in any company is the people that work for them. These people need to be educated, of course, but how do you know if all the hours spent with security education was absorbed? We test of course and this happens to be my favorite part. Creating phishing emails to see if the users will click on them is a good test. USB/CD media drops around the building with beaconing software helps determine if they’re following instructions about not putting random media in their workstations is another. But the best type of test is when you can actually speak with end users. Calling into call centers, or getting the name of someone off social media that works in the finance team is always a good bet. Here you can determine firsthand if they’re following procedures and give you better insight into further education training that is needed. Impersonating what an attacker would do and how the users respond to these types of attacks is great data to have in your metrics and toolkit. This is a must that is often overlooked – educate your users test them too.

• Live Your Nightmare
  Picture the worst thing that could happen to you as an information security professional. Maybe you wake up one morning and hear that all of your customer data has been exposed. You’ve been owned, now what. We’ll if this wasn’t already thought of, you’re starting at ground zero in the worst possible case. If you have procedures in place to stabilize the destruction, you might still be able to weather this storm. Creating a list of incidents, both internal and external, to your network will give you a starting point of where to start breaking out your scenarios. After you have your top nightmarish issues, bring people from all over the business and discuss what they would do? For an example, if customer data was found on a website based in a foreign country, what would marketing do? How are they going to handle Twitter responses to your site? What will customer support say when angry customers call up asking about their data? How will the internal investigation occur within IT? Who will lead this effort? So on and so forth. Without having these ideas and scenarios worked out already you’re going to be in a lot more trouble than you might think.

What it comes down to is that if we put up just a little more time in the back-end, we can both educate our staff and prepare ourselves on how to handle real world incidents. It’s better to have these incidents lived and created by your own hand, than by someone looking to hurt you.