Red team vs. blue team exercises are a very effective way to evaluate the security posture of your business. However, red teaming, because of its adversarial approach, carries risks that must be taken into consideration, both for the red team and for the target business.
The world of ethical hacking was shaken in September 2019, when two penetration testers contracted by the State of Iowa were arrested on burglary charges while testing the physical security of a county courthouse. To make matters worse, this misunderstanding took months to resolve; fortunately, the charges were dropped in 2020. The case clearly shows how badly things can go wrong for a red team, or any kind of offensive security professional, during a realistic attack simulation.
However, it is not only red team operators and external ethical hackers who are at risk during security tests. Target systems compromised during testing can be damaged just as they would be during a real cyber attack. Therefore, it is important to keep the following points in mind when performing full red team vs. blue team operations, but also ordinary penetration tests and vulnerability assessments.
1. Agree on detailed rules of engagement with the red team
When outsourcing penetration testers or red teamers, define the scope in as much detail as possible. If there are areas of your security program that you do not want tested yet (perhaps because you already know they are not secure enough), say so explicitly. Remember that a good penetration tester will think of creative ways to bypass your security controls. Unless you rule them out before the test, they may use malware, phishing, social engineering, or defeating physical security controls as part of a realistic attack simulation.
Be especially careful about assets that could be damaged during the test. For example, if part of the red team exercise goes beyond cybersecurity and examines your physical security weaknesses, make it clear that you do not want the team to test whether a glass door can be broken without tripping the alarm, or whether the wires of the alarm system can be cut.
Also, do not assume that such problems do not apply if the red team is internal rather than outsourced. Your own staff may be just as keen to test your security in imaginative ways. Make sure they know exactly what you expect and what is acceptable.
2. Keep everything in writing
Whether your red team exercise is performed by your own employees or by an outside company, make sure both parties are legally protected if something goes wrong. A detailed contract or agreement protects both the penetration testers and you.
For example, if law enforcement becomes involved during the penetration test, your team can avoid a lot of trouble if they can immediately present documents that make it perfectly clear that their actions were requested and are legal. You can also issue an identity or entry card that they can use to prove they have legitimate access to the premises they are entering. Obviously, they will not use this card as part of the test itself; it exists only to prove authorization if they are challenged.
In the case of non-physical testing (for example, network security or web security), giving the testers access to an external IP address that belongs to your business helps a lot. If law enforcement becomes involved (for example, because the Internet provider detects abnormal activity), the testers can show that the IP address from which they launched the attacks belongs to the very business that was being attacked.
3. Know the local law
Laws on penetration testing, for both physical security and information security, can vary greatly between countries or even between states (as in the case of the United States). Professional contractors will be aware of such laws, but your internal security team may not be.
If your red team assessment is entirely internal, make sure your legal department fully informs your penetration testers about the legal risks they may be taking. If your red team exercise is conducted by a contractor, make sure your legal department is involved in the agreement. The reason is simple: it is much easier to prevent problems than to fix them afterwards.
4. Inform potential stakeholders
When conducting a realistic intrusion test, especially one that tests the human factor (for example, the skills of physical security staff), the people directly involved cannot be informed, because that would ruin the test. If security personnel know they are going to be attacked on a given day, they will greatly strengthen their efforts to detect and prevent the attack.
However, keeping people in the dark can have serious consequences. For example, if the intrusion test includes physical security and your business works with an external physical security company, that company's employees may detect and respond to the intrusion attempt, possibly physically harming the penetration testers in the process.
There is no easy solution in such situations. You must decide case by case, finding the right balance between the information that must be shared and the information that must be withheld for the test to remain realistic.
5. Expect something to go wrong
Red teaming and penetration testing are aggressive by nature. Even if team members are perfectly professional and careful, accidents can happen and sensitive information can be put at risk. Therefore, in both cybersecurity and physical security, make sure that you protect the assets involved in the intrusion test. Never start an intrusion test unless you have a complete backup of all affected systems, sensitive data, and configurations. Of course, you should have full backups even without an intrusion test, but during such high-risk activity something is much more likely to go wrong.
In general, when running such realistic offensive exercises, you should expect the worst, just as in the case of a real attack, and in one way it is worse: the attackers are also part of your team, so you are responsible for them too. For example, if your penetration testers try to physically enter your premises, expect law enforcement to catch them and be prepared to respond accordingly. Other consequences you can expect are the temporary unavailability of critical systems or protective measures, so make sure your remediation and incident response capabilities are top notch.
Despite the potential risks, penetration testing and red team exercises are a great way to verify your security, and you should not let these risks discourage you from performing them.