The concept of red teaming has been in existence since the early 1960s. It was used heavily in national defense before it was adopted in the field of cybersecurity. The question is, does it still make sense to use red teaming when purple teaming and other advanced penetration testing solutions are already available?
New cybersecurity platforms integrate red and blue team perspectives along with a host of other tools and approaches. However, many continue to point out the importance of red teaming. It is even cited as one of the proactive solutions CISOs can use to address new threats that emerge with the advent of quantum computing.
Red teaming remains relevant
Red teaming is the authorized simulation of a cyber attack, usually conducted without advance notice to the defenders whose security posture is being tested (leadership sanctions the exercise; the blue team is kept in the dark). It aims to emulate real-world attack scenarios in which the organization has no time to prepare or bolster defenses in anticipation of an attack, so the security posture being tested is the same one an actual attack would meet.
Red teaming is an important technique for identifying weaknesses in an organization’s defenses and improving its overall security posture. As mentioned, it is a proactive cybersecurity measure: it tests the actual state of an organization’s cyber defenses to provide the insights needed for improvement.
No CISO or cybersecurity expert worth their salt would regard red teaming as unimportant, obsolete, or irrelevant. However, it is important to put this in context. Red teaming remains relevant because it has evolved with the times.
Conventional manual red teaming still has its place for deep, adversary-specific engagements, but it is costly, slow and hard to repeat, and because it is a point-in-time exercise its findings go stale as the environment changes. The form in which red teaming stays relevant day to day is its advanced form: continuous automated red teaming (CART).
Why continuity and automation are crucial
CART typically consists of these main steps: attack surface analysis or reconnaissance, launching the attack simulation, vulnerability discovery, gaining an initial foothold, and lateral movement. Other engagements add steps such as privilege escalation, persistence and data exfiltration, depending on the objectives agreed with the organization. The entire process, undertaken conventionally, can cost in the range of $10,000 to $85,000. A full red teaming exercise may be completed within a day or take a few months, depending on the complexity of the security posture of the organization being tested.
Not many organizations have deep pockets to cover these costs, especially if the process must be repeated continuously. In modern cybersecurity it is not enough to conduct security tests periodically, even frequently. CART needs to be a continuous process because the IT assets and security systems of organizations keep changing and the methods used by threat actors evolve rapidly. The cyber defenses that work now may no longer be as effective after a few days, weeks, or months: a host rebuilt without its hardening baseline, a disabled detection rule or a newly exposed service can open an attack path that last month’s test could not have seen. It is important to verify continuously that security controls still work as intended, leaving no such opportunity for threat actors.
This emphasis on continuous testing is in line with the rationale behind the OWASP Continuous Penetration Testing Framework, which acknowledges that “the landscape of web application security is ever-changing and evolving.” Everything changes, from an organization’s information security and application security to the attack methods and tactics used by cybercriminals. It would be unwise to assume that security tools and mechanisms will remain effective indefinitely or that threat actors’ attacks will stay the same. Hence, it is advisable to evaluate all security systems continuously to ensure dependable cyber protection at all times.
When it comes to the need for automation, manual red teaming is not cheap. The overwhelming majority of organizations cannot sustain penetration testing done manually and continuously. This is where automation comes in. Many aspects of red teaming, particularly reconnaissance, repeatable attack techniques and reporting, can be automated to reduce human involvement and enable continuous testing. Automation also removes the inconsistency of manual runs: the same test executes the same way every time, so a change in outcome points to a change in the environment rather than in the tester. The caveat is that an automated test only covers what it has been coded to do; novel attack paths still need human creativity. As such, tests can be conducted continuously while drastically reducing testing costs and without the quality of each run degrading.
Not an all-in-one solution
It is important to bear in mind that automated red teaming is not a miracle cybersecurity solution. It does not resolve all cybersecurity problems or provide comprehensive protection on its own. It is a method to test whether security controls actually hold up against emulated attacks and to provide insights on how to improve defenses.
Continuous automated red teaming is rarely a standalone solution. It is usually part of a broader security validation platform that includes a number of other tools and, in particular, maps each test to the MITRE ATT&CK knowledge base so that a finding is expressed as a named adversary technique the defenders can detect or block. CART helps blue teams focus their efforts on the vulnerabilities and threat exposures that are most urgent and most likely to be exploited.
Automated red teaming is only one part of an organization’s wider security posture management effort, and a clean run is evidence that the tested controls work, not proof that the organization is secure; it says nothing about attack paths the test suite does not cover. Within that limit, red teaming reliably reveals security weaknesses and provides actionable insight on how to address them. Organizations that respond appropriately to the findings of continuous automated red teaming close the loopholes and weaknesses it surfaces, including the ones that let threat actors bypass or disable security controls.
Keeping up with the times
There may be questions about red teaming’s applicability in the modern cybersecurity landscape because of the rise of more advanced cybersecurity technologies and security validation tools. Red teaming, after all, is an old concept, dating back to the same era as the Civil Rights Movement.
However, the fact that many security firms continue to offer red teaming services to this day shows that red teaming remains relevant. The difference is that modern red teaming is tied to continuous security testing: it helps ensure the integrity of enterprise cyber defenses at all times, denying threat actors the chance to exploit weaknesses that appear when an organization’s security systems or IT assets change. Modern red teaming is also automated to address the limitations of manual security validation, especially in view of the ongoing cybersecurity skills shortage.