August 16, 2023 By Evan Anderson 4 min read

It is not a matter of if an organization will be compromised, but when. An adept, well-resourced and experienced attacker could very well be your worst cyberthreat nightmare. Fortunately, if your organization engages a red team, an ethical hacker could also be your best friend. 

Conducting red team testing is the most realistic way to validate your defenses, find vulnerabilities and improve your organization’s cybersecurity posture. A red team engagement gives your blue team a chance to more accurately assess your security program’s effectiveness and make improvements. It’s also how more organizations bring a resilience-first mindset into their cybersecurity posture.  

Find out about the benefits of red teaming, the differences between red and blue teams and what a purple team is in my previous blog post, “Red teaming 101: What is red teaming?” 

Why red teams are important in cybersecurity 

As part of security testing, red teams are security professionals who play the “bad guys” to test the organization’s defenses against blue team defenders.  

Every bit as skilled as real threat actors, red teams probe an attack surface for ways to gain access, get a foothold, move laterally and exfiltrate data. This approach contrasts with the methodology behind penetration testing (or pen testing), where the focus is on finding sensitive information or exploitable security vulnerabilities and on testing whether cybersecurity defenses and security controls hold up against an attempt to gain access.  

Unlike cybercriminals, red teamers do not intend to cause actual damage. Instead, their goal is to expose gaps in cybersecurity defenses, helping security teams learn and adjust their program before an actual attack happens.  

How red teaming builds resilience  

A famous quote states: “In theory, theory and practice are the same. In practice, they are not.” The best way to learn how to prevent and recover from cyberattacks is to practice by conducting red team activities. Otherwise, without proof of which security tactics are working, resources can easily be wasted on ineffective technologies and programs. 

It’s hard to tell what really works, what doesn’t, where you need to make additional investments and which investments weren’t worth it until you have the opportunity to engage with an adversary who is trying to beat you. 

During red team exercises, organizations pit their security controls, defenses, practices and internal stakeholders against a dedicated adversary that mounts an attack simulation. This is the real value of red team assessments. They give security leaders a true-to-life appraisal of their organization’s cybersecurity and insight into how hackers might exploit different security vulnerabilities. After all, you don’t get to ask a nation-state attacker what you missed or what they did that worked really well, so it’s hard for you to get the feedback you need to actually assess the program. 

Moreover, every red team operation creates an opportunity for measurement and improvement. It’s possible to gain a high-level picture of whether an investment—such as security tools, testers or awareness training—is helping in the mitigation of various security threats.  

Red team members also help companies evolve beyond a find-and-fix mentality to a categorical defense mentality. Turning attackers loose on your network security can be scary — but the hackers are already trying every door handle in your security infrastructure. Your best bet is to find the unlocked doors before they do.  

When to engage a red team  

It’s said that there are only two types of companies—those that have been hacked and those that will be hacked. Regrettably, it might not be far from the truth. Every company, no matter its size, can benefit from conducting a red teaming assessment. But for a red team engagement to provide the most benefit, an organization must have two things:  

  • Something to practice (a security program in place)  
  • Someone to practice it with (defenders)  

The best time for your organization to engage red team services is when you want to answer program-level questions. For example, how far would an attacker who wants to exfiltrate sensitive data get within my network before they trigger an alert?  

Red teaming is also a good option when your security team wants to test their incident response plan or train team members.  

When red teaming alone is not enough 

Red teaming is one of the best ways to test your organization’s security and its ability to withstand a potential attack. So, why don’t more companies opt for it?  

As beneficial as red teaming is, in today’s fast-paced, ever-changing environments, red team engagements can fall short of detecting breaking changes as they happen. A security program is only as effective as the last time it was validated, leading to gaps in visibility and a weakened risk posture.  

Building an internal red team capacity is expensive, and few organizations are able to dedicate the necessary resources. To be truly impactful, a red team needs enough personnel to mimic the persistent and well-resourced threat level of modern cybercrime gangs and nation-state threats. A red team should include dedicated security operations members (or ethical hacking sub-teams) for targeting, research and attack exercises.  

A variety of third-party vendors exist to give organizations the option of contracting red team services. They range from large firms to boutique operators that specialize in particular industries or IT environments. While it is easier to contract red team services than to employ full-time staff, doing so can actually be more expensive, particularly if you do so regularly. As a result, only a small number of organizations use red teaming frequently enough to gain real insight. 

Benefits of continuous automated red teaming (CART) in cybersecurity 

Continuous automated red teaming (CART) uses automation to discover assets, prioritize discoveries and (once authorized) conduct real-world attacks using tools and exploits developed and maintained by industry experts. 

With its focus on automation, CART allows you to focus on interesting and novel testing, freeing your teams from the repetitive and error-prone work that leads to frustration and ultimately burnout. 

CART provides you with the ability to proactively and continually assess your overall security posture at a fraction of the cost. It makes red teaming more accessible and provides you with up-to-the-minute visibility into your defense performance. 


Elevate your cybersecurity resilience with IBM Security Randori  

IBM Security® Randori offers a CART solution called IBM Security Randori Attack Targeted, which helps you clarify your cyber risk by proactively testing and validating your overall security program on an ongoing basis. 

The Total Economic Impact™ of IBM Security Randori study that IBM commissioned Forrester Consulting to conduct in 2023 found 75% labor savings from augmented red team activities. 

The solution’s functionality seamlessly integrates with or without an existing internal red team. Randori Attack Targeted also offers insights into the effectiveness of your defenses, making advanced security accessible even for mid-sized organizations. 


This blog post is part of the “All you need to know about red teaming” series by the IBM Security Randori team.
