Many mistakenly assume that a complicated network means attackers will struggle to get up to speed on how to target an internal system. For example, a bank with a capital markets division may think that its complex networks make it too hard for a cyber criminal to steal trading algorithms or access trade data.

“Red teaming challenges these assumptions on how well protected a network is. It also tests if the security controls that are in place are configured and operating correctly as well as whether the monitoring teams are effective,” says Thompson.

Red teaming, which typically takes one to three months depending on the complexity of the objectives, simulates an advanced adversary and validates whether the key elements of the network are working correctly. The team starts by evaluating the threat actor groups that typically target the industry and are interested in a particular subset of data or in disrupting service. Next, the team confirms that it can detect the least sophisticated of the threat actors likely to be targeting the company.

This happens by simulating a threat actor at several levels of sophistication to gauge how mature the organisation's defences are and how effective its controls are. The results of these simulations show where the team needs to focus remediation efforts and help it proactively identify gaps, such as a portion of devices on the network that are not sending telemetry at all.

Thompson says that his team commonly sees miscommunication between MDR (managed detection and response) vendors and the internal blue team. A realistic end-to-end attack can show that a team did not hand off an alert properly, or that event logs were not configured to be ingested correctly. He finds that proactively identifying the gaps revealed in a simulated attack can prevent such weaknesses from leading to serious real-world issues in the event of a compromised network.
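The two gaps just described, devices that send no telemetry and event logs that never reach the SIEM, are things a blue team can check for before a red team finds them. The script below is an added example, not code from the original article or from Thompson's team: it assumes a hypothetical asset inventory, a constructed set of ingested log lines in a simple "timestamp host channel event-id message" layout, and a 24-hour silence threshold, all of which are illustrative choices rather than anything the article specifies. It reports hosts that have never logged, hosts whose last event is older than the threshold, and hosts that are logging but are missing from the inventory.

```python
"""Telemetry-coverage check: which inventoried hosts are not reaching the SIEM?"""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (hypothetical hostnames, not from any real network).
INVENTORY = {"ws-01", "ws-02", "srv-web-01", "srv-db-01", "dc-01"}

# Constructed sample of ingested log lines in the layout
# "<ISO-8601 UTC timestamp> <host> <channel> <event id> <message>".
SAMPLE_LOG_LINES = [
    "2024-08-01T08:55:10Z ws-01 Security 4624 An account was successfully logged on",
    "2024-08-01T09:02:41Z srv-web-01 Security 4625 An account failed to log on",
    "2024-07-30T17:10:00Z srv-db-01 Security 4672 Special privileges assigned to new logon",
    "2024-08-01T09:05:00Z ws-02 Sysmon 1 Process Create",
    "2024-08-01T09:06:12Z lab-box-7 Sysmon 3 Network connection detected",
    "not a well-formed line",
]


def parse_line(line):
    """Return (host, timestamp) for a well-formed line, or None for anything else."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # malformed timestamps are skipped rather than crashing the report
    return parts[1], ts


def last_seen_per_host(lines):
    """Map each host that appears in the log sample to its most recent event time."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def find_telemetry_gaps(inventory, lines, now, max_silence):
    """Classify coverage problems relative to the inventory.

    silent  - inventoried hosts with no events at all
    stale   - inventoried hosts whose last event is older than max_silence
              (reported with the age of that event in hours)
    unknown - hosts that are logging but are not in the inventory
    """
    seen = last_seen_per_host(lines)
    silent = sorted(h for h in inventory if h not in seen)
    stale = sorted(
        (h, round((now - seen[h]).total_seconds() / 3600, 1))
        for h in inventory
        if h in seen and now - seen[h] > max_silence
    )
    unknown = sorted(h for h in seen if h not in inventory)
    return {"silent": silent, "stale": stale, "unknown": unknown}


def demo_report():
    """Run the check over the constructed sample at a fixed 'now' with a 24h threshold."""
    now = datetime(2024, 8, 1, 9, 10, tzinfo=timezone.utc)
    return find_telemetry_gaps(INVENTORY, SAMPLE_LOG_LINES, now, timedelta(hours=24))


if __name__ == "__main__":
    for kind, hosts in demo_report().items():
        print(f"{kind}: {hosts}")
```

In this sample, dc-01 has never reported, srv-db-01 last logged 40 hours ago, and lab-box-7 is an unknown source worth tracing back to its owner. The three buckets map to different remediation owners: "silent" and "stale" usually mean a broken agent or forwarder, while "unknown" means the inventory the blue team is defending does not match what is actually on the network.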

“Over time, red teaming works to mature your ability to detect and respond to more and more sophisticated threat actors as you mature your internal security program,” says Thompson. “The goal is to ultimately reduce the time it takes to spot and evict an attacker that successfully gains a foothold in your network, for example, by spear phishing or compromising an externally exposed service.”