The Australian Defence Force does it. So does the Australian Tax Office and the Department of Human Services. And now, red teaming has spread to the corporate world with CIOs and CISOs increasingly turning to the practice to assess their organisations’ cyber resiliency.
Red teaming exercises, first used by the military to test defence readiness against active threats, are simulated, targeted cyber-attacks carried out by a specialist red team that mimics the tactics, techniques and procedures (TTPs) of real threat actors.
Whether the threat actor being emulated is a nation state, criminal group or hacktivist, the red team executes a full simulated cyber-attack while an opposing team – the blue team, typically the organisation’s own defenders – detects and responds to it. The exercise lets the organisation see how it would actually respond, test its defences and assess its capabilities without the risk and collateral damage of a real cyber-attack.
A little over two years ago, organisations worldwide received a sobering wake-up call. In May and June 2017, the WannaCry and NotPetya attacks cut a path of indiscriminate destruction across the globe. These, and other cyber-attacks since, not only caused catastrophic business interruption to numerous organisations, from hospitals to financial institutions, but also showed that manufacturers, once perceived as low risk, are now a prime target for cybercriminals.
One reason is that while data-rich industries such as financial services and retail have been hardening their security posture, many manufacturers still run legacy manufacturing systems and industrial operational technology (OT) devices that were designed for productivity and safety rather than security – making their facilities enticing targets.
The nature of these operational environments also makes the devices inherently harder to upgrade and patch, because taking them offline disrupts production lines. As a result, known vulnerabilities often remain exposed for far longer than they would in a typical IT environment, widening the window in which attackers can compromise them.
Another reason is that the motives of threat actors are now more complex, ranging from money to competitive advantage to strategic disruption. Cybercriminals, for example, are gaining access to networks and hiding inside them to spy and steal intellectual property (IP), costing manufacturers years of research and competitive advantage.
Proprietary information (29%) ranked second among the types of data targeted by cybercriminals in the manufacturing industry, the 2019 Trustwave Global Security Report found, behind financial and user credentials (43%).
In the rapidly evolving cyber landscape, red teaming can help manufacturers lessen their cybersecurity risks in a number of ways.
Showing how things could go wrong before they go wrong
The red team’s objective is to demonstrate how bad things could get if a real threat actor succeeded. Could attackers deploy malware that halts a manufacturer’s production line? Could they steal trade secrets from a digital vault? Could they cripple the business and disrupt product workflow and the supply chain?
Red team exercises show an organisation whether it is vulnerable to these scenarios without causing the damage that would come with them. Just as importantly, they let security teams react to what looks like a live attack, giving them experience of handling a real one.
Understanding resilience against a specific threat
Red team exercises simulate the specific attacks a manufacturer is most concerned about, to show how resilient it is against a particular attack path or threat actor group. Repeated over time, these simulations allow the organisation to baseline the effectiveness of its controls and measure improvement or decline.
Manufacturers need their operations to run like clockwork. Running a simulation that explores the many ways a production line could be stopped unexpectedly is therefore a valuable way to assess how ready the organisation is to prevent, detect and respond to those specific threats.
Identifying security gaps beyond technology
People generally perceive cybersecurity as a technology problem. It is not only that; cybersecurity is also a people and process problem.
People need the knowledge to avoid becoming a victim, and processes need to be in place so that people know what to do to avoid or limit the impact of a cyber-attack. People, process and technology are intertwined, and weakness in any one of them can leave an organisation exposed.
Red teaming therefore also simulates attacks against people. The exercises test whether employees can be tricked into opening malicious files, tricked into handing over information they should not share, or whether the way they work can be abused to achieve the attacker’s larger objective.
Red teaming helps guide decision-making
Cybersecurity is a large part of risk management. Cybersecurity risks can be complicated and often call for complex solutions. With a finite budget and limited resources, red teaming helps identify where to prioritise and focus efforts to protect the organisation.
Red teaming supports an organisation’s decision-making by showing how it is actually exposed, where critical controls fail, and whether there are significant, actionable threats against the production line.
The results of the exercise can then be used to guide where the organisation should prioritise its efforts to improve its resilience to cyber-attacks.
Kevin Tran is Director, SpiderLabs at Trustwave APJ.