By: Bryan Peace
May 8, 2023
How to Build a Red Team
Your team is well staffed and knowledgeable in its defensive security posture, but it still seems like you’re constantly under attack. You trust your team’s instincts, but they’re spending so much time reviewing alerts, triaging, and responding to incidents that they’re often a step behind adversaries. You find yourself wondering how your organization could be more strategic and proactive to prevent attacks before they even happen.
If this sounds like you, then you should take a serious look into building a Red Team. Red Teams implement a proactive, programmatic approach to understanding how attackers could penetrate your environment, so that the organization can use those insights to improve its defenses. So how do you build a Red Team? Read on to learn more…
Understand What a Red Team Truly Is
Before you dive head first into building a Red Team, you need a firm understanding of what it is, what it isn’t, and how it works within the context of other cybersecurity functions. A good first step is distinguishing between the Red Team and the Blue Team.
Essentially all cybersecurity teams have a Blue Team function, even if they don’t call it that. The Blue Team performs the fundamental defensive security tasks: hardening the organization’s systems, reducing the likelihood of a breach, and containing the damage when one happens. Day to day, its focus is monitoring security events and remediating confirmed security incidents. While a Blue Team works to prevent incidents and breaches, much of its work is triggered by something an attacker has already done, so it is typically the more reactive function.
The Red Team takes a more proactive approach. In contrast to defensive security, Red Teams perform “offensive security”: they assume the mindset of real-world adversaries and execute known adversary tactics, techniques, and procedures (TTPs) against the organization. Rather than checking one system at a time, they pursue realistic objectives (reaching a sensitive data store, gaining domain administrator, disrupting a business process) across multiple attack vectors over a longer time frame, while trying to avoid detection. Their goal is to methodically identify gaps in the organization’s prevention, detection, and response so they can recommend concrete improvements for the Blue Team to implement.
If you’re thinking, “great, our compliance auditors check our systems regularly, we’re all set!” then think again. An audit confirms that controls exist and match a checklist; a Red Team tests whether those controls actually stop, detect, or slow a determined attacker. Red Teaming is a programmatic and strategic function that goes beyond one-off penetration tests and other tactical, narrowly scoped assessments. It also requires a more substantial investment in time and resources, so be ready to commit for the long haul if you want to see the benefits to your enterprise.
Validate the Need and Assess Your Readiness
A Red Team will benefit almost any cybersecurity organization. That said, it's more beneficial (and feasible) for some organizations than others. Before committing to rolling out an offensive security function, take a step back to consider your organization’s need for a Red Team.
A high volume of security events, incidents, and breaches indicates your organization could benefit significantly. If you’re constantly under attack, then getting a step ahead of your attackers with a Red Team will help inform specific improvements to your security posture, and those improvements can reduce both the frequency and the severity of future incidents and breaches. To understand what “high volume” means for you, compare your organization’s data against industry benchmarks.
Some types of companies and industries come under attack more frequently than others. Banking and financial services institutions are prime targets for cyber criminals for obvious reasons: that’s where the money is. Larger organizations in industries like energy and utilities are often targeted by state-sponsored threat actor campaigns as a way to disrupt critical infrastructure. Fast-growing and high profile tech companies with large quantities of sensitive customer data may also come under attack. These are just a few types of companies that could experience attacks often enough to justify a serious look at building a Red Team.
Even if you have the need for an offensive security function, your organization may not be ready. If you’ve just experienced a breach, the need is obvious, but the immediate focus should be on containment and recovery. Before rolling out a Red Team, ensure your defensive security fundamentals are strong. Your Blue Team should be adequately staffed, with SOC processes and playbooks in place, continuous monitoring of events and alerts, and analysts who are prepared to triage and respond to incidents appropriately. A Red Team measures how well these functions hold up under a realistic attack; if there is no baseline detection and response capability to measure, the engagement will surface plenty of findings but little that the Blue Team can act on. Once you have a solid defensive security posture, building a Red Team is a natural next step to test it.
If you’re not sure whether your organization is ready yet, consider giving your team assessments that evaluate defensive skills to confirm whether you have the right prerequisites for a Red Team, or whether you need to strengthen your Blue Team first.
Get Buy-In and Alignment
Getting support from leadership stakeholders is essential when implementing a complex strategic program that requires long-term commitment, as a Red Team does. This means you’ll need to adopt a sales mindset to succeed. To get the program prioritized and secure the budget to fund it, you may need to develop a business case that outlines its benefits to the organization.
Think about how the Red Team can support overarching business objectives. In most cases, this comes down to cost, risk reduction, and decreasing the financial and legal liabilities the organization would face from a potential breach. You can also frame it more positively: the security enhancements that the Red Team’s findings produce harden IT systems, reduce disruptive incidents, and support productivity and growth. Just make sure your business case states the benefits succinctly and connects them to your organization’s key goals.
Before putting the case in front of your entire leadership group, start by working directly with stakeholders with whom you already have a good rapport. Once you get a couple of folks on board on a 1:1 basis, it’ll be much easier to get cross-functional alignment and buy-in.
Timing is another factor. Make sure you’re getting this in front of leadership before your organization’s budgeting and goal-setting cycles. If you’ve been breached recently, you have a window of opportunity to get a Red Team approved once remediation and recovery are complete, while the costs and repercussions are still top of mind for leadership. Articulating, in a delicate yet assertive manner, the specific weaknesses a Red Team would have uncovered before the breach occurred will strengthen your case.
Build the Team
Actually building your Red Team starts with the decision whether to build internally, with some combination of existing staff and new hires, or to outsource. Before you jump right into developing an internal team, it may make sense to launch a Red Team “pilot” with external consultants. This lets you prove the Red Team’s efficacy with a limited scope and a smaller investment, and serves as a stepping stone toward a fully formed internal Red Team. Just make sure you stay closely engaged during the pilot (scoping, rules of engagement, findings review) so you’re ready to manage the program yourself when the time comes to hire full-time employees.
When building internally, consider in advance how many employees are needed to staff the team. This will vary by organization, so understanding your security posture and company size is pivotal. A range of one to three employees is a good starting point. If you’re starting with just one, you’ll need to recruit a senior practitioner with in-depth offensive security skills. Look for someone with demonstrated experience in a company like yours, who has already performed Red Team engagements in your industry. If you’re building a team of two or more, you might pair a seasoned new hire with a junior or intermediate internal team member. Take a look at your current staff: you probably have strong internal candidates who have excelled in a variety of cybersecurity functions and are eager to build specialized offensive skills.
Some of the most important traits in a good Red Teamer are intellectual curiosity, openness to different ways of thinking, and a commitment to building new skills. As you’re developing your team culture, you want to actively promote the importance of these characteristics by encouraging the team to challenge each other and grow.
Promote Red Team Skills Development
It’s critical to give your team dedicated time to develop their skills, get hands-on experience with offensive security techniques, and learn new tools and processes to maximize your Red Team’s effectiveness. With a robust skills development program, more junior staff can confidently fill intermediate roles, and senior staff will be motivated to learn and implement leading-edge tactics that keep their skills sharp.
Offensive security is a domain that requires familiarity with a broad range of general topics and deep knowledge of complex specialized ones. You’ll need to commit to a thorough curriculum covering the key components of Red Team exercises and operations. This includes in-depth coverage of attack chain concepts, adversary emulation plans, Blue Team collaboration, open source intelligence, reconnaissance, target acquisition, physical and social attack techniques, breach operation and execution, and post-exploitation actions.
Mission-ready skills development also requires sufficient exposure to labs that offer hands-on experience with these techniques. You also need to ensure the team understands how to navigate the thorny ethical and legal issues that come with assuming the mindset and capabilities of an attacker: every engagement needs written authorization, agreed rules of engagement, and a clear scope, and the team must know where the line is between emulating an adversary and causing real harm.
At Cybrary, we’re helping organizations build successful Red Team programs with in-depth Red Team training content covering the full spectrum of offensive security skills just mentioned. Our Red Team Exercises and Operations (RTXO) series is a flagship set of courses within our new Cybrary Select advanced content program. Exclusively available to Cybrary for Teams accounts, this series starts with Red Team fundamentals and then pivots to much deeper technical skills. It will prepare your team to thoroughly plan an operation, breach the target, build advanced skills for more complex missions, and collaborate with internal stakeholders for optimal outcomes. It also includes critical content on Red Team leadership, so you can effectively coordinate between teams and scope the scale and overarching objectives of each engagement.
With Cybrary Select, your staff can confidently fill Red Team roles and position your organization for success. If you’re an existing Cybrary for Teams customer, check out the RTXO series overview to review the curriculum. If you’re interested in learning how Cybrary for Teams and Cybrary Select can upskill your staff so you’re prepared to respond to, remediate, and recover from breaches, request a demo today.