Importance of Red Teaming


Why Red Teaming is a Must-Have Weapon Against Cyber-Threats

 

Core Concepts (TL;DR)

  1. Red Teaming is an essential security control that is not limited to larger firms with bigger budgets or bigger problems to solve.
  2. Red Teaming is effective and often appropriate even at early stages of your cybersecurity journey.
  3. Pentesting allows organizations to assess the effectiveness of their security controls (trust but verify).  Continuous pentesting services, like what we offer at Legion Cyberworks, ensure that your controls are tested frequently.
  4. Red teaming can prove value to your leadership and justify expenditures in cybersecurity tools, services, staff, and training.
  5. Pentesting and red teaming are an excellent way to evaluate your MSSP/MSP.
  6. Frequency is an important consideration.  Is annual pentesting really sustainable?
  7. Is vulnerability scanning sufficient?  The short answer is no.
  8. We patch, protect, and monitor, so do we still need to pentest? Yes, because you still have blind spots.  Patching can sometimes fail, your EDR solution can give you a false sense of security, and vulnerability scanners cannot go deep enough to find all of the gaps and weaknesses.

 

In this blog, I’m going to talk about the benefits of red teaming and why it is an essential security control for organizations of all sizes, regardless of your industry or cyber maturity level.  The goal of this article is to offer our perspective on the benefits that offensive security delivers to expand your ability to identify, prevent, detect, and respond to cyber-threats and remediate weaknesses that put your organization at risk.

It is important to discuss who red teaming is going to be effective for, and also which organizations may not get as much value.  Historically, pentesting was a service that mostly mid-market and enterprise-sized firms were receiving, but a lot has changed since then.  Not only are attackers targeting SMBs, but advancements in AI and other tooling also enable red team organizations like Legion Cyberworks to give our clients options that let them match their need to find and fix weaknesses with the realities of their budget and time/availability.

What’s more, while large enterprises often hold vast amounts of data that cyber criminals are thirsty for, SMBs are often lucrative targets as well due to several factors, including the fact that SMBs are often under-prepared and their prevent/detect/respond capabilities are not as robust.  According to a recent Forbes article, small- and medium-sized businesses (SMBs) are victims of the most common cyber threats, and in some cases more commonly so, as SMBs tend to be more vulnerable with fewer security measures in place. In fact, last year, 1 in 5 breach victims were SMBs, with a median cost of losses at $21,659, according to the 2021 Verizon Data Breach Investigations Report.

So are there businesses where Red Teaming isn't going to deliver much value?  Perhaps, but we don't know of any.  The truth is that even with a completely mobile workforce, where your business apps and data are 'in the cloud' and you have no physical infrastructure, you still have an attack surface area.  There are technical and human weaknesses, supply chain weaknesses, and blind spots that an adversary will find and exploit to cause you harm.  You need to find and fix these weaknesses in order to protect your business and clients.

Legion Cyberworks serves the small- and medium-sized business marketplace by delivering value-packed managed security services, and professional services like penetration testing and risk assessments that lower the likelihood that our clients will be the victims of a cyber-attack.  Our mission is to help our customers get secure, and stay that way through continuous prevention, detection, monitoring, and threat response services.

At Legion, we believe that red teaming can be highly effective at breach prevention for companies at all stages of their cyber maturity journey.  We recently onboarded an SMB customer who is a startup in the healthcare services industry, and unbeknownst to them, their customer-facing web portal was vulnerable to a remote code execution attack which led to the compromise of a web server.  This was a case where you have a small startup firm with under 30 employees that would have benefited from a pentesting engagement because the vulnerability would have been discovered and subsequently remediated, saving them the cost of a server compromise.

Ok, so you have an MSP/MSSP or you are staffed up internally and your security controls - patching, EDR, access controls, firewalls, segmentation, monitoring / response, etc. - are all up to speed.  Do you need to pentest your environments?  The answer is yes.  Pentesting is a proven way to assess the effectiveness of your security controls and find blind spots so that you can find and fix problems before they are exploited.

After running many pentests over the years, I have yet to see one that produces zero findings, regardless of whether the customer fully manages their IT & Security operations, has outsourced to an MSP or MSSP, or has a hybrid model in place.  There are always areas to improve.

Offensive security also gives you a powerful way to prove to your leadership team that investments in security tools, services, staff, and training are paying off in ways that you can actually see.  We see this in the red team engagements we work on with our clients, where there is considerable investment in resources to protect the business from cyber-attacks.  The IT and Security teams we work with are hard-working and dedicated and are usually doing a great job at implementing security controls.  We validate their efforts and the company's investments in our reporting and post-operation discussions with our customers.

The last point I want to make is that vulnerability scanning is an effective tool to inform the business of weaknesses and to help validate security controls like patch management.  However, vulnerability scanning is not a substitute for penetration testing because it cannot follow the multi-stage attack paths of a red teamer, nor can it evaluate multiple attack options or chain together several weaknesses which, by themselves, may not be significant but, when combined, result in total system compromise.

Penetration testing is absolutely necessary if your goal as a business is to achieve the bar of compliance with applicable laws and regulations, and to build security into your technology and human environments to defend against real world cyber attacks.  Plain and simple, pentesting works.

If you would like to explore how Legion Cyberworks can help your business get secure through our penetration testing services, our managed security services, and through our network of winning partners, please contact us at [email protected] or by phone at 919-769-2916.  We would love to work with you!