So I asked you, the readers, what you wanted to read about, and we had many great questions, but the main one was "Why do we need Red Teaming?"
So I went back a couple of years into my vault of documents and found a submission to the Australian Government answering the question of why we should have red teaming. This submission was written by a former team member and me. So I thought I would share it. It's a bit long, but so is the question.
In his first address as Prime Minister, the Hon Malcolm Turnbull stated that the Australian Government would be “…focused on ensuring that in the years ahead as the world becomes more and more competitive and greater opportunities arise, we can take advantage of that.
The Australia of the future has to be an agile nation, that is innovative, that is creative. We can’t be defensive, we can’t future-proof ourselves. We have to recognise that the disruption that we see driven by technology, the volatility in change is our friend if we are agile and smart enough to take advantage of it.”
We believe that a red teaming security strategy is one of the most powerful ways that the Government can be proactive, adopt disruption and take advantage of it. We believe that the Australian Government should adopt a security red team strategy. The strategy should be implemented across all Commonwealth Government Departments and Agencies and should involve regular red team assessments that aim to identify security vulnerabilities across technical, physical and workforce elements of Government.
For Australia to be truly innovative and effective in regards to security, it must see security not as a burden, but as an enabler. Increasingly, governments around the world are recognising that supporting innovation and transformation involves actively encouraging change while ensuring that new technologies are safe and fit for purpose. These governments are increasingly aware that security failings can have significant economic and reputational impacts causing often irreparable damage. In the case of a security failure, the technology that was designed to transform and achieve a vision instead becomes the very thing that destroys it.
The Prime Minister would be all too familiar with examples like the United States Government Office of Personnel Department cyber attack (where the details of 4 million employees were compromised), the Anthem healthcare attack (where 80 million client details were compromised) and closer to home, the Australian Department of Immigration data breach (where the details of 10,000 asylum seekers were compromised). In these cases and many more, security failure has undermined reputations, brands and public confidence.
Given the significant impact of such experiences, it is not enough for organisations, governments included, to base their security strategy solely on compliance measures and minimum standards. Organisations that are truly intent on their vision succeeding identify and pursue best practice when it comes to holistic security; innovation and excellence must also extend to this area. Increasingly, one of the key elements of best practice is the implementation of red teaming.
Red teaming is the process of viewing a problem from an adversary or competitor’s perspective. Traditionally used by the military, red teaming is now increasingly employed by governments, media, and a range of commercial organisations to identify and reduce enterprise risk and increase business opportunity. Simulating the mindset and behaviour of an attacker, a red team challenges assumptions and recognises vulnerabilities from an outsider’s perspective to make an organisation more effective.
In the context of holistic security, red teaming is an authorized, adversary-based security assessment for defensive purposes. The process involves completely re-imagining traditional security testing and vulnerability analysis. Rather than examining individual components of the security model (technology, policies and procedures) in isolation, red teaming takes a holistic big picture view of a target (a Government Department for example) and simulates real targeting under controlled conditions.
A red team security assessment tests the digital, physical and workforce elements of an organisation’s security. The objective of such an assessment is to identify likely risks to the organisation (such as financial loss, loss of market advantage, or corporate reputational damage) from varying threat actors (such as competitors, state-sponsored or criminal organisations) by identifying an organisation’s vulnerabilities (specifically relating to information security, security policy and procedures, and the security awareness of the workforce, often exploited in phishing campaigns for example).
All testing considers the specific threat context in which the particular organisation being tested operates, including likely threat actors and their associated methods of attack. In a red team assessment, security specialists play the role of an adversary to simulate realistic attack scenarios that may occur across varying elements of the business. Specialists seek to identify and exploit possible security vulnerabilities in a coordinated, interconnected approach that is representative of genuine attacker behaviour that targets information and assets. This results in a better understanding of possible adversaries for organisations and an improvement in countermeasures for future threats. The limitations of a penetration test or vulnerability assessment are that they only test a small snapshot of an organisation’s security, with limited scope, in an artificial environment. By simulating real attackers in a realistic attack environment, testing is both more reliable and valuable, because identified risks are not just theoretical – they have been demonstrated in action.
Red teaming in a government context involves testing the security of the information governments store and transmit through their networks. To do this, red teaming considers three key aspects of security that are the primary attack vectors used in real-world attacks to target governments and other organisations: technical (e.g. external networks, internal networks, mobile devices); physical (e.g. network access points, physical information assets, workspaces); and people (e.g. employees, stakeholders, supply chain). A red team assessment always begins with a detailed threat context analysis, personalised to the business, to identify real-world attackers (e.g. state-sponsored, competitors, criminal or politically motivated actors), their motivation, their skills and likely avenues of attack.
This is followed by in-depth reconnaissance and research into the target organisation in question (such as a Government Department for example) to identify potential weaknesses in networks (particularly internet-facing technology, including mobile devices), physical premises, and the workforce (both at work and during work travel). The results of these initial exercises are then used to devise realistic, likely attack scenarios, based on the target and most relevant threat actors. These attacks are then simulated by the red team and include realistic attacking behaviour such as lateral movement across networks where possible, targeting information deemed to have the most value and greatest business impact.
The primary reason to undertake a red team security strategy is to ensure that the Australian Government is supported to achieve its priorities and thrive. With great opportunities also comes risk. Using security as an enabler, we believe that the Australian Government can confidently pursue its agenda knowing that it is not turning its opportunities for growth into opportunities for threat actors to use against it. Adopting a red teaming strategy will allow the Government to lead from the front to achieve this. Specific benefits to the Government in adopting red teaming are:
Tangible Business Impact: Red team testing mimics the real-world attacks that businesses and governments face daily. In this way, red teaming can deliver the true business impact of a security breach. This allows governments to effectively prepare for worst-case scenarios, develop realistic business continuity strategies while becoming genuinely resilient.
Cost Efficiency: Red team assessments include all the value of traditional penetration security tests but also a range of other security deliverables. Importantly, they deliver significantly more value for security budgets. Governments that implement a red team security strategy have a better understanding of possible adversaries and therefore which countermeasures are effective and which are not. This means they can target their spending, with accurate knowledge as to where money needs to be spent, and where it can be saved.
Workforce Training: Because red teaming involves real-world simulation, it provides an excellent training opportunity for ICT security employees whose responsibility it is to defend Departments and identify potential attacks. In an environment where targeting is becoming increasingly innovative and sophisticated, those tasked with defending them need to continually sharpen their skills and increase their experience to improve the Government's ICT capability. Red teaming provides the opportunity for this.
Building Security Culture: Red teaming provides the opportunity to build a resilient security culture and improve security awareness for the Australian Government workforce overall. Because red teaming is scenario-based, details and results of the exercise can be shared using an engaging story-based approach and delivered to all levels of the business. This has the added benefit of strengthening the Government's security profile in the most vulnerable area: people.
Red teaming has already been adopted by the United States Government [1][2], the United Kingdom Government [3] and the European Union [4]. In the United States, several Government Departments now use red team assessments, including the Department of Labour, the Government Accountability Office, the Department of Energy, the Department of Defence, and the Department of Homeland Security. In its Security Assurance Program briefing [5], the Department of Homeland Security highlights the importance of red teaming in creating an unbiased view of network defence and security, while delivering a more realistic picture of security than traditional security assessments.
Red teaming is identified as a way of optimising return on investment while validating the integration of people, processes and technology. The Department of Homeland Security now undertakes red teaming regularly through Operation Cyber Storm [6], a cross-entity activity involving multiple government departments and agencies (both state and federal) and private companies. Similarly, the United Kingdom Government is highly proactive regarding red teaming and has released a guide to encourage its use across varying public and private sectors (see footnote [3]).
On a larger scale, the European Network and Information Security Agency (ENISA) now undertakes regular red teaming exercises involving 200 organisations that are designed to test the security and response of governments and the stakeholders they interact with (e.g. internet service providers and utility companies). Red teaming is also undertaken with increasing frequency in the private sector, with notable examples including the financial sector, defence sector, and utilities sector [7]. Closer to home, the subject of red teaming was recently included on the discussion agenda at the inaugural Australian Cyber Security Centre Conference.
We believe that the Australian Government should adopt a holistic security red team strategy to be implemented across all Commonwealth Government Departments and Agencies. We believe this strategy should involve regular red team assessments that aim to identify security vulnerabilities across technical, physical and workforce elements of Government.
We believe that a holistic security strategy of this nature, involving such a broad range of security areas, is best initially coordinated by a Department with overarching visibility of all these areas. This is why we are presenting this proposal to the Prime Minister's Office. We also believe that the Prime Minister's recent comments about the importance of using 'disruptive' innovation to our advantage as a nation mean that he is likely to understand the need for such a strategy and have a genuine interest in the outlined proposal.
Appendix
[1] Defense Science Board Task Force on 'The Role and Status of DoD Red Teaming Activities': http://fas.org/irp/agency/dod/dsb/redteam.pdf
[2] Department of Labor 'Clean Sweep Red Team Report': http://www.dol.gov/dol/media/CleanSweep-RedTeam-report.pdf
[3] Ministry of Defence 'Red Teaming Guide': https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/142533/20130301_red_teaming_ed2.pdf
[4] NATO Cooperative Cyber Defence Centre of Excellence 'Cyber Red Teaming': https://ccdcoe.org/sites/default/files/multimedia/pdf/Cyber_Red_Team.pdf
[5] Department of Homeland Security 'Cybersecurity Assurance Program': http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2012-05/may31_cap-red-team-brief_rkaras.pdf
[6] Department of Homeland Security 'Cyber Storm - Securing Cyber Space': http://www.dhs.gov/cyber-storm-securing-cyber-space
[7] SC Magazine UK, 'Red Teaming in the Real World': http://www.scmagazineuk.com/red-teaming-in-the-real-world/article/345158/