By Robert Wood, Technical Manager, Cigital
The need for strong security in the banking industry is not a new concept; the threats, and the methods used to exploit and steal from the industry, are constantly evolving, however. Consequently, security controls need to adapt to the targeted yet holistic nature of these new attacks, and determining the correct path for that adaptation requires significant effort. Red teaming is the process of modelling an adversary: determining how they think, what they see, and how they will attack your critical assets using any techniques and any attack surface accessible to them. Operationally, this may mean that a Red Team chains vulnerabilities from many domains (such as web application security, network security, social engineering, process manipulation, or physical security) into a single composite attack, driven by the set of objectives they are working to achieve. This process can be applied in a security assessment or strategic planning capacity to help improve the intelligence, awareness, and effectiveness of a security initiative.
3 advantages to red teaming
From a security assessment perspective, red teaming can be used to gauge the effectiveness of an organisation's security posture in a production environment. The key advantages of using a true red team are:
- Treating the entire organisation as attack surface when identifying vulnerabilities and the composite attacks they enable, rather than assessing components in isolation. This tests whether systems, software, people, and processes prevent vulnerabilities in the first place, and identifies areas for improvement along the way.
- Operating covertly with respect to operations and engineering teams. Whether those teams and their automated infrastructure can detect and alert on red team activity is a direct measure of their ability to detect real-world attacks.
- Forcing incident response teams to react to the red team's efforts, highlighting any process weaknesses or bottlenecks along the way. An organisation's ability to react swiftly and successfully to an attack is a critical step in minimising its impact.
In contrast to a traditional vulnerability scan or penetration test, which is a targeted effort against components the organisation considers important, red teams operate with a different mindset: they attack whatever an adversary would consider important in order to achieve the established objectives. Red teaming is not meant to replace targeted security assessments, however. It augments them and feeds a different set of results and attack intelligence back to the security initiative.
What does it mean to be red team secure?
Being red team secure means that an organisation can withstand the simulated attack efforts of a red team as it models different types of adversaries, such as insider threats, criminal organisations, and coordinated hacker groups. The prevention, detection, and response capabilities of any security organisation are paramount to its overall success in protecting critical assets. Red teaming also tests whether these capabilities extend across the entire organisation and not just selected pieces of it, which is critical given the interconnected nature of a modern financial services organisation.
Over time, things naturally change within an organisation to make day-to-day work more efficient, and this may cause a significant drift away from an original design or intention. Such drift from a known, understood state frequently introduces new connections, storage locations, communication channels, and configurations. The result is attack surface that is completely unknown to the security team and has therefore never been reviewed; these changes may introduce new vulnerabilities in addition to falling outside any standardised risk management review.
Adversaries are opportunistic and do not restrict themselves to specific attack vectors or pieces of attack surface based on risk management policies or organisational structure. Adversaries look at organisations holistically, driven by the assets they are targeting; they will identify vulnerabilities across many different aspects of an organisation and work out how those vulnerabilities fit together into composite attacks. This composite attack view can in turn give a more precise risk measurement for a class or set of vulnerabilities, depending on how they can be leveraged to compromise critical assets.
The bottom line
Security leadership in the banking industry should start by understanding the adversaries they need to defend against, including their capabilities and motives. An effective definition should include both qualitative analysis and quantitative measurements of attack skills, time available to dedicate, number of resources available, and so on. Once these adversaries are understood, they can be effectively modelled through red teaming to stress test the security posture of an organisation. Without a sound understanding of relevant adversaries, organisations cannot answer the question "secure against what, or whom?" and can only perform very general red teaming activities, degrading the potential benefit.
In summary, the industry as a whole is responsible for protecting a very sensitive collective set of assets. That value and sensitivity has historically attracted, and will continue to attract, malicious actors who will attempt to access or steal those assets. Red teaming is a proactive measure to identify the methods and paths that an adversary may take to compromise a set of assets, rather than simply identifying more vulnerabilities.