The SANS definition of a Red Team is, “a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access.” At Core, we believe that a Red Team is the ultimate way to “Think like an Attacker.” No matter how you say it, a Red team should be formed with the intention of identifying and assessing vulnerabilities, testing assumptions, viewing alternate options for attack and revealing the limitations and risks for that organization. Some organizations will have different teams for these functions in order to carry out conceptual challenges, wargaming and even to challenge each other to provide the best security possible.
No matter how many teams you decide on building, they should all consist of independent thinking by a group of structured, creative and critical professionals to assist the end users in making better informed decisions or to produce a safer product. Restricting Red Teams with artificial constraints like “no phishing” creates a false impression of security. Enable your Red Team to fully test your organization to get a true benchmark of your organization’s current security posture.
Now that we know the basics of a Red Team, how do you build one? Red Teams can be made up of as few as two people and scale to be over twenty – depending on the task at hand. It’s crucial when it comes to scaling your security team that you are making smart hires with a specific purpose in mind and adding to your Red Team’s overall toolkit.
Ideally, you want to have the members of your Red Team spanning across different specialties and functions of your technologies. Building out your team with members possessing a diverse set of skills and backgrounds will help you tap into areas you’ve not been able to in the past. This helps because of the many areas within a company that you may be trying to protect. Think about it – within each company at any given time you are (or should be) securing information and people from all corners of the organization. This ranges from aspects such as business continuity to emergency management, supply chain security, information security, operations security and facilities security. A few years of experience is needed to season them for this experience and to gain the know-how to build and administer networks is critical so that they know how these networks are run and where shortcuts and mistakes likely are.
Some of the best Red Team members we’ve seen have come from IT admin ranks, are experienced in network engineering or have been part of Windows and Unix administrations. Testing web apps? We’ve seen the best of these testers come from development – which makes sense since they understand the backend of a website and know the intricacies of these environments.
Don’t count anybody out. Instead, look to those outside the “normal” mold of Red Teamer or security engineer and you may be surprised with the insights they can bring to the table.