Part 1: Ready for Red Teaming? Intelligence-Driven Planning for Effective Scenarios
TL;DR
Meticulous, intelligence-driven planning rooted in organisational context is crucial for impactful red team testing. Taking the time for dedicated planning and evaluation ahead of red team exercises will result in more valuable results and a better testing experience for both customers and vendors.
What to do:
- Do utilise multiple sources to inform scenario design, including:
  - Realistic threat intelligence and open-source intelligence from multiple sources
  - Business needs, strengths, weaknesses, challenges, and organisational structure
  - Input from key stakeholders, users, owners, and consumers of the services and businesses you will test
- Do engage CISOs, and system and process owners well before testing starts to ensure operational integrity
- Do allow at least three months for thorough planning and stakeholder alignment
- Do make sure your business security capability meets the maturity level where red teaming is beneficial
- Do tailor scenarios to specific regulatory frameworks and legal requirements for data security (e.g., CBEST for finance)
- Do document clear objectives and success criteria before execution; make sure they are grounded in reality
What not to do:
- Don’t rely solely on generic, off-the-shelf scenarios that are not mapped to your business
- Don’t ignore industry-specific threats, compliance requirements, and intelligence data
- Don’t rush the planning phases, leading to poorly defined scope and outcomes
- Don’t red team before you are ready; have a detection, alerting, and response capability in place that is actually worth evaluating
- Don’t skip securing executive buy-in and necessary resources and staff cooperation
- Don’t overlook the need for well-defined rules of engagement, communications, and escalation processes
Introduction
Conducting a red team exercise has significant benefits for your organisation’s security resilience, if it is planned and executed well. However, given its advanced nature, it isn’t always the most valuable type of test for enhancing resilience, and reaching the point where you can get the most value from one is a challenge in itself.
Without the right elements in place, nothing is learned, and the most valuable findings sail over the proverbial head of the organisation.
That holds almost all the time, except when you are legally required to red team and must scale up quickly, which becomes a big undertaking. In that case, consider an intermediary service, such as scenario-based testing, that tests against specific NIST functions and provides insights that go beyond a normal pentest.
Many of you are considering whether now is the right time for a red team exercise, or you’re seeking a red team experience as part of a larger move toward compliance, such as the Digital Operational Resilience Act (DORA). This article will help you get the right processes and capabilities in place so you can prove and validate any assumptions around your security capability through real-world testing – that’s what a red team should help you do.
The planning and evaluation that goes into red teaming can make or break the quality of test outcomes, which is why we’re exploring foundational planning and radical realism so you can gain the most value from any red team exercise.
Is Red Teaming Right for My Business?
Ask yourself: Is red teaming the most valuable type of security test for your business right now? Red teaming is an incredibly impactful way to enhance your security against real-world risks, but it can also be too advanced for some organisations, especially if their asset visibility, managed security, or detective controls are still immature.
If your IT and security fundamentals are in flux, and you don’t yet have a capability to respond to a real-world event (managed or in-house), then a red team test may not provide the most value.
Consider this analogy: You’re a new boxer, about to start sparring and practicing ‘the real fight,’ but it turns out your opponent is a class or two above you, and has a large, shiny, golden belt. This is clearly an unmatched fight that will result in injury and few practical lessons. You’ll walk away having tried your best, but ultimately not having learned how to progressively build your skills.
This is why we aim to calibrate red teaming to your organisation, its strengths and weaknesses, because without the right level of challenge, nobody learns or grows.
Bringing it back to red teaming, getting the level of challenge right takes planning, so it can prepare your team for the scenarios that are most likely to face your business, and validate the threats you may face. To get the most value and education from red teaming, you need to have security protocols in place, tailored to your system, and functioning correctly.
Consider Scenario-Based Testing as an Alternative to Red Teaming
A different type of test that provides significant insights with more control than red teaming is scenario-based testing, which is more focused on a specific set of circumstances. Scenario-based testing allows you to explore ‘what if’ scenarios much like a red team, but it doesn’t have to be the full organisational scope.
At NetSPI, we perform scenario-based testing aligned to the NIST Cybersecurity Framework functions: identify, protect, detect, respond, and recover. Think of it as a practical test to answer questions such as ‘Can my business detect an active threat in a given set of systems?’, ‘If we have an active breach, what can we see?’, and ‘Are our thresholds for response where they need to be?’
With scenario-based testing, we help you turn these conceptual tests into specific test cases and scenarios. This blends the focus of a pentest with the business impact of a red team in a more cost-effective and manageable way. Depending on your current security stance, a focused test such as this can produce more helpful results and be a better use of resources, time, and money.
Starting with basics like pentesting, and then working your way up to scenario-based testing, and eventually red teaming will help your team systematically grow their skill sets.
Embrace Realism When Planning for Red Teaming
Being realistic about your organisation’s security maturity and your team’s mindset of continuous improvement through blue and red team testing will bring the most beneficial enhancements to your security.
On the practitioner side at NetSPI, we engage in extensive preliminary planning to ensure the success of our red team engagements. These tests are highly involved, and we always want to be realistic about the level of effort that goes into a red team versus a quarterly or annual pentest for example.
Red teaming has more tactical and cultural components than a pentest, such as ensuring the red team lands in an environment that reflects the organisation as realistically as possible, and working internally to secure the right executive buy-in on both timing and funding.
For instance, if someone delivers a red team from a freshly created, clean user account, without all of the long-standing hygiene issues your organisation may face, have you really validated something that reflects reality?
Now is the time to critically think about whether your company is ready for red teaming. You don’t need to face this decision alone. Contact NetSPI’s security experts for guidance on the most valuable security test for where you stand today.
Defining Clear Rules and Objectives of Red Team Exercises
Red team testing is quite involved and requires clear, comprehensive, and proactive communication well before the test starts to avoid common blockers.
A few discussion points to align with your vendor include:
- Engagement Basis: Give ample room for planning because a rushed test is a poor test. Make sure you fully know why you are doing it. Pro tip: Yearly compliance isn’t the answer to this question, and neither is running the test at the same time each year.
- Objectives: Don’t just default to ‘highest privilege possible.’ Think about what matters to your business and how you want to assess it.
- Isolation: Make sure those who know about the test can protect its integrity. If the security team knows a red team is coming, it will always alter their behaviour. How do you know if you face a real risk if red teams cannot expose this safely?
- Data Security: Make sure your provider complies with the laws and regulations you do, such as the General Data Protection Regulation (GDPR), or DORA’s requirements on ICT third-party risk. Remember, your pentest and red team providers hold your most precious data, and they’re a supplier as much as your SaaS, SIEM, SOAR, or managed service providers.
Why Data Security?
Data security is a growing concern because of the increased attention on supply chain risk. Any red team vendor should be able to speak clearly to their data processing protocols and whether they follow standard compliance policies.
At NetSPI, we’ve seen an increase in customer requests regarding vendor due diligence for secure data management. We’re ahead of the trend in this regard, because we’ve taken steps to address the real risk of the supply chain today. Ultimately, a red team is also a supplier, and our security is a key consideration for companies seeking quality red team services.
Plan for Appropriate Red Team Testing Lead Times
Bringing more transparency into adequate lead times benefits both red team testers like NetSPI and our customers.
The assumption tends to be that red teams are ready to go at a moment’s notice and require little setup. In reality, the logistics and organisation on both sides of an engagement typically require at least a month to plan correctly.
The level of care and attention that goes into creating a realistic attack scenario is far greater than red teams typically talk about. As a CISO, security manager, or blue team practitioner, clearly outlining the preparation required for red team testing will lead to a more efficient process and improved testing outcomes.
Business Considerations before Red Team Testing
Red teaming is a delicate balance of preparation and secrecy.
All too often, we encounter blue teams that know when a red team exercise is happening because their company’s budget renews annually, so they can anticipate which quarter of the year they need to be on guard.
Timely involvement of the right people is key to protecting the operational integrity of red teaming. Executive buy-in and stakeholder awareness are essential to minimise the potential risk to a business during a red team test. Equipping your red team vendor with a thorough understanding of your market, organisation, how it operates, and what its security concerns might be, is critical to designing the right type of scenario.
Today, we’re seeing red teaming expand into sectors such as energy, healthcare, and manufacturing. With more critical industries relying on red teaming, practicing safe and appropriate use of force from a red team perspective is essential. Having open, honest conversations early on about a company’s known weaknesses and scoping bounds is an important part of forward planning in this process.
Ready for Red Teaming? Contact NetSPI
Red teaming is an involved testing type that brings highly beneficial insights into your company’s ability to detect and respond to the most realistic attack scenarios. Taking the time for proper planning and evaluation ahead of red team engagements will result in the most valuable outcomes and a strong working partnership between you and the red team testers.
Whether you’re ready for the next challenge, or you’re working on compliance with industry regulations, NetSPI is ready to guide the most impactful next step for your security. Contact us for a consultation with our security experts.