Is the Red Team in Your Corner?
One of the areas I am interested in when it comes to cyber security is the use of psychology and human behavior as part of the hack. It certainly seems that, in the 20 years I have been working within the industry, this aspect of cybercrime has been honed to perfection. I like to look at crimes ‘back in the day’ and compare and contrast the details of the crime. Apart from the conduit of a cybercrime, aka the technology, modern cyber crimes and past ‘analog crimes’ have a lot in common. For example, let’s take the infamous British ‘Great Train Robbery’ of 1963. The crime involved a commercial train traveling from London to Scotland which was known to carry large amounts of cash – around $3 million. The criminals, in this case, used a number of techniques that modern cybercriminals also apply. They used surveillance and intelligence gathering on their subjects, and during the robbery they tricked the train driver with a false signal to elicit a specific behavior – in this case, to stop the train and get out of his cab. These techniques of manipulation and behavior management are used by modern cybercriminals in spear phishing. In the end, the robbers were captured by a mix of people including eagle-eyed citizens, forensic scientists, and police on the ground.
The interesting thing about the Great Train Robbery, and other analog crimes, is that it took a team, albeit an informal one, of actors to solve it – people who were both connected and not connected to the job at hand. This concept of using multi-disciplinary teams to cast a fresh set of eyes over a situation is being recognized as an important way to mitigate cyber crime. These multidisciplinary teams are known as a ‘red team’, and the practice as ‘red teaming’.
Who Will Win: Red Team Vs. Blue Team?
The idea of the red team originates way back. They may not have used that phrase, but many types of organizations had a red team approach within their working practices. Red teaming is about challenging pre-defined and possibly entrenched ideas. It is about facilitating informed decisions that improve the working of a company or process.
Back in 2003, the Department of Defense (DoD) carried out an appraisal of the use of red teams. In the subsequent report, they said that red teaming can “both complement and inform intelligence collection and analysis.” Red teams in the military were seen as able to “aggressively challenge evolving joint concept and prototypes”.
The main requisite of a red team is to have a mechanism that questions the core beliefs of any given organization or process, and that can come at a situation without any preconceived views.
One of the issues in making any decision is that the information can be in some way colored by our own ideas and beliefs. This is especially true if we have some experience of that situation. We need a fresh pair of eyes to truly allow us to see what we can’t. A red team is meant to do this: to ‘step back from the canvas’ and give an unbiased assessment of a given situation.
Some organizations will pit a red team against a blue team to get to the core of a situation. In the technology application of red team versus blue team, the blue team would typically be internal IT staff who are already integrated into an organization and know its operations and systems, whilst the red team would be made up of external people who purposely set out to push against the barriers set up by the blue team. The result is likened to a mini-war, where one side is playing a defensive position while the other is in for the attack. However, unlike a war, the two teams are attempting to reach the same outcome – a better process or operation.
Red Teaming for Better Cyber Security
Red teaming seems like a given for the military who, by definition, have to ‘think like the enemy’. The idea of creating a red team made up of multiple disciplines is also ideally suited to the nature of cyber security for the same reason. The 2003 DoD report identified three key areas that a red team can work within:
- “Surrogate adversaries and competitors”
- “Devil’s advocate”
- “Sources of independent judgement”
In terms of cyber defense, having a group actively look for the cracks in your defenses can have enormous value. The idea of adversaries and competitors is equivalent to a hacker. A devil’s advocate is a challenger of widely held beliefs – in the case of cyber security, this could be a commonly used security configuration that has flaws. Sources of independent judgement are just that – having someone who can challenge conventional wisdom is sorely needed in a world where modern cyber security threats use our natural behavior against us.
The People Behind the Team
The core attributes of a red team are:
- The ability to think critically about a problem, and to avoid bias in the approach to that problem
- The ability to think ‘outside of the box’ about an issue – carrying assumptions can hamper insight
- Independence – an independent team, working outside of the direct involvement of a system or process, can bring a new view and recognize previously hidden issues
- Technical skills to assess what tests to perform
- Social skills to understand the psychology of cybercrime and enact realistic scenarios
One thing to remember is that any red teaming that involves an aspect of security is also likely to come up against some legal complications involving data. NATO has created a useful study on Cyber Red Teaming which also looks at the legal and privacy aspects of using red teams. By definition, red teams involved in penetration testing will likely have access to Personally Identifiable Information (PII).
The Red Mists of Cyber Security
We are living through challenging times, certainly in terms of the amount and complexity of cyber crime types. Technology is an ever-changing landscape that, at times, feels like you have to run to keep up with it. Within the world of cyber security and defense, we need to stand up to that challenge with every possible means. If this requires us to think differently and to look at our operations and attempts at cyber threat mitigation with a fresh eye, then we should explore those options. The worst possible place to find yourself is with a genuine cybercriminal acting as their own ‘red team’ and testing out your security defenses for themselves. Pre-emptive strikes, using friendly ‘red team’ fire, should be something that you look at as part of your cyber security strategy.
Susan Morrow has spent the last 20 years of her life working in various areas of security, and more recently online identity. She is most interested in the interplay between the cybercriminal and the victim – the games that are being played out in the world of cybercrime.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.