10 September 2019

5 red teaming myths debunked

Plenty of red teaming myths have been around since the concept originated as a military term for a dedicated team simulating enemy activities and techniques. Fast forward 10-15 years, and the term “red team” is also being used in the cybersecurity industry. Despite its increasing popularity, there are many myths that we’re going to clear up for you.

Myth #1 – ‘Red Teaming is just advanced Pen Testing’

We often hear that red teaming is simply a complex version of pen testing but, in fact, they are very different from each other. Pen testing seeks to identify application, network and system flaws, sometimes with the additional aim of compromising physical security barriers. Pen tests are usually short, discrete exercises constrained to testing software.

Red teaming exercises differ as they take a free-form and holistic approach. The consultants take time to avoid detection (as a cybercriminal would). They take everything into account, identifying physical, hardware, software, and human vulnerabilities.

Myth #2 – ‘Red teaming is only for large companies’

Red Teaming is often perceived to be employed only by organisations with mature, sophisticated security stances. Sometimes, cybersecurity decision-makers believe their business doesn’t need ‘that’ level of security assessment.

In reality, Red Team engagements can be delivered to organisations of any size. The engagements can follow a wide variety of techniques to be successful. IRM has a 100% success rate of getting through the front door/reception of organisations that we’ve completed Red Teaming exercises for. We use a mixture of penetration testing, social engineering and physical intrusion to hit key objectives.

If you want to understand the key threats and vulnerabilities in your organisation, Red Teaming is a good route no matter your size or security maturity.

Myth #3 – ‘It’s all about Mission Impossible-style tactics’

The general misconception around Red Teaming is that it requires scaling buildings and entering through back doors.

In truth, although there is a wider scope of tactics employed outside of standardised pen testing (such as Social Engineering and Physical Intrusion), it doesn’t have to be overly complex. There may be some clever psychology or engineering to get through reception or a secured lift entry, but traditional tactics may also be used once inside a building. The idea of Red Teaming is to present the tactics, techniques and processes that threat actors are most likely to use.

Myth #4 – ‘Red Teaming’s too expensive’

This is one of the most common red teaming myths. When people start to think about Red Teaming, their first thought is that it’s going to be too expensive, perhaps because there are likely to be more consultants with a physical presence on site.

High cost is not a given, as you can define the scope to suit your organisation’s requirements. For example, if you have 20 office locations, you don’t have to include every one of those in a red teaming exercise. Similarly, there are always going to be certain departments or areas of the business you want to exclude for sensitivity or legal reasons. Your Red Teaming vendor can work with you to choose the most cost-effective way to produce the best results within your budget limitations.

Myth #5 – ‘Red teaming means lack of control’

Many people worry that entering into a Red Teaming exercise and handing over the engagement to their chosen supplier means loss of control. More specifically, security managers are concerned about the Board’s reaction if the exercise uncovers serious vulnerabilities.

This is not an accurate portrayal of what would happen. An experienced and effective Red Teaming partner should work with you to engage the Board of Directors or any senior management from the beginning. The vendor should help them understand that, in order to create a strong cybersecurity approach, the organisation’s weaknesses and flaws need to be highlighted. These vulnerabilities can then be tackled and remediated together to ensure the organisation is stronger and safer moving forward. It’s far better that you and your cybersecurity vendor discover flaws than a potential cybercriminal later down the line.

Want to learn more now that some Red Teaming myths have been debunked? Download our latest Red Teaming Guidance Paper below: “The Exec’s Handbook to Red Teaming.”

To understand more about IRM’s Red Teaming services, visit the “Scenario-based Testing” area of our website here. If you would like to speak to one of the team about how a red teaming exercise could support your cybersecurity strategy, get in touch.