Red team vs blue team exercises are a very effective method to evaluate the security posture of your business. However, red teaming carries certain risks that must be taken into consideration, both for the red team and the target business.
The world of IT security has been slightly shaken in September 2019 when two penetration testers outsourced by the state of Iowa were arrested on charges of burglary when penetration testing the physical security of judicial buildings. To make matters worse, this misunderstanding has not been resolved for several months. Only recently, the charges have been dropped. This case clearly shows that things can go seriously wrong for red teamers or any kind of offensive security professionals during a real-world attack.
However, it’s not only the red team operations and/or external pen testers that are at risk during security testing. The target systems that are supposed to be compromised during the test might potentially suffer damage as part of the cyber attacks. Therefore, it’s worth to have the following in mind when performing both penetration tests as well as fully-fledged red and blue team operations.
1. Agree upon Detailed Conditions of Red Teaming
When outsourcing pen-testers or red teamers, make sure to go into as much detail as possible. If there are areas of your security program that you would rather not have tested at the moment (perhaps because they are not protected well enough yet), make sure to clarify it. Remember that a good penetration tester will think of the strangest ways to circumvent your security controls. Unless it’s clearly stated before the test, they may try things like phishing, social engineering, or even disabling physical security measures during a real-life attack.
Take most care with resources that might potentially be damaged during a penetration test. For example, if part of the red team exercise is to go beyond cybersecurity and test your physical security, make sure to make it clear if you don’t want the team to test whether it’s possible to break through the glass door without tripping the alarm or whether it’s possible to cut the wires to the alarm system.
Also, don’t assume that such problems don’t apply if the team is internal, not outsourced. Your internal team may be just as eager to test your security in very imaginative ways. Make sure that they clearly know what you expect and what is acceptable.
2. Have Everything in Writing
No matter whether your red team exercise is performed by your own employees or by an external company, make sure that both sides are legally protected in case anything goes wrong. A detailed agreement/contract will safeguard both the pen testers and you.
For example, if any form of law enforcement is involved during the penetration test, your team might avoid a lot of trouble if they can immediately present documents that make it absolutely clear that their actions are requested and legal. For example, you could issue identity/entry cards that they could use to prove that they can legally gain access to the premises that they are breaking into. They would obviously not use such cards as part of the test.
In the case of non-physical tests (for example, network security or web security), access to an external IP address that is associated with your business will greatly help. This way, if any law enforcement gets involved (for example, due to the Internet provider detecting unusual activity), penetration testers will be able to show that the IP that they performed the attacks from was actually an IP that belonged to the same target that was being attacked.
3. Know Local Laws
Laws regarding penetration testing, both when it comes to physical security and information security, can differ greatly between countries or even between regions (as in the case of the United States). Professional contractors will be aware of such laws but your internal security teams might not be.
If your red team assessment is fully internal, make sure that your pen testers are fully briefed with your legal department about what actions might be considered legally risky. If your red teaming exercise is conducted with the help of a contractor, still make sure that your legal department is involved. The reason is simple: it’s much easier to prevent problems than be forced to rectify them afterward.
4. Inform Potential Stakeholders
When performing a realistic penetration test, especially if it involves checking the “human condition” as well (for example, the efficiency of physical security), the people who are directly involved cannot be informed because it would spoil the test. For example, if security employees know they are going to be attacked on a specific day, they will greatly strengthen their efforts to detect it early and prevent it.
However, keeping people in the dark may have serious consequences. For example, if the penetration test involves physical security and your business works together with an external physical security company, the employees of that company may detect the penetration attempt and react, possibly even physically harming the pen testers in the process.
There is no simple solution in such situations, therefore you must resolve it on a case-by-case basis, finding a perfect balance between the information that must be shared and the information that must be held back in order for the test to be realistic.
5. Expect Things to Go Wrong
Red teaming and pen testing is, by its nature, invasive. Even if the team members are fully professional and careful, accidents can happen and sensitive data might be endangered. Therefore, both in the case of cybersecurity and physical security, make sure that you protect the assets that are involved in penetration testing. Never perform a penetration test unless you have complete backups of all systems and data that might be involved. Of course, you should have complete backups even without a penetration test, but during such a high-risk activity, the probability of something going wrong is much higher.
In general, when performing such invasive real-time exercises, you should expect the worst – just as in the case of a real attack but even worse, because the attackers are part of your team, too! For example, if you have pen testers trying to physically break into your company, expect law enforcement to catch them and be ready to react accordingly. Some other results that you may expect are temporary unavailability of critical systems or defensive mechanisms.
Despite potential risks, penetration testing and red teaming are such an excellent way to verify the security posture that you should not get discouraged due to those risks.