Red Teams have exploded in popularity and funding over the past 8+ years. They have evolved their skill and grown their team members, but many Red Teams have not evolved their scope and deliverables to maximize value for the organizations they help protect.
Red Teams in the Boardroom
Red Teams have gained a high reputation among senior executives, with much credit due to their straightforward purpose (simulate bad actors) and output (did they achieve their targets?).
Board and Audit Committee Members champion these engagements and have helped them multiply across the companies that they advise. This popularity has led to lucrative engagements for Red Team consulting companies, significant budgets to build and grow internal Red Teams, and high salaries. Organizations that build an internal Red Team to avoid the high cost of consultants often end up spending even more than before: they hire full-time staff and then continue to hire Red Team consulting companies for assistance or for an independent view.
While highly specialized, the narrow scope of what we have expected of Red Teams has limited the value that a talented Red Team can produce.
The Red Team’s Locked Potential
Red Teams have two powerful assets: brand and expertise.
- Brand: Since Red Teams receive so much attention, many existing and aspiring cybersecurity pros want to be part of one. An organization can gain a recruiting and retention advantage if it lets other security testing activities stand under the Red Team umbrella. Application security testing, network penetration testing, and vulnerability management can all be admitted to this club. Broadening the Red Team with these functions helps leaders spot talent and facilitates career progression.
- For example, a senior red teamer may notice a junior application security tester with a lot of potential. Likewise, the aspiring red teamer who currently focuses on Appsec gets to see how the Red Team spends its time and what is expected. It will either inspire or send them packing from a life of creating custom tools and intense focus on evasive testing. In this model of exposure, I’ve seen many would-be “true” red teamers opt-out and embrace a specialization that better suits their personality and talents. For example, someone who wants to be technical but engage frequently with other teams can excel on a Purple Team. Another aspiring red teamer may find that OffSec is for the birds and take on the incredible challenge of developing effective adversary detections. If the Red Team is separate from other testing functions, this healthy informed career exploration will be less common.
- Expertise: The other reason to consider putting other security testing activities under the Red Team umbrella is that Red Teamers are, by nature, highly skilled challengers. Even if a Red Teamer doesn’t switch their focus to Appsec, they can look at how Appsec is being done with a critical eye, inspire higher quality testing, and help foster it. I’m confident Red Teamers with the right attitude can improve almost any security process if they are willing to lend a hand. If they are organizationally separate, that window of possibility is smaller.
Advanced Capability Through Uncommon Culture
If your reaction to rolling one or more of these other testing areas under the Red Team umbrella is “that would never work here” you might have a culture problem on your hands. You don’t need Red Team leaders who refuse to collaborate with other teams. Don’t take any excuses. If all your Red Team leaders care about is their independence and maintaining persistence on your own network all year, you’re not getting enough for the investment. Red can and should run stealth operations for part of their testing calendar, but your Red Team leadership should be culture champions first and foremost. Take a culture champion any day over a Persistence genius, because every amazing talent will get lapped by someone new who is nurtured in the right kind of Red Team environment. I remember when I got lapped, and since I was not an amazing talent, it happened pretty early in my career. I pivoted to team leadership as soon as I understood my value in paving the way for others. Senior Red Teamers should want to fast track the next generation to be better than themselves. If you want to maintain advanced Red Team capability over time, you need this type of leader.
- Recruiting Mentality and Team Mix: Retention is not just about keeping senior Red Teamers. It’s both unrealistic and unhealthy to staff and maintain an entirely senior Red Team. The right kind of senior Red Team leaders should enjoy and make time for recruiting and overseeing development of high potential juniors. It can give seniors purpose when they are summiting, stagnating, or needing a new challenge.
- Maturity in any function is the ability to maintain capabilities through people and technology changes. Red Teams are no exception. Having a balanced team of caring seniors, hungry joiners and a culture of coaching, feedback and upskilling is a recipe for a long-term Red Team that will stick around to play their crucial part in protecting your organization’s assets.
- R&D / Upskilling: Red Teamers join and stay with organizations that make time for their research and upskilling. The best Red Teamers are relentlessly curious, constantly upskilling in areas like Cloud, AI, and (if the organization needs it) OT. They network with other Red Teamers, both in-person and covertly, and have incredible learning agility. However, their R&D needs to have tangible outputs. Those outputs may not necessarily be private tools – publishing research via tools and conference talks creates prestige for your Red Team. Prestige can attract and help retain junior talent. They want to be mentored by the cool senior Red Teamer at the podium whose name is etched in an ascii banner.
More Business Value through Expanded Deliverables
It’s not just about the people, but I wanted to start there. If the Red Team umbrella becomes larger, an organization can also benefit from more Red Team deliverables with more business value. A Continuous Security Testing Program with a calendar of testing activities helps set expectations and define deliverables, improving not just vulnerability identification but also visibility into the organization’s exposure.
Give your Red Team a vision and charter for an expanded scope and you will increase your cyber threat resilience.
Tim Wainwright
Tim has been a speaker at RSA, Gartner, FS-ISAC, H-ISAC and (ISC)2 National Congress. Tim helped found Security Risk Advisors in 2010. Tim advises CISO Offices on modernizing cybersecurity strategy to improve governance, communication, team culture and growth, detection and response capabilities. Tim is a thought leader in the area of purple teams and attack simulation and metrics to describe quantified threat resilience. Tim has a background in penetration testing, security assessment, and frameworks.