Recently, I went to a convention. The convention was taken over by a group called BSides. The talk list was unpublished, and the subject matter was not in the brochure.
While we’re all fortunate that the reports afterward indicated that there were no casualties, this was actually untrue. For many, innocence was lost. They learned that it wasn’t a matter of if, but when, their network would be compromised, and that they needed to fix it, soon, or face unemployment.
What Is a Red Team?
Red Teams are systems and network engineers who specialize in offensive information security (INFOSEC). They will attempt to penetrate your network, break into servers, social engineer your employees, and gain access to your building or infrastructure physically (Is your Wi-Fi really secure?). They will use every trick in the hacker’s playbook to gain access — and trust me, this is a good thing.
When they are done, your Red Team is going to come back with a binder full of security vulnerabilities that need to be fixed and suggestions based on industry-standard best practices. It will be up to you and your Blue Team to fix the defects and implement the new best practices.
Trust me, it’s hard to hear that you’ve got a mess on your hands and that it’s going to require resources to repair. You’re going to feel beat up, and there will be an impulse to go find a bed to hide under. Fight that impulse.
It’s crucial to listen to what the Red Team is telling you, review their notes, and ask as many questions as possible. Fully understanding the security challenges you face will allow you to repair it now, before it is exploited.
After you’ve implemented the changes and best practices recommended by your Red Team, hire them again to make sure the changes have stuck. It’s unlikely that you’ll get a clean bill of health the second time around, either, but it should be way better than the first. And unlike with most other metrics, “security vulnerabilities” are best when they track down and to the right.
Where Do I Get My Red Team?
There are many commercial consulting firms that specialize in Red Team work. And while I can’t make specific recommendations as to which one is best for you, I can provide the following advice: Don’t hire based on cost. Hire based on comfort. The people you feel most comfortable working with are the people that are going to best serve you and that you will best listen to. Engage legal throughout the process to protect yourself and your future Red Team.