What do we mean by intelligent security? Today’s threat landscape has never been more sophisticated, so we must assume a great deal of intelligence in our adversaries. Successful defence must be equally intelligent and that means taking a threat-led approach.
Intelligent security requires an agile and focused defensive posture, designed to optimise both human and technical resources. Our adversaries use sophisticated techniques, so our defences need to be equally sophisticated – addressing the most likely lines of attack with a properly tested and relevant response.
Well-informed threat and risk analysis, professionally conducted with the right intelligence, can be used to design simulated attacks, known as Red Team exercises. These exercises test our protective controls and our incident response capability, as well as providing exciting and relevant storylines for awareness education, helping to strengthen our human firewall.
This is a relatively new discipline for many organisations, who remain uncertain how to implement it in a practical and pragmatic way. Fortunately there is a simple process for the identification, analysis and prioritisation of risks that can be implemented without the need for significant investment in time or money.
Workshops focused on the following three key questions, informed by professional threat intelligence, can kick-start the process quickly and relatively painlessly:
- Who may wish to steal or damage your assets, why and how?
- What are your key information assets, where are they and who owns them?
- Who has legitimate access to these assets and how are they protected?
A roundtable on these topics, led by an experienced information security practitioner, can deliver some highly relevant scenarios for a red team exercise.
Beginning by identifying threat sources and threat agents – the adversaries who want to steal or damage your assets – can encourage productive and educational debate. Threats may include organised crime, competitors, disgruntled employees, activists, foreign governments and many others, as well as non-hostile threats such as untrained or reckless employees and business partners.
The discussion around threats quickly broadens into an exchange of views on known vulnerabilities, and which information is sensitive and valuable to the business, thus also addressing the other two questions. Within a few hours, you will have a flipchart full of potential scenarios, and the individuals in the room will begin to think quite differently about threats and their potential impact.
The likelihood of a particular scenario taking place is determined in debate between security professionals and business managers, taking into account threat intelligence on the one hand and sector-specific experience on the other. The anticipated motivation of each threat agent, their respective skills and typical methods inform the discussion and allow the group to assign a risk level to each.
For example, a legal practice involved in a high-profile case may consider organised criminals to be a threat, perhaps attempting to coerce or deceive an employee into sharing information. The motivation for this type of attack would be substantial and the necessary skills well honed, making this a high-risk threat for the law firm. The criminals’ objective would be to steal sensitive information pertaining to the case, and the most significant vulnerability may be revealed as untrained or unaware staff. In response, the business may decide to conduct a review of where case information is stored, the access controls in place and who has permission to access the data. An audit of the access controls would be conducted to ensure that they are working as expected, and staff would be reminded of their responsibilities to safeguard the information against a data breach. Finally a red team exercise would be commissioned to simulate this threat scenario, testing both the technical controls and human factors for vulnerabilities at each step of the attack. This process is then repeated for each threat premise, allowing resources to be applied to the highest risks that have the most significant potential impact to the business.
Thus a red team exercise reinvents the traditional penetration test as a threat-led, intelligent attack simulation. Rather than examining individual components of the security model in isolation, red teaming replicates every stage of a criminal attack under controlled conditions.
This threat-based approach highlights vulnerabilities that would otherwise be missed or perhaps not even considered during a more traditional ‘due diligence’ exercise. Red teaming should not be seen as an alternative to traditional testing, but as a very valuable additional activity.
There is also the opportunity to use the results of a red team exercise as the basis for highly effective awareness training. Because the audience follows a story, and because that story is genuinely relevant to their organisation, it becomes possible to effectively address that perennially challenging security control – the human firewall. Security awareness at all levels can be increased significantly and staff members become security evangelists in their own right. Further red team exercises can build on this exciting precedent and provide more engaging stories to continue the education of everyone in the organisation.