Cyber Exercising, Red Teaming and Pentesting
Cyber security can be confusing particularly if you are engaging with the area for the first time. One of the sources of confusion is the variety of products and services on offer that all seem the same or at least very similar. Penetration testing (aka pentesting), red teaming and cyber exercising are three such services that can be easily confused. This article will aim to describe the similarities and differences between these three services. All three are tools, and useful ones at that, but they must be used in the right place, at the right time and in the right manner.
It is important to first offer a disclaimer. There is no internationally agreed definition of these terms and different service providers will apply the terms differently. Red teaming to one provider will be a different thing to another provider. This article will not attempt to assert any new definitions but will instead describe a continuum along which the typical version of these services can be found. The subjective nature of what is typical should be noted by the reader.
Penetration testing, more commonly referred to as pentesting, consists of a trained individual, or individuals, trying to gain access to a computer system or network of computers. The tools and techniques used by the pentester are commonly used by many attackers so the pentest tries to identify any security weaknesses before an attacker could.
Pentests can be conducted either with or without any prior knowledge of the system they are attacking. Prior knowledge tests, often called white box pentests, are useful for testing a defined set of security controls. Prior knowledge is required so that the pentester knows what to test. Tests without prior system knowledge, often called black box tests, more accurately replicate a real attacker however they may not test all the implemented security controls.
It is beneficial to use both types of test as part of a wider security auditing regime. The white box tests provide assurance that known security issues are being controlled properly while the black box test provides the freedom to discover the unknown issues. Both types of pentests are constrained by the fact that they have to take place on operational systems. The risk of affecting live operations is managed by using a set of well understood tools and techniques. However this constrains the freedom of the test and so reduces the opportunity to discover unknown issues.
Both of these types of pentest take place in the virtual environment. That means that the pentester is sat at a computer and is engaging with other computers somewhere else. Other types of pentests can test the security controls implemented in the social and physical environments.
Physical pentesting involves physically trying to gain access to the computer assets of the protected system. This may be done by walking into the head office dressed as a telecoms engineer or by sending compromised USB gadgets to members of staff.
Social pentesting is more commonly called social engineering and involves exploiting human behaviour to gain access to the protected system. This may be by calling up a service desk and persuading the staff to reset a password or it could be by crafting an enticing email attachment that you just have to open. Social and virtual pentesting come together in anti-phishing campaigns which test how both technological and human behavioural security controls perform in the face of malicious emails.
Pentests can be run in both an adversarial and a collaborative manner. In the former the pentester and the defender work in competition until the test is over and the results are shared. In a collaborative test a member of the pentest team will work with the defenders and will provide prompts and guidance as they seek to defend against the other pentesters. This collaborative approach helps engender learning and development of individuals instead of just producing a large list of remedial actions at the end of the test.
All of these types of pentests can be conducted as individual activities. When these tests are combined we begin to move along our terminology spectrum into red teaming. Red teaming involves a motivated team of ‘friendly’ attackers doing whatever they can to compromise a system. They will use the full range of virtual, physical and social attacks, often in concert, to simulate a highly motivated and persistent attacker.
Red teaming has the benefit of increased realism as they do not have the artificial constraint of only operating in a single environment. This freedom however means there are far more opportunities to consider so they take longer and cost more. This is a challenge if there is a need to assess a broad range of security measures in the physical, social and virtual environments. Like pentesting they take place against operational systems and so will need to be constrained in some way. This will either be done by establishing out of bounds areas or by relying on the red team’s judgement.
Red teaming is conducted in the spirit of the original hacker ethos. This ethos involves the persistent exploration of any system in order to find out how it works. Once you know how it works you know how to break it and also how to protect it. The challenge in conducting this systematically is that it takes time for an outsider to acquire this knowledge. If conducted by an insider this system understanding will be influenced by organisational biases, perceptions and politics.
Classical red teaming
The challenge of addressing biases and perceptions is a fundamental problem in organisations and has been an issue for some time. In fact the term red teaming was not coined by the cyber security sector but was instead developed in US military and intelligence circles during the cold war. Red teaming, or classical red teaming for the sake of distinction, was used to challenge and test plans using a team that would adopt the mindset of the enemy. In the context of the cold war the enemy was the Soviet Union and so the team playing the enemy role were naturally assigned as the red team.
The key purpose of classical red teaming was to challenge assumptions and established groupthink. All plans are the product of complex sociological environments and so will be influenced by cognitive biases. The job of the red team was to try and identify these biases and to assess the impact they would have on the plan under scrutiny.
Classical red teaming is still used to challenge military and intelligence strategy and operations. It was reportedly used by the CIA in their approach to the search for Osama Bin Laden. The need to challenge groupthink in this instance had arisen out of the preceding intelligence failures in the hunt for weapons of mass destruction.
Providing classical red teaming as a commercial service is challenging. This is because the persons charged with countering an organisation’s groupthink need that organisation to continue to employ their services. This creates a conflict of interest that is difficult to resolve.
Cyber exercising is another activity with links to the military. The concept of exercising is long established in military circles due to the need to be ready to engage in live operations. Exercises require individuals and groups to make sense of their surroundings, understand what’s going on and then work collectively towards a common goal.
Cyber exercises aim to achieve the same except in the context of an organisation’s response to a cyber incident. The exercise is not just a drill to perfect the reaction to an incident but instead provides an environment for individuals to learn about how cyber security affects their critical business functions. These exercises will not normally take place on operational infrastructure as this constrains the freedom of the exercise and adds unnecessary technical complexity.
In fact cyber exercises do not need to take place in a virtual environment and can be conducted in analogue form as table top exercises. This is possible because it is not necessary to experience the breach of a security control to explore the consequences of such a breach. Cyber exercises rely on developing a systems understanding of the organisation in a similar manner to the hacker ethos embraced by red teaming. This allows scenarios to be played out and to allow participants to understand how critical business functions could be affected.
Cyber exercises, like all exercises, can suffer from groupthink. There is therefore an important role for a classical red team function in cyber exercises. This can either be achieved by an empowered and cyber aware individual from within the organisation or by employing a third party. These counter-groupthink perspectives can be written into the scenarios so that they can be played out. This helps make them more objective and provides examples and evidence to change perspectives.
Pentesting, red teaming and cyber exercises are all useful tools for an organisation looking to improve their cyber security. Pentesting and red teaming both test security controls in a range of different scopes and scales. Cyber exercising tests an organisation’s response to an incident and provides a platform for the participants to learn about how their business critical functions could be at risk.