One of the greatest heavyweight boxing champions of all time, Mike Tyson, famously said: "Everyone has a plan until they get punched in the mouth." And security is a lot like that. You can follow the best practices and have the best technologies, but it could all fall apart with the first serious cyberattack. The truth is, people who protect things often do not think like people who attack things.
This is where the Red Team comes into play. The Red Team is a team of ethical hackers, people who try to break into systems in the same way a criminal would. But in the end, they do not lock your data, they do not steal your money, and they do not bring your business to its knees. They document every exploit and write long reports on how to fix problems and ensure nothing bad ever happens.
Their service is extremely valuable because they test your system against real-world attacks. In fact, many industry or state regulators require certain industries to perform regular offensive operations against their systems.
But unlike cybercriminals, the Red Team operates by rules of engagement: before any activity begins, the organization is advised on how the operation will proceed. How long will the Red Team try to beat the organization's defenses? When should attacks take place (during work hours)? How much data should the Red Team be given (this determines whether the test will be black, gray, or white box)? What can the Red Team use: only technology, or can they try to fool employees into revealing business secrets (social engineering), and can they use 0-day exploits (security problems nobody except us found out)? Only after all that has been agreed upon can the operation start.
In the end, clients get project documentation: a management (executive) summary, a technical report with detailed descriptions and mitigation recommendations, and videos for critical vulnerabilities.
SANS is the most trusted and by far the largest source for information security training and security certification in the world. To be one of their 76 Certified Instructors is no easy task; it takes years of true dedication, but our team leader/CTO, Bojan Zdrnja, is just that. His knowledge is immense, and when he is not educating the world's best cybersecurity experts on web app penetration testing (SANS SEC542), he is making sure Infigo's Red Team is in a class of its own. With a team lead like that, our only choice is excellence!
A security assessment is a great way of identifying existing security vulnerabilities; until you know what the vulnerabilities are, you don't know what you have to fix. But getting the right results for the best price is always a balancing act, and many organizations are not sure when to use vulnerability scanning, penetration testing, or a red team engagement.
Vulnerability scanning is something every organization should be doing on a regular basis. It is the most basic activity in managing vulnerabilities and is often done using software vulnerability scanners, with security specialists removing false positives.
Penetration testing is a step up, and here it is important to have the right scope. The goal of penetration testing is to find as many vulnerabilities as possible in the target scope. And if the target scope is clearly defined, penetration testing will yield the best results. Of course, since penetration testing is more time-consuming and requires lots of manual work, it is more expensive than vulnerability scanning.
A red team exercise is the ultimate test of any organization's defenses. In this exercise, the attackers are given a goal and they can use any means necessary to achieve it. This includes writing new exploits, using social engineering, even physical break-ins. A red team exercise might miss some vulnerabilities that penetration testing would find, but it will show how the organization stands against a real attacker.
For more on that, you can read an article by our CTO.
Everything security related! But it mostly falls under a couple of categories that are most useful for organizations big and small.