Pre-empting attacks - Relevance of red teaming in enterprises

This panel discussion from HITB Cyber Week Dubai explores the relevance of red teaming in enterprises, covering why it’s important, how to get budget approval, common pitfalls, and how to resolve conflicts between red and blue teams.

Panelists

• Emmanuel: 30 years in security industry, specializing in telecommunications, mobile networks
• Dr. Erdell: Regional CISO at Standard Bank, loves community, believes events help share voice
• Kiran: Head of Technical Security Advisory for Digital 14, part of corporate information security team, manages team of security operations, penetration testing, incident response, speaks at multiple global cybersecurity conferences
• Bryson: Former army officer, founded consultancy Grimm 8 years ago, spun out adversary emulation platform Scythe, co-founder of ICS Village (non-profit on critical infrastructure), senior fellow in cybersecurity and emergent threats, advisor to Army Cyber Institute
• Anant Shrivastava: Technical team within NotSoSecure Global Services (part of Claranet Group), deals with threat teaming, pen testing, DevSecOps initiatives

Key Topics Discussed

Why Red Teaming is Important for Enterprise:

• Military games analogy: Matters same way military games matter - don’t get to war every day but train all the time
• Best way to uncover unknown unknowns
• Must translate to business language - talk dollars, not CVEs
• Three core elements of attack chain: Reconnaissance, Access, Post access
• Business value increases down the phases - recon has least business value, post access has most

How to Convince People Who Control the Purse:

• “You can either spend a hundred now or use a million later”
• Link back to dollar value and reputation factor with findings impacting business
• Show tangible results - demonstrate impact on payment gateways, ATM switches, critical applications
• Two kinds of companies: leadership cares, leadership doesn’t care
• Red teaming is not compliance focused - it’s understanding what will happen with real-world adversary

Purple Teaming:

• Evolution of red teaming - collaborative culture, get results as you go
• Decide in advance what to test, use milestone-oriented fashion together
• Blue team and defense sitting there going “We didn’t see that” - dial in detections, validate, move on
• Improving as you go - everybody’s part of that

Major Pitfalls:

• Cannot approach same way in every organization
• Scope matters - define activities and target systems
• Repeatable testing key - validate posture maintained
• Configuration drift happens - endpoints stop logging, lose visibility
• Ego on both sides - red teams trying to win, blue teams defensive

Resolving Conflicts Between Red and Blue Teams:

• Focus on business risk, not ego
• Leadership must set vision and expectation
• Not win or lose game - objective is to establish minimum environment where blue team learns
• “There are always threats we don’t know about” - don’t let ego take precedence

Key Insights:

• Red teaming is like military training - need readiness, sharpen tactics, know enemy
• Best way to uncover unknown unknowns
• Must translate to business language - talk dollars, not CVEs
• Three core elements: reconnaissance, access, post access
• Purple teaming is evolution - collaborative culture, get results as go
• Scope matters - define activities and target systems
• Repeatable testing key - validate posture maintained
• Ego on both sides - red teams trying to win, blue teams defensive
• Leadership must set vision and expectation
• Business value increases down attack chain phases
• Configuration drift happens - need repeatable testing

Actionable Takeaways:

1. Red teaming matters like military training - readiness, tactics, know enemy
2. Best way to uncover unknown unknowns
3. Translate to business language - dollars, not CVEs
4. Three phases: recon, access, post access - business value increases down phases
5. Purple teaming - collaborative culture, get results as go
6. Scope matters - define activities and targets
7. Repeatable testing key - validate posture maintained
8. Resolve conflicts by focusing on business risk, not ego
9. Leadership must set vision and expectation
10. Don’t let ego take precedence - there are always threats don’t know about