Beyond Red Teaming

What Is Red Teaming?

Are you wondering if you should be “doing” some Red Teaming?  Since we started our company in 2000 we have been trying to educate the world on terminology surrounding cybersecurity, including the way we test our network detection and response methods.  In the early days “pen test” referred to just about anything involving a Nessus scan.  We didn’t like that, because it was wrong, and would often use the phrase, “do you want to capture the flag or find the vulnerabilities?”

Fast forward to 2024 and the big buzzword for the audit world is Red Teaming.  In fact, Red Teaming seemed to be the one thing all people who are graduating from cyber schools want to talk about.  We hired nine people since 2000, and had to include the promise, “yes you can be involved in Red Teaming” with six of them. 

As we are used to learning new buzzwords for things we’ve always been doing, I don’t feel right using my own definition of what I think Red Teaming is.  Therefore, I asked CyberGPT to define it.  After reviewing the eight-paragraph answer, I prompted, “now define it in two sentences,” which resulted in this definition:

“Red Teaming in cybersecurity involves simulating real-world cyber-attacks against an organization’s digital infrastructure to identify vulnerabilities and test the effectiveness of its security measures. This practice allows organizations to proactively strengthen their defenses by exposing weaknesses and improving response strategies before actual attackers can exploit them.”

Okay, so it’s the marketing term for Penetration Test. 

What is a Red Team?

My new employees, chomping at the bit for Red Teaming, would be irritated if I allowed the CyberGPT definition to stand.  For one, it leaves out the whole concept of the Blue Team.  Obviously the two-sentence definition above would cause some umbrage among the accounting firms pushing the process, because they have developed a methodology to work with the Blue Team during the penetration test.  If all are in the know, the marketers of this service call it Purple Teaming. 

At least until some other groups with new marketing professionals develop new buzzword terminology leaving you, my readers, wondering yet again if you need to be concerned with the term. 

But let’s not forget there is value in the approach, or it would not have been successful.  I have discussed with several cyber professionals the advantages of setting up a red team in their organizations.  So, let’s ask CyberGPT to define what a red team is, in two sentences:

“A red team in cybersecurity is a group that adopts the role of an adversary to challenge an organization’s security posture by identifying vulnerabilities, testing defenses, and evaluating the effectiveness of security measures through simulated cyber-attacks and other threat simulations. Their work is crucial for uncovering potential security weaknesses before they can be exploited by malicious actors in the real world.”

Now we’re getting to the bottom of it – what distinguishes Red Teaming from penetration testing.  THE SIZE OF YOUR ORGANIZATION.

If you are a small community-based bank, you’re lucky if you have a Blue Team, much less a red team.

[Figure: triangle showing the "three teams working as a SIEM" – the Internal tech team, the incident response team, and the MSSP (or SOC) together forming the Risk Mitigation Team]

So, what is a Blue Team?

When you read our definition of a SIEM, you may be thinking “where’s the Blue Team” but again, let’s not rely on my definitions.  CyberGPT defines Blue Team as:

“A Blue Team in cybersecurity refers to the group responsible for defending an organization’s information systems against attacks, including those simulated by red teams. They focus on strengthening security measures, detecting breaches, responding to incidents, and improving the organization’s overall resilience against cyber threats.”

Beyond the three teams working as one, a SIEM is the set of technical tools and practices the Security Operations Center (SOC) uses to monitor a network.  Fundamentally, it includes Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Threat Intelligence, Event Log Management (ELM), Change Detection (CD), and some form of Endpoint Protection – either antivirus software (AVS) or, better, Endpoint Detection and Response (EDR). 

In a small community-based bank, a Blue Team is the technical team – the internal IT people and usually the primary contact people at their Managed Services Provider (the current buzzword for what we used to call Network Support Provider). 

So what?

Well, the problem we have here is that when a community-based bank does a penetration test, there's usually nobody available to "work with the red team," much less people educated enough to be on the white team.  In fact, a member of the Blue Team is usually working with the ISO to schedule the audit.  So the ISO must be the white team?

No.  In community banks, we don’t have the staff to implement Red Teaming.

And that’s okay.   At least for now, “Red Teaming” is one buzzword that we can ignore.

Where the problem actually is.

Those of us who tabletop test community-based banks all recognize the rolled eyes on the part of the technical people involved in those tabletop tests – the Blue Teams.  They know that while management is impressed with how we just got everybody on the same page about a new risk or control, management "has no clue about what actually happens before they get called into an event."

I put quotes around that last phrase, but it’s not actually a direct quote.  It’s just similar to what I heard EVERY TIME I asked for feedback from a Blue Team member, after the tabletop test.

The FFIEC Guidance on Incident Response requires us to implement tabletop tests.  And they are great.  In fact, I have written about how important they are.  But they only exercise response tactics AFTER escalation.  We did try to bring in some SIEM reports and such in the early days, but stopped because we didn’t want management to start reading email in the middle of the test.

Current guidance does NOT require us to test detection, containment, and escalation – the three make-it-or-break-it tactics in incident response.  Worse:  we expect our Blue Teams to handle this part of the process flawlessly – with no training whatsoever. 

What’s the Solution?

One of my Clients tried Red Teaming because he wanted to fix this problem.  But it didn't work well.  I remember him using the word, "gotcha."  A gotcha doesn't exercise the Blue Team.

The Blue Team needs to know what an incident looks like.  Ultimately, they need to know what it looks like when controls are broken or don’t work as planned.  How is the incident detected?  What do we do to contain it?

More importantly, we have noticed in our 24 years of service that the ugliest incidents occur when a Blue Team member takes what we call "the lone ranger approach."  Technical people do not want to reach out.  Thus, we need to exercise escalation – put Blue Team members in a position where they have to decide whether to escalate.
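To make the three tactics concrete, here is an added example (not part of the original post, and not infotex's Blue Team Exercise) of the kind of drill a small Blue Team can run on its own: a handful of constructed event-log and change-detection records are fed through three simple detection rules, each hit carries a containment step, and a separate escalation rule decides which findings must go to the ISO rather than being handled "lone ranger" style. The event fields, rule names, the five-failure threshold and the escalation policy are all assumptions chosen for the drill.

```python
"""Blue Team escalation drill: detection -> containment -> escalation.

Added example, not from the original post or infotex. Event format,
rules, thresholds and escalation policy are assumptions for the drill.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    source: str          # "elm" = event log management, "cd" = change detection
    host: str
    user: str
    action: str
    detail: str = ""


@dataclass
class Finding:
    rule: str
    severity: str        # "medium" or "high"
    event: Event
    containment: str     # what the Blue Team does right now


# Constructed sample events for the drill; no real hosts, users or paths.
SAMPLE_EVENTS = [
    Event("09:00", "elm", "fs01", "jdoe", "logon_failed"),
    Event("09:00", "elm", "fs01", "jdoe", "logon_failed"),
    Event("09:01", "elm", "fs01", "jdoe", "logon_failed"),
    Event("09:01", "elm", "fs01", "jdoe", "logon_failed"),
    Event("09:02", "elm", "fs01", "jdoe", "logon_failed"),
    Event("09:03", "elm", "fs01", "jdoe", "logon_success", "interactive"),
    Event("09:10", "elm", "dc01", "jdoe", "group_member_added", "Domain Admins"),
    Event("09:12", "cd", "web01", "svc_web", "file_changed", "/etc/ssh/sshd_config"),
    Event("10:00", "elm", "ws17", "asmith", "logon_success", "interactive"),
]

FAILED_LOGON_THRESHOLD = 5   # assumed tuning value for the drill


def detect(events):
    """Apply three simple detection rules and return the findings in order."""
    findings = []
    failures = Counter()          # (host, user) -> consecutive failed logons
    for e in events:
        key = (e.host, e.user)
        if e.action == "logon_failed":
            failures[key] += 1
        elif e.action == "logon_success":
            # Rule 1: a success right after a burst of failures
            if failures[key] >= FAILED_LOGON_THRESHOLD:
                findings.append(Finding(
                    "brute_force_then_success", "high", e,
                    f"Disable {e.user}, isolate {e.host}, preserve logs"))
            failures[key] = 0
        elif e.action == "group_member_added" and "admin" in e.detail.lower():
            # Rule 2: membership change on a privileged group
            findings.append(Finding(
                "privileged_group_change", "high", e,
                f"Verify change ticket; remove {e.user} from {e.detail} if unapproved"))
        elif e.source == "cd" and e.action == "file_changed":
            # Rule 3: change detection fired on a monitored file
            findings.append(Finding(
                "unexpected_config_change", "medium", e,
                f"Diff {e.detail} on {e.host} against baseline; restore if unapproved"))
    return findings


def must_escalate(finding, findings):
    """Escalation policy (assumed): any high finding escalates; a medium
    finding escalates only when another finding touches the same user or host."""
    if finding.severity == "high":
        return True
    return any(
        f is not finding
        and (f.event.user == finding.event.user or f.event.host == finding.event.host)
        for f in findings
    )


def triage(events):
    """Return one decision row per finding: what fired, what to contain, whether to escalate."""
    findings = detect(events)
    return [
        {"ts": f.event.ts, "rule": f.rule, "severity": f.severity,
         "host": f.event.host, "user": f.event.user,
         "containment": f.containment,
         "escalate": must_escalate(f, findings)}
        for f in findings
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        flag = "ESCALATE" if row["escalate"] else "monitor"
        print(f"{row['ts']} {flag:8} {row['rule']:26} "
              f"{row['host']}/{row['user']}: {row['containment']}")
```

Run as a drill, the Blue Team member is shown the rows one at a time and asked for their own containment step and escalation call before the script's answer is revealed; the disagreements are where the training happens. The sshd_config change is deliberately left at "monitor" so the exercise includes a judgement call rather than only obvious escalations.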

We believe we have developed a process that works really well.  We set up a Blue Team Demonstration, which is kind of like "Purple Teaming with a plan."  It's just one step in an overall "Blue Team Exercise."  Adam Reynolds and Sean Waugh have been receiving rave reviews from our Clients on this process, so we believe we have – yet again – developed a process that will one day have its own buzzword.   For now, we call it Blue Team Exercise. 

Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex


Dan’s New Leaf – a fun blog to inspire thought in  IT Governance.
