Red teaming, penetration testing, security assessments and the like have been evolving over the last few decades. I recently wrote a blog about how organizations are leveraging Verodin SIP to change up their approach to the red team. But the bottom line is, how we approach red teaming is about to take a giant leap forward.
Red teaming is an art and science. The men and women conducting these assessments are some of the most security-savvy people you’ll ever work with. But red teams aren’t being armed with the tools to make them business-relevant. That’s about to change.
There is a better way with the Verodin Security Instrumentation Platform (SIP). Verodin SIP augments red teams – internal and external – and brings the red teaming process out of the past.
As you are aware, there are sizable gaps with traditional red teaming approaches that reduce the value that red teaming can bring. Red teams generally operate over a finite time across a finite set of targets looking for exploitable vulnerabilities. The result: the dreaded report.
Nobody likes writing these reports. Fewer people enjoy reading them, and they are often not acted upon. And a repeat assessment in a month, quarter or year will likely reveal the same or similar issues.
But the result shouldn’t be a report nor should the results be at a point in time. They should be evidence-based, prescriptive actions predicated on continuous, automated assessments at scale. And the process should remove frustration – not introduce it.
Anyone that has been part of the red teaming process on either side knows the frustration:
- Friction between offensive groups, defensive groups, and leadership
- Periodic assessments don’t keep up with today’s ever-changing IT environments
- Findings that focus mostly on patching and configuration that rarely consider the actual network security controls, endpoint security controls and security management solutions like SIEM
- Fixes are too general and not at all prescriptive
- Too resource intensive to scale
- Slow to integrate new attacks
- Only temporary fires are lit for business decision makers – then it’s back to business as usual which is extremely frustrating for everyone and bad for security
But enough about the issues – let’s see how Verodin helps improve red teaming.
Top 5 Tips for Making Red Teaming Modern with SIP
1. Coordinating offensive red teams with defensive blue teams
Verodin SIP operates by allowing you to safely and continuously execute real attacks in your production environment. You control Verodin SIP Actors with the Verodin SIP Director – note that Actors can only attack each other and by doing so evaluate the effectiveness of your firewalls, WAFs, IPS, DLPs, endpoint security controls, SIEMs, etc. The Actors aren’t looking for missing patches and vulnerabilities on your databases, desktops, and webservers, for example; they are looking for issues with your security controls.
Each attack is associated with an API or similar integration with, for example, your log manager or SIEM, so that you know empirically what was blocked, alerted on, correlated, etc. In doing so, Verodin SIP provides actionable results regarding not just which attacks were successful, but what changes can be made, such as an IPS signature, firewall rule or SIEM rule.
This prescriptive approach goes beyond illustrating what the issues are. It details exactly what you need to do on your security controls to better prevent, detect and respond to the attack thus bridging the ineffective gap between offense and defense and making mitigation quicker and easier.
2. Moving from point-in-time to continuous validation
Let’s face it, you know that evaluating your security quarterly, semiannually, yearly, etc., never really worked but there wasn’t a better approach. With Verodin SIP you can continuously evaluate the effectiveness of your security controls by testing hundreds or even thousands of attacks multiple times throughout the day by taking advantage of Verodin SIP’s automation controls.
Best of all, you can manage by exception. With Verodin SIP’s Continuous Validation capability you can schedule attacks and, should the results return something that wasn’t expected, such as certain traffic being allowed, alerts not firing, or correlation not working, you will be alerted to the change. This continuous validation negates the need for you to have a dedicated headcount for Verodin SIP and allows you to scale at a rate never thought possible as it relates to validating the efficacy of your security controls.
3. Validating security control effectiveness
Verodin SIP offers many compelling use cases: hiring, training, tuning processes, optimizing SIEM, DLP, firewalls, etc., evaluating new products, and removing redundant or outdated solutions. At its core, though, Verodin SIP allows you to validate the effectiveness of your security controls.
Other solutions will help you with patch levels on your databases, configurations on your web servers and the like. Verodin SIP allows you to evaluate your security control effectiveness across firewalls, IPS, DLP, WAF, endpoint, SIEM, etc.
Verodin SIP then prescribes the necessary adjustments so you can implement changes. Following that, Verodin SIP allows you to re-validate that the adjustments were instrumented correctly. Finally, Verodin SIP allows you to continuously evaluate to ensure that defensive regression has not caused your security effectiveness to be reduced over time.
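The manage-by-exception idea from tip 2 and the defensive-regression check from tip 3 both reduce to comparing each scheduled test's observed outcome against an expected baseline. The sketch below is an added example, not Verodin SIP's API or data format; the record fields, test IDs and sample data are constructed for illustration.

```python
from dataclasses import dataclass

STAGES = ("blocked", "alerted", "correlated")

@dataclass(frozen=True)
class Outcome:
    blocked: bool     # a prevention control stopped the traffic
    alerted: bool     # a control raised an alert
    correlated: bool  # the SIEM correlated the alert into an event

def find_exceptions(baseline, observed):
    """Return (test_id, stage, expected, actual) for every deviation."""
    exceptions = []
    for test_id, expected in sorted(baseline.items()):
        actual = observed.get(test_id)
        if actual is None:
            # A scheduled test with no result is itself an exception:
            # silence must not be read as "still passing".
            exceptions.append((test_id, "no_result", None, None))
            continue
        for stage in STAGES:
            want, got = getattr(expected, stage), getattr(actual, stage)
            if want != got:
                exceptions.append((test_id, stage, want, got))
    # Results for tests that have no baseline need review before they count.
    for test_id in sorted(set(observed) - set(baseline)):
        exceptions.append((test_id, "no_baseline", None, None))
    return exceptions

def regressions(exceptions):
    """Deviations where a control that used to fire no longer does."""
    return [e for e in exceptions if e[2] is True and e[3] is False]

# Constructed sample data: expected outcomes and one scheduled run.
BASELINE = {
    "dns-exfil-01": Outcome(True, True, True),
    "sqli-waf-02": Outcome(True, True, False),
    "portscan-03": Outcome(False, True, True),
}
OBSERVED = {
    "dns-exfil-01": Outcome(True, True, True),     # unchanged, stays quiet
    "sqli-waf-02": Outcome(False, False, False),   # WAF stopped blocking and alerting
    "smb-lateral-04": Outcome(True, True, True),   # new test, no baseline yet
}   # "portscan-03" produced no result in this run

if __name__ == "__main__":
    for item in find_exceptions(BASELINE, OBSERVED):
        print(item)
```

Only the deviations surface; the unchanged test produces no output, which is what lets the schedule run many times a day without someone reading every result.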
4. Scaling with limited resources and evaluating new attacks
Verodin SIP is designed to not require a dedicated FTE. It is also designed to work seamlessly across Network Actors, Cloud Actors and Endpoint Actors with a centralized management console – the Verodin SIP Director. Verodin SIP operates today in some of the largest and most complex environments in the world. The Continuous Validation discussed in item #2 really helps reduce your workload and increase your productivity.
When you want to evaluate a new attack with Verodin, this is accomplished quickly and easily. It might be a PCAP that you downloaded from a third-party site. It could be a host CLI, malicious DNS query, socket, port scan and so on. And if you want to get really hands-on with the attack, you can even code your own in Python or Ruby – however, writing code or scripts is not necessary to get value from Verodin SIP.
You’ll probably find that loading in PCAPs derived from your own packet captures, third-party sites, ISACs and threat intelligence providers will be the most useful. So, when your boss calls (I’ve blogged about this scenario before) and asks, “Are we safe from attack ABC?”, you can download the PCAP and load it into Verodin. In only a few seconds it’s weaponized, routable, and ready for you to start running attacks between Actors to determine whether your security controls are preventing, detecting, alerting on and correlating the “ABC” attack, and that there are no false positives. With Verodin it’s binary – either your controls did what you want, or they didn’t. For more information about Weaponizing PCAPs – check out this related blog.
5. Becoming part of a larger business risk discussion
All the technical variables within the Verodin SIP make it valuable for red teams, blue teams, security executives, and auditors, but we’re finding that red teams often have a compelling story to share with CIOs, CROs, CEOs and even the board.
With Verodin SIP you can illustrate trends related to your organization doing better or worse with details regarding why. You can show the value of changes that have been implemented – new products, adjusted processes, better training, and existing solutions that have been tuned and optimized.
You can also show what products are not adding value and can be retired as well as where future investments should be focused and prioritized.
With Verodin SIP red teams can measure and articulate risk with quantitative data that is steeped in showing ROI. This is a powerful capability that gives red teams a voice at much higher levels in the organization and allows organizations to adapt and improve more quickly because they are better informed and thus operate more securely.
Verodin SIP does not replace your red teams – it augments them. It doesn’t replace the tools that red teams use because Verodin SIP isn’t another security tool, it’s a business platform for security. Verodin SIP allows red teams to be more efficient and effective. It allows red teams to validate security control efficacy, processes, and people. It bridges the gap between red and blue teams. And, it allows red teams to be more business relevant. Verodin SIP helps make red teaming modern.