Penetration Testing: When to Call in the Red Team

When should you call in the red team?

Every organization, regardless of size or industry, should conduct a red team exercise at least annually. Red team exercises differ from traditional penetration tests, which focus only on IT assets. This type of engagement helps you identify critical vulnerabilities in the people and processes of your organization. It also tests the strength of your existing incident response plan in practice.

What to expect during a red team engagement:

The team will review your organization’s business structure and the value of the data stored or processed. Once the critical business areas are defined, the team will formulate an attack plan to identify vulnerabilities in key components of your organization.

During the initial meetings, the team will work with you to gather information about your organization’s key lines of business. They will then present a testing plan of action for your approval. Testing should be kept solely between a client point-of-contact and the red team to allow testing of normal incident response procedures. If your workforce is tipped off about a red team engagement in advance, their behavior is likely to change, affecting test validity when analyzing normal incident response procedures.

What should you expect from the deliverable?

You should expect to receive a comprehensive report with an executive summary detailing the testing along with high level recommendations for the organization. The findings and recommendations section should have actionable recommendations to mitigate or alleviate all issues identified. The report should be valuable for security leadership as well as your technical team.

What should you look for in a vendor?

Vulnerability management vendors should be able to conduct testing on any entry point of your organization and have expertise in how policies and procedures are applied to mitigate or alleviate identified threats. Selecting the right vendor is essential to building an effective security strategy. Detailed recommendations on selecting the best vendor for your organization can be found in our 2018 pen test guide:

Get the guide: Selecting the Right Penetration Test Vendor