In this mad, mad world of breaches, organizations are scrambling to keep their heads above water. It's like trying to navigate a minefield while blindfolded and riding a unicycle — one wrong move, and everything goes up in flames.
So, how do you know your security controls are up to the task of defending your organization? This is where red teaming comes in.
Red teaming is like crash testing a brand-new car. You take your shiny, pristine vehicle and slam it into a wall at full speed, just to see what breaks. It might seem crazy, but it's the only way to find out where the weaknesses lie. In the same way, red team members put an organisation's defences through the wringer, poking and prodding at every possible vulnerability until something gives way.
Part of red teaming can involve social engineering, the art of manipulating people into giving up the keys to the castle. It's like a Jedi mind trick, but instead of waving your hand and saying, "These are not the droids you're looking for," you convince an unsuspecting employee to hand over their login credentials, open a fire exit, or plug a blinky device into the network for you.
Simulated phishing exercises are sometimes used by red teamers or organizations wanting to continually test their human layer defenses. It’s like sending your employees on a virtual fishing trip, except instead of catching trout, they're learning how to spot the bait. By throwing them into the deep end and watching them swim (or sink), organizations can identify who needs a life jacket and who's ready to take on the sharks.
Some red teamers will also conduct detailed penetration testing to infiltrate networks, exploit software and expose weaknesses in the infrastructure like a bad tabloid exposé.
Just like crash testing a car, the point of all this chaos is to build something better and stronger. By putting your organization through these exercises, you’ll gain assurance as to what works and what doesn’t. Ideally you’ll come out the other side with a vehicle that can handle anything the road throws at it. And with regular tune-ups in the form of security awareness training and phishing simulations, your employees will become the equivalent of Formula One drivers — alert, skilled and ready for anything.
While all of this may feel like you're being thrown to the wolves, think of it like training in a dojo with a well-trained master. Their objective isn't to hurt you, but to show you how to be more effective at self-defense. It's better to sweat in the gym than in the real world. In much the same way, organizations would rather be exploited by friendly hackers who want to help them get stronger than by a real attacker.
Red teaming and social engineering tests, including simulated phishing emails, aren't a one-time deal. Just as physical fitness requires consistency, so does the process of assuring the effectiveness of an organisation's security.
As Malcolm Gladwell states in his book Outliers, “Practice isn’t the thing you do once you’re good. It’s the thing you do that makes you good.”
So keep practicing, keep testing your security from all sides — physical, technical and human — and build that strong security culture.