Elemental
Newcomer II

Benefits of Establishing an Offensive (Red Team) Cyber Team

Hi all

 

I am trying to establish an internal offensive (red team) cyber security team. I have been asked to present to my executive and I was wondering if anyone had any really good power point presentations or other material that I could use to present to my executive on the benefits of having an internal offensive security capability (that compliments an existing external pen test service).

 

I am really just looking for a cool power point slide to really 'WOW' my executive. I don't mind writing the justification / content - but any material in that regard would also be useful.

 

Thanks for your help

 

Cheers

Luke

4 Replies
tmekelburg1
Community Champion

I'll follow this thread to hear others' experiences in this matter, but I'm not sure I could justify the cost of having an internal red team vs. outsourcing as a business decision. Yes, conducting external pen tests and red teaming exercises is expensive, but compare that to hiring someone, e.g., salary, benefits, training, CEU, etc., and suddenly outsourcing doesn't sound so bad lol.
CISOScott
Community Champion

Remember that as you go up the executive ladder your presentation needs to be more brief and precise. I would say no more than 3-5 slides. You may have other slides as backup, but only if needed. I once asked a junior team member to come up with a presentation for the head of the agency. He came up with a 59-slide deck. "Now cut it down to 5," I said. "Five?" he asked. "There is no way I can fit it all into 5!"

 

"Yes there is, and you can do it," I said. He eventually was able to do so, and it was successful.

 

So if I were the executive I would probably have these questions for you, so make sure you cover them in your presentation.

1) Is there enough work to keep this person/team busy? Do we have that many systems that we need a full-time red team?

2) What benefit does this provide to the agency and how does it fit with MY/Agency strategic objectives?

3) How will you/or I measure success of this team?

4) What benefit would this team provide that we are not getting from the existing pentesting engagements? And the follow up of "Will we still need the external pentesting engagements if we do this?" And then "Why?"

 

I'm sure you could grab some cool attack maps showing the attacks coming from all over the world (Here is a cool one from CheckPoint - https://threatmap.checkpoint.com/) and take a snapshot to use as your background (or use it live if your presentation supports it). Or have it up on a laptop facing the executive.

 

Make sure you tie it to the agency's strategic plan or objectives. That is key to gaining executive support. You can have the greatest cyber ideas in the world, but if the executive cannot see how it supports the agency/company's mission, then it becomes harder to justify the cost of it to budget holders or other stakeholders.

 

DO NOT MAKE THE EXECUTIVE HAVE TO STRUGGLE TO FIND THE LINK TO STRATEGIC OBJECTIVES AND MISSION. 

 

For example, if your agency's mission is saving kids from abuse, show how this team will enable your workers to keep working by keeping the systems up and protected. Show how the team will protect the network from disgruntled parents looking to strike back at the agency for removing their kids from them, etc.

 

Do you already have a blue team? If no, then why have a red team? Don't be like this: "Yay! We found out we have vulnerabilities! If only we had someone to fix them." Show how the addition of the red team would complement what you already have. The executive may ask "Why doesn't the blue team have these red team skills?" Be prepared with an answer. What are you going to do with the red team's results? Is the company ready to fix what they find and would it burden other departments? Have those answers ready. If you do have a blue team, then point out how you are finding flaws and fixing them but it would be nice to have someone to independently test them out to be sure they are fixed or to potentially find something you missed. If asked "Well why can't the blue team just test the fixes themselves?" be prepared to show how this would provide sort of an independent test without bias to show that the fix was successful.

 

Be prepared to show how this would strengthen your identification of network attacks. If your blue team can detect the red team's activities (and perhaps even stop them), then show how that makes your network that much more secure. The best way to identify attackers is to have some experience being attacked. Point out that you do not want the only experience of dealing with an attacker to be during an actual attack. Having some previous experience may help point out other flaws that need remediating.

 

Would this addition point out flaws of other divisions or departments? How are you going to handle the political dance around that? Would this team be able to adequately explain how to remediate the issues found to the appropriate departments without making them look bad?

 

How much work have you had in leading a red team? I have worked at one company that had a red team and they were darn good (well, until the contract ran out). They were not a team to just run a tool and spit out its results to the system owner without performing analysis on the tool's output. They would sit and discuss (argue) the criticality of a finding while taking into consideration the system being analyzed. At the end of the discussion, they would come to a consensus about the risks of each finding and then deliver an outstanding, and accurate, report. There were 19 members on the team; however, not all 19 members would test each system. A small group, usually 3-4, would run the tools and then present their findings to the group of 19. This peer review was really good at looking at it from multiple angles.

 

Contrast that to another agency I was with that hired out the red team activities and it was terrible. The pen testing company just ran the tool(s) and regurgitated the results. No analysis. No root cause analysis. No recommendations based on the way the company was structured, etc. The company also failed to rotate pen testing companies every two years and had hired the same company for 6 years straight. Same people, running the same tools, getting the same results. No new perspective or talent. No differences of opinion. Terrible. This is why you will still need that external pentest contract! To bring in a new perspective that your people may have overlooked. Also if you are using a pen testing company and they don't suggest rotating every two years? Find a new one.

 

I have also been able to work with an external red team from the NSA and they were great. It took longer to work out the legal stuff (8 weeks) than it did to run the test. Once approved, there were two weeks of prep work and then total network compromise in three days. I can remember we brought them in on Monday and then late on Wednesday I got an emergency email saying "There is a meeting in 30 minutes. Be there. Red Team achieved TOTAL NETWORK COMPROMISE."

 

I show these examples to show you the various levels of execution and abilities of red teams. Are you prepared to lead them to excellence? Do you have the capabilities in-house to do so? What about the culture of some of these "hackers"? Most red teams I have worked with have been a highly technical and slightly eccentric bunch of people. Do you have a Starbucks nearby? Do you have someone who can handle them? What about mistakes made while red teaming? I mentioned that the one company had a great pen testing team until the contract ran out. Then the newly awarded contract holder didn't retain any of the old staff and just brought in inexperienced pen testers, and they took down three systems. Needless to say, they ended up losing the contract.

 

I'm sure I'm missing some of the benefits of red team creation but hopefully this gives you some more ammunition for your short slide deck presentation.

tmekelburg1
Community Champion

@CISOScott wrote:

> Do you already have a blue team? If no, then why have a red team?


Awesome write up! This right here should be the #1 take away for anyone trying to decide if they need a red team in house.

CISOScott
Community Champion

Are you ready for the next level of your proposal? State that your plan is to eventually cross-train both teams so that you have a "purple" team. By cross-training the employees, the blue team (defenders) will get to see the methods the red team (attackers) use and become better defenders. The attackers will see what the defenders see and become better attackers. So it becomes a win-win for the agency when this happens. The teams will be able to understand each other and ask questions of each other to better their skills.