‘Red Teams’ Need to Deliver Context — Let’s Help Them

Working on a Red Team is frustrating. I know, I was on one.

Red Teams work hard penetrating systems, gathering data and presenting findings to senior management, only to get strongly dismissive responses: “So what?” This is frequently followed by an order not to share detailed information with the Defensive Cyber Operations (DCO) teams defending the network. Sometimes the reason is obvious. Sometimes not.

I came to realize that the underlying problem is that the findings don’t include enough information to make an impact on the culture of inertia that pervades the cybersecurity world. I have actually had executive leaders tell me they would lose plausible deniability.

This obviously sub-optimal situation hasn’t changed since my time serving on a Red Team.

The DOD Office of Inspector General just released a new report, “Followup Audit on Corrective Actions Taken by DoD Components in Response to DoD Cyber Red Team-Identified Vulnerabilities and Additional Challenges Facing DoD Cyber Red Team Missions.”

This was a follow-up to the earlier report “Better Reporting and Certification Processes Can Improve Red Teams’ Effectiveness,” a more easily understandable title.

They investigated three areas to see what had changed in eight years.

  • Did DoD Cyber Red Teams support operational testing and combatant command exercises?
  • Were corrective actions being taken to address DoD Cyber Red Team findings?
  • Did the assessed risks affect the ability of DoD Cyber Red Teams to support DoD missions and priorities?

The results? In a word: No.

The data generated by Red Teams and the teams conducting Defensive Cyber Operations is still not being shared. Worse, even with better procedures, part of the problem is that both the results and the analysis of the results of penetration testing and vulnerability management functions are superficial.

They don’t pass the “so what” test.

But Red Teams can’t do their job well unless they have an accurate map of the cyber terrain to put their findings into a larger context. That context is what matters most for reducing the risk to missions.

Unique in the industry, RedSeal can model and evaluate Layers 2, 3, 4 and now 7 — application-based policies. And, it includes endpoint information from multiple sources.

If both Red Teams and the DCO teams tasked with defending the cyber battlespace can easily analyze 3-4 layers of complex attack depth to connect vulnerabilities exposed to the Internet with pivots and attack paths buried deep in a network’s hybrid infrastructure, their recommendations will be seen as worthy of immediate attention. This will lower the risk to mission in a real way.
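To make the “attack depth” idea concrete, here is an added illustration (not RedSeal’s code and not from the DoD report) of how a defender can attach the “so what” to each finding: a constructed network model in which a finding only matters if it lies on a pivot path from the Internet to a mission-critical asset, with the number of pivots as the depth. The host names, findings and reachability edges are all assumptions for the example.

```python
from collections import deque

# Constructed sample environment (an assumption, not real infrastructure).
# Each edge means traffic is permitted from source to destination, as a
# Layer 3/4 reachability model would record it.
REACHABILITY = {
    "internet": ["web-dmz"],
    "web-dmz": ["app-server"],
    "app-server": ["db-server", "jump-host"],
    "jump-host": ["mission-db"],
    "hr-printer": ["hr-fileshare"],
}
# Hosts where the red team found an exploitable weakness (constructed labels);
# only these can serve as pivots.
FINDINGS = {"web-dmz": "unpatched web framework", "app-server": "default creds",
            "jump-host": "weak SSH config", "hr-printer": "open admin page"}
CRITICAL = {"mission-db"}  # assets whose loss affects the mission

def attack_paths(reach, findings, critical, start="internet"):
    """Breadth-first search from the Internet. A host may be pivoted through
    only if it carries a finding. Returns {critical asset: shortest path}."""
    paths, seen, queue = {}, {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here in critical:
            paths.setdefault(here, path)
        if here != start and here not in findings:
            continue  # reachable, but no foothold: the attacker cannot pivot on
        for nxt in reach.get(here, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return paths

def finding_context(reach, findings, critical):
    """The 'so what' for each finding: (exposed asset, pivots on the path),
    or None when the finding sits on no path to a critical asset."""
    paths = attack_paths(reach, findings, critical)
    ctx = {}
    for host in findings:
        hits = [(len(p) - 2, a) for a, p in paths.items() if host in p]
        ctx[host] = (min(hits)[1], min(hits)[0]) if hits else None
    return ctx

def fixing_breaks_path(reach, findings, critical, host):
    """True if remediating `host` alone cuts every path to the critical assets."""
    remaining = {h: f for h, f in findings.items() if h != host}
    return not attack_paths(reach, remaining, critical)
```

Run against the sample data, the three findings on the DMZ-to-mission-db chain are reported at depth 3 while the printer finding is reported as off-path, which is the context a “so what?” audience is asking for.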

Maybe then, senior management will listen, the process will radically improve, and the DOD Inspector General will not have to write a report saying nothing has changed in seven years.

For more information, click here to speak with a RedSeal government cyber expert.