If a hacker broke into your computer network, stole all the x-rays that you, a health system administrator, had stored, and used artificial intelligence to change the images, what percentage of x-rays would convince you to pay a ransom to learn which ones they were? Twenty percent? Five percent?
At The Red Team Experience, a panel discussion held on the second day of the International Conference on Cyber Security, Micah Zenko shared that possible scenario with an audience of security professionals as an example of what red teams can prepare a firm for before it actually happens.
“I always think of the first ever red team meeting as an act of therapy,” said Zenko, the author of Red Team: How to Succeed By Thinking Like the Enemy (Basic Books, 2015).
“It’s having an honest conversation about what do you care about most, what degree of resources are you committed to protecting, how will you marshal resources, how good are you at putting out fires, and what is your relationship with third party responders and law enforcement, when a breach happens?”
The panel, which was moderated by Ed Stroz, GABELLI ’79, co-founder and president of Stroz Friedberg (now known as Aon Cyber Solutions), explored the intricacies involved in hiring an outside firm to try to break into one’s own computer networks and stop just short of causing irreversible harm. Done right, Stroz said, a sustained attack, carried out without any of lower management’s knowledge, can provide valuable insight for employees who are willing to learn.
“If you were to draw a picture of a company’s computer network, they almost never show the people; they only show the devices. It’s not wrong; that’s how most network maps look,” he said.
“But I think if you really want to do it correctly, you have to show the people, because they are part of the computer network.”
Jude Keenan, director at Aon Cyber Solutions, said there is often confusion between penetration (or pen) testing and red team testing, with the former offering breadth and the latter offering depth. Many companies mistakenly assume their internal tests amount to the same thing, he said.
“For us, we need to have buy-in from executive level members, someone who has the authority to say, ‘I give you permission to steal really what is our company IP, crown jewels, and have no one else know about it,’” he said.
“It’s pretty important from that perspective, because if the blue team knows someone is going to attack them, then it’s not really an accurate test.”
Stroz said the tricky part of red teaming, which takes its name from military exercises where red teams play offense and blue teams play defense, is balancing the need to show weaknesses in a company’s networks with the potential downside of embarrassing and demoralizing employees.
Often, he noted, red teams will discover flaws that a company’s IT staff was previously aware of, but couldn’t convince their superiors to address. Together though, everyone can work to address the issues before they become problems.
“In my experience, clients who are going through a real cyber-attack, everybody’s IQ drops about 20 points, because it’s human nature,” he said.
“You tighten up, you go back to primitive thinking, the reptile brain kicks in. Everybody does it, including me. But one way to minimize the bad side of that is to inoculate yourself and be aware of it and try through a bit of preparation. Any preparation that helps you build resilience is going to benefit you.”