Red teaming and wargaming — essential in an organization’s arsenal for responding to cyber threats

If I can’t see a malicious actor in my network, maybe they’re not there? This is the approach that many take when discussing cyber threats. Red teaming and wargaming can, however, help organizations be better prepared for a breach and adapt to today’s ever-changing security landscape. The rise of an increasingly digitalized world and of the information society has led to overall societal development. However, permanent technological change has directed towards more and more security-related issues. Nevertheless, cyber threats are keeping up with digital and societal transformation. It is clear now that they are universal and they are growing both in numbers and intensity. The actors behind these threats are not only trying to break into organizations’ network, but also seek to bag their data. They use more and more complex ways to achieve their scope, techniques that might render them more and more difficult to be discovered while roaming around and compromising systems. In any case, not everything is dark in sight since there are some ways to ensure the prevention, efficient response and resilience in the face of a cyber-attack.

First, looking at red teaming, it was initially used by the German military in 19th Century as a way of getting grip of possible threats and unpredictable outcomes of an operation. Nowadays, this tactic is adapted to be used against newer threats, including the ones in cyberspace. A red team is usually composed of offensive cybersecurity experts that test an organization’s preparedness for facing a cyber-attack, by identifying weak points and providing ways to overcome them. The team’s findings become a tool to inform decision makers about their security program. This means that it is a full-scope assessment, looking at vulnerabilities of the security program by simulating a realistic adversarial attack.

Wargaming also has a long history of being used in military planning, assessment, and training. However, it is applied nowadays to cyber defense as well. It allows organizations to practice their attack and response capabilities while exercising and examining human performance and decision-making in a controlled environment. It entails a scenario-based simulation of common threats such as data breaches, website defacements, DoS attacks or the discovery of malware. Information gained through this interactive exercise can improve event response, platform and application development and selection and integration of defensive technologies in order to reduce risk to an organization’s assets. Thus, such a simulation, by bringing together the Blue Team (defensive cybersecurity experts) and the Red Team (offensive cybersecurity experts), helps organizations assess current and future capabilities, plan, examine possible scenarios and train staff. In this way, organizations can improve their posture against a potential adversary.

As it can be seen, the two techniques have great advantages for every organization, whether governmental or not. Red teaming enables the staff to think like the enemy, looking at its own networks from the perspective of a malicious actor searching for hidden vulnerabilities. Conducting wargaming exercises helps staff identify security approaches that might need improvement, determining the effectiveness of technology in the defense strategy of the specific organization and identifying opportunities for improving future exercises. Moreover, actors involved in such a simulation identify innovative cyber defense technologies that have the potential to improve cybersecurity and reduce risk from cyber threats. These exercises are two-sided and take place in a concrete, real world environment. New technology implemented during wargaming exercises can be evaluated as to how well it protects against certain threats and, the products that prove to come with effective coverage and protection can be considered for further evaluation. Thus, wargaming is a learning activity, helping organizations train their staff to better adapt to a permanently changing landscape of cyber threats.

In today’s rapidly evolving security context, exercising staff and providing constructive feedback on their abilities and response is essential. In this way they can understand their level and improve in order to better adapt in the case of an actual attack. Actively involving staff responsible for cyber defense in wargaming/red teaming activities aids in avoiding the most common culprit when dealing with sophisticated and new techniques used by vicious adversaries: the sense of complacency from the part of staff allowing these actors to keep up with their dangerous work and permanently develop. The effectiveness of adversarial simulation is now acknowledged even at European level. In May 2018, the European Central Bank adopted the Framework for Threat Intelligence-Based Ethical Red Teaming in order to create a standard in using red teaming and incentivizing organizations to use it as a technique to increase their resilience when faced with any type of cyber threat.

Now more than ever, almost every cross-border business transaction has a digital component. Added to this, as a result of the COVID-19 pandemic, the number of businesses using more digital means and individuals who work from home has greatly increased. The rise of the Internet of Things and greater exposure of critical infrastructure add to a complex system of security issues. More complexity means more vulnerability and this growing intricacy of technology leads to more and more threats, this time not only to governments, but also to every organization. Cyber threats hit unexpectedly and spontaneously. Malicious actors are on a permanent quest to come up with new ways to attack and succeed, making it difficult for organizations to adjust their capabilities fast enough. Since security cannot be seen as a perpetual state and there is always the risk of a successful attack, organizations should take charge and invest in training of staff on techniques, tactics and procedures beyond conventional penetration tests. This is where red teaming and wargaming come into play, as our lives are marked by constantly changing demands. Adversary simulation is, clearly, the way to go forward in terms of cyber security approaches.