As a cyber professional, you quickly get used to the harsh reality that cyber only gets noticed when things go wrong.
However, the life of a cyber professional is very different. Most hours are spent patching vulnerabilities, meticulously tuning detection rules, and rehearsing for incidents that never become known to the public.
This unglamorous but essential work keeps organisations ready, though success is hard to measure. That’s where red teaming shines.
Red team exercises are how cyber practitioners discover whether an organisation’s cybersecurity strategy is ready to handle a breach. So, how do you scope out a red team exercise and ensure it is successful in improving readiness?
What is red teaming? —
Red teaming has existed for decades, alongside vulnerability management and penetration testing, but it’s only one part of offensive security. Today, blurred definitions mean vulnerability assessments are sold as pentests, and pentests as red teaming.
At its heart, a red team is any group that exercises your incident response and detection capabilities. The goal is to put the organisation’s entire security programme through its paces, including people, processes, and technology.
Focusing solely on identifying vulnerabilities and misconfigurations within systems is the function of a pentest, not a red team. Red teams assess people, processes, and technology to reveal gaps that could let attackers go unnoticed.
So, how do you conduct an effective red team exercise?
Step 1: The purpose of the red team exercise —
A red team is designed to answer one very specific question – how will my organisation fare during a real attack?
A red team will typically only ever provide a single attack path and the knowledge of whether your defensive team spotted the attack.
If you have settled on a red team, the next step is to make it realistic; generic exercises are useless. Scoping the engagement specifically to your business is the best way to realise value.
Exercises should be built through a threat-led approach. This means asking yourself: what are the most relevant threats to your organisation? The answer to this can normally be found in your threat intelligence briefings.
Red teaming should also address physical threats, such as planting malicious USBs or exploiting smart building systems. As digital access grows harder, physical intrusion becomes a more viable attack path.
There are also a lot of substandard red team organisations out there, so speak to your industry peers to find out which ones are good. Don’t be put off by the high price tag: a well-executed red team is an expensive investment.
Honest discussions are needed to determine what is appropriate. You don’t want a rushed, half-baked effort that adds no value and could potentially put employees at risk.
Step 2: Preparing the scenario —
It’s important to think carefully about your red team’s objectives and the techniques they’ll be using. Time spent researching and developing the tools for the exercise should happen well in advance of the engagement.
Avoid relying on a single approach and encourage red teams to leverage human curiosity and persistence. Again, the goal is to test strategy and resilience, not to impress with technical novelty.
When running my own red team, I typically try to avoid using zero-day exploits. They offer little value in terms of learning: although threat actors do use zero days in their attacks, there is not much that a blue team can do against the unknown.
Another key consideration for a red team is the escalation path. If the red team is detected, how will you ensure that a full-scale incident is not triggered?
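One way to give the escalation path a concrete checkpoint is a deconfliction register held by exercise control: alerts are still worked as normal, but the escalate-to-full-incident step is paused while the source is confirmed against what the red team declared. This is an added example, not from the article; the register values, hostnames and addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ExerciseRegister:
    """Constructed deconfliction register, held by exercise control (not the SOC)."""
    start: datetime
    end: datetime
    declared_sources: frozenset  # egress IPs / hostnames the red team declared
    control_contact: str


# Constructed values for illustration only
REGISTER = ExerciseRegister(
    start=datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc),
    end=datetime(2024, 5, 10, 18, 0, tzinfo=timezone.utc),
    declared_sources=frozenset({"203.0.113.10", "redteam-c2.example.net"}),
    control_contact="exercise-control@example.org",
)


def triage(alert: dict, reg: ExerciseRegister) -> str:
    """Decide the escalation path for one alert.

    Nothing is suppressed: the alert is investigated either way. Only the
    decision to declare a full-scale incident is gated on exercise control,
    and only when the source matches what the red team declared.
    """
    ts = datetime.fromisoformat(alert["ts"])
    in_window = reg.start <= ts <= reg.end
    src = alert.get("src", "")
    if in_window and src in reg.declared_sources:
        # Likely the exercise: hold the incident declaration, confirm first.
        return f"hold: confirm with {reg.control_contact}"
    # Outside the window, or an undeclared source during the window, is treated
    # as real. A genuine attacker could be active at the same time as the exercise.
    return "escalate"


# Constructed alerts, one per branch
ALERTS = [
    {"ts": "2024-05-07T10:15:00+00:00", "src": "203.0.113.10"},     # declared source in window
    {"ts": "2024-05-07T10:16:00+00:00", "src": "198.51.100.77"},    # undeclared source in window
    {"ts": "2024-05-12T02:00:00+00:00", "src": "203.0.113.10"},     # declared source, but exercise over
]
```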
Finally, consider whether your blue team will be pre-warned about the exercise. Surprise tests simulate the pressures of a real attack but can cause stress.
If you do warn your staff, then consider doing a purple team instead. Your blue team will learn far more from working directly with the red team.
Step 3: Oh no! My red team was caught —
If the red team is caught, that’s fine. In fact, it becomes an opportunity to test the blue team’s response. If the red team remains undetected, have them make more noise to test detection and escalation.
Do they understand the red team’s entry and actions, or just react to a single alert? Can they follow their playbook under pressure, and most importantly, evict them? Nothing’s worse than watching an attacker roam freely while you can’t stop them.
Detection is only the first part of the battle. You also need to be able to communicate, adapt, and educate. Red teaming provides an ideal opportunity to assess and strengthen those skills.
Step 4: How to improve for next time —
Once the exercise is completed, post-exercise analysis is just as important as the execution itself. Simply saying “we ran the test” doesn’t mean the job is done; assessing what happened is key.
Have a debrief: invite the red team and the blue team to discuss what they were doing and why.
These findings then should be put to practical use, from updating individual development plans to implementing new processes or technical solutions that close identified gaps.
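The debrief described here, and the earlier question of whether the blue team understood the red team’s entry and actions or only reacted to a single alert, both come down to lining up the two teams’ timelines. The following is an added example, not from the article: the red team’s action log and the blue team’s alert and eviction timeline are constructed, and the mapping of each alert to a red team action is assumed to have been agreed in the debrief.

```python
from datetime import datetime

# Constructed red team action log (from the operators' own notes)
RED_ACTIONS = [
    {"id": "A1", "ts": "2024-05-07T09:00:00", "action": "phishing email delivered"},
    {"id": "A2", "ts": "2024-05-07T09:42:00", "action": "initial foothold on workstation"},
    {"id": "A3", "ts": "2024-05-07T11:30:00", "action": "credential dumping"},
    {"id": "A4", "ts": "2024-05-07T13:05:00", "action": "lateral movement to file server"},
    {"id": "A5", "ts": "2024-05-08T10:20:00", "action": "data staged for exfiltration"},
]

# Constructed blue team timeline; maps_to is the red action the alert was
# attributed to during the debrief (None for events that are not alerts)
BLUE_EVENTS = [
    {"ts": "2024-05-07T11:55:00", "kind": "alert", "maps_to": "A3"},
    {"ts": "2024-05-07T13:40:00", "kind": "alert", "maps_to": "A4"},
    {"ts": "2024-05-08T15:00:00", "kind": "evicted", "maps_to": None},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def debrief_metrics(red: list, blue: list) -> dict:
    """Detection coverage per red team step, time to detect each detected
    step, the steps that went unseen (entry steps missed means the blue team
    was reacting to later alerts, not the intrusion), and time from first
    alert to eviction."""
    seen = {e["maps_to"]: _t(e["ts"]) for e in blue if e["kind"] == "alert" and e["maps_to"]}
    per_action = []
    for a in red:
        at = seen.get(a["id"])
        per_action.append({
            "id": a["id"], "action": a["action"], "detected": at is not None,
            "minutes_to_detect": (at - _t(a["ts"])).total_seconds() / 60 if at else None,
        })
    first_alert = min((_t(e["ts"]) for e in blue if e["kind"] == "alert"), default=None)
    evicted = next((_t(e["ts"]) for e in blue if e["kind"] == "evicted"), None)
    return {
        "coverage": sum(p["detected"] for p in per_action) / len(per_action),
        "per_action": per_action,
        "undetected_steps": [p["id"] for p in per_action if not p["detected"]],
        "hours_first_alert_to_eviction": (
            (evicted - first_alert).total_seconds() / 3600 if first_alert and evicted else None
        ),
    }
```

The undetected list is the part worth carrying into development plans and detection tuning: here the phishing delivery and initial foothold were never seen, so the blue team was responding to post-compromise activity rather than the entry.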
Red teaming is one of the most effective ways to move beyond compliance and truly measure cyber resilience. When executed well, it improves response times, sharpens decision-making, and prepares organisations for real attacks.

Dave Spencer is Director of Technical Product Management at Immersive.