10 success factors for a Red Teaming Assessment
- Created by TÜV TRUST IT Unternehmensgruppe TÜV AUSTRIA
TÜV TRUST IT, a subsidiary of the TÜV AUSTRIA Group, has compiled 10 success factors for Red Teaming Assessments, i.e. simulated cyber attacks against corporate infrastructures that test their resilience and defence mechanisms:
1. Management commitment
All relevant decision makers (e.g. CEO/managing director, CIO, CISO, data protection officer, works council) must back the project, while no other employees should be informed about the planned exercise.
2. Trust in the service provider
The greater the trust placed in the Red Team, the more valuable the insights gained from the tests.
3. Know-how and versatility of the service provider
A Red Teaming Assessment service provider must demonstrate a great deal of expertise, versatility, experience and tact. Industry knowledge helps in planning the approach.
4. Act flexibly and with agility
Red Teaming Assessments are carried out dynamically and flexibly; there is no fixed schedule. If, for example, details of a new vulnerability that affects the company become public, the Red Team can take advantage of the temporarily enlarged attack surface, just as a real attacker would.
5. Use all instruments of Red Teaming
To obtain as accurate a picture of the security situation as possible, the full range of red teaming methods should be used, including social engineering.
6. Restrictions on production systems
Red Teaming Assessments mainly test production systems. A residual risk of operational impact on those systems cannot be ruled out, so the client must take appropriate precautions.
7. Use auditors unknown to the staff for social engineering
So as not to skew the results, auditors who are not known to the employees should be used, especially for social engineering assignments within a Red Teaming Assessment.
8. A constructive error culture
Companies should not look for a "scapegoat" for identified deficits, but should deal with the weaknesses constructively.
9. Define the rules of engagement
In some cases, systems and applications need to be excluded from the assessment. These exclusions must be clearly defined at the outset.
10. Lessons learned & coaching
All findings should feed into a subsequent Lessons Learned phase, including detailed documentation and reproduction of the individual test steps, so that the identified gaps can be closed effectively and sustainably.
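Factor 9 is the one a red team can partly enforce in its own tooling: before any scanner or phishing run touches a target, the target is checked against the agreed scope, and anything on the exclusion list is refused even if a broader allowlist entry would cover it. The following is an added example in Python and is not part of the TÜV TRUST IT text; the networks, hostnames and the default-deny policy are constructed assumptions for illustration, not details of any real engagement.

```python
"""Rules-of-engagement scope check (added example; constructed sample data).

Policy implemented here (an assumption, not from the original text):
  1. exclusions always win,
  2. a target must be explicitly allowed,
  3. anything else is rejected (default deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Scope:
    """Agreed scope: allowlist plus an exclusion list that takes precedence."""
    allowed_nets: tuple
    allowed_hosts: tuple
    excluded_nets: tuple
    excluded_hosts: tuple


def _split(entries: Iterable[str]) -> Tuple[tuple, tuple]:
    """Sort scope entries into IP networks and hostname patterns."""
    nets, hosts = [], []
    for entry in entries:
        entry = entry.strip().lower()
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.append(entry.rstrip("."))  # not an IP/CIDR: treat as hostname
    return tuple(nets), tuple(hosts)


def build_scope(allowed: Iterable[str], excluded: Iterable[str]) -> Scope:
    a_nets, a_hosts = _split(allowed)
    e_nets, e_hosts = _split(excluded)
    return Scope(a_nets, a_hosts, e_nets, e_hosts)


def _host_matches(host: str, patterns: Iterable[str]) -> bool:
    """A pattern starting with '.' matches that domain and all its subdomains."""
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def check_target(target: str, scope: Scope) -> Tuple[bool, str]:
    """Return (approved, reason) for a single IP address or hostname."""
    t = target.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(t)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in n for n in scope.excluded_nets):
            return False, "excluded network"
        if any(ip in n for n in scope.allowed_nets):
            return True, "allowed network"
        return False, "not in scope"
    if _host_matches(t, scope.excluded_hosts):
        return False, "excluded host"
    if _host_matches(t, scope.allowed_hosts):
        return True, "allowed host"
    return False, "not in scope"


def filter_targets(targets: Iterable[str], scope: Scope) -> Tuple[List[tuple], List[tuple]]:
    """Split a candidate target list into approved and rejected entries."""
    approved, rejected = [], []
    for t in targets:
        ok, reason = check_target(t, scope)
        (approved if ok else rejected).append((t, reason))
    return approved, rejected


# Constructed sample scope: a client /16, one public /24, the corporate domain,
# with a sensitive segment and the payroll system carved out as exclusions.
SCOPE = build_scope(
    allowed=["10.20.0.0/16", "203.0.113.0/24", ".corp.example", "vpn.example"],
    excluded=["10.20.5.0/24", "payroll.corp.example"],
)

if __name__ == "__main__":
    candidates = ["10.20.1.15", "10.20.5.7", "intranet.corp.example",
                  "payroll.corp.example", "198.51.100.4"]
    ok, bad = filter_targets(candidates, SCOPE)
    print("approved:", ok)
    print("rejected:", bad)
```

The check works on the literal target string; a hostname that is in scope may still resolve to an address in an excluded network, so in practice both the name and the resolved addresses are checked before a tool is pointed at the target.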
If these 10 success factors are taken into account, Red Teaming Assessments also pay off economically in the long term, as the project experience of TÜV TRUST IT (www.it-tuv.com) shows: the security level can be raised well beyond what improvements to purely technical security measures achieve.
About TÜV TRUST IT GmbH (TÜV AUSTRIA Group)
TÜV TRUST IT GmbH has operated successfully as an IT-TÜV for many years and is part of the TÜV AUSTRIA Group. From its locations in Cologne and Vienna, the company acts as a neutral, objective and independent partner to business. Its focus is the identification and assessment of IT risks. Its services centre on information security management, mobile security, cloud security, the security of systems, applications and data centres, IT risk management and IT compliance. www.it-tuv.com