Closing your office cuts off several attack vectors—but remote working creates thousands more. Here’s why a red team assessment is so essential right now.
In a red team assessment, a group of hired ethical hackers demonstrate how real-world malicious attackers might use any means available—in person, over the phone, or online—to breach an organization.
The goal: Help those organizations identify their vulnerabilities and close them off.
Red team assessments are well respected because they’ve proven effective. But the new, everything-from-home world resulting from the ongoing health crisis means that the attack surface for organizations has changed, even expanded exponentially. Many businesses have grown from dozens of offices to thousands of home offices.
Which means that no matter how successful the red team model has been, it too needs to change.
Thomas Richards knows. The Synopsys principal consultant and red team practice leader said the crisis has created “a sudden and drastic shift for a lot of companies in a direction they weren’t ready to go—a remote workforce—just so they can continue doing business.”
One stark example: Richards said he knows of one global company that “just had to try to procure thousands of laptops. All these employees who were in offices and had desktops had to shift to working from home. So the company had to get laptops to support them.”
“Think of that supply chain,” he said. “The electronics manufacturers were hitting a supply chain issue with China being shut down two months ago, and now you have all these companies putting in rush orders for basically pallets of laptops. There’s no way it could be done.”
Beyond that is the reality that there is much more involved than simply procuring laptops and shipping them to remote employees. There is also a mad rush “to configure them and develop policies around them,” Richards said.
“Companies were not geared toward allowing people to access the corporate system remotely or through a VPN. Their VPN might not even be able to handle the load that is coming in,” he said.
“With everyone in this freefall, that is where red teaming is even more imperative, to make sure that technological controls and training are in place to prevent a malicious attacker from gaining access to the system.”
The expanded attack surface is apparent in multiple ways, Richards said. Here are just a few areas to be aware of:
The people on your help desk are trained to be helpful to workers needing access to networks, data, and applications, among other things. But even though their instinct is to help, they now need to be suspicious of anyone contacting them.
“I can guarantee that security controls or checks that were put in place are probably going to get bypassed to allow someone to still do their work,” Richards said. “And all it takes is one bad configuration and someone to find it, or someone just to call into the help desk and say, ‘I can’t get access to something,’ and the help desk person is probably going to help them, because that’s what everyone in the company is doing right now.”
“It will probably also take less to authenticate yourself than before, because everyone is scrambling.”
“With everyone shifting things to the cloud, organizations have controlled access to the management or administrative portions of those cloud assets maybe to their corporate IPs,” Richards said. “But now, if their corporate VPN is overloaded, they might allow a home IP to access it. Or they will scale back that control to where you just need some form of authentication or some form of a key.”
“That reduction of the security control can also give a bad attacker that one more step or foothold into your attack surface.”
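The loosening Richards describes, from “management portal reachable only from corporate IPs” to “any source address as long as a key is presented,” is easy to see when the rules are written down side by side. The following is an added example, not code from the article or from Synopsys: a small Python evaluator for admin-portal access rules that contrasts the original corporate-IP control, the emergency relaxation, and a compensating rule that admits off-network sessions only with MFA from an address registered for that user. The CIDRs, user names, `HOME_ALLOWLIST` registry and sample requests are all constructed for illustration.

```python
# Added example, not code from the article or from Synopsys: a toy evaluator for
# cloud admin-portal access rules that contrasts the pre-crisis "corporate IPs only"
# control with the emergency "any source, just a valid key" relaxation and with a
# compensating rule (MFA plus a per-user registered home address).
# Every CIDR, user name and request below is a constructed sample value.
import ipaddress
from dataclasses import dataclass

# Constructed corporate egress range (documentation prefix, not a real network).
CORP_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed per-user registry of home addresses approved for remote admin access.
HOME_ALLOWLIST = {
    "alice": [ipaddress.ip_network("198.51.100.7/32")],
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    has_valid_key: bool   # the API key / credential presented checks out
    mfa_passed: bool      # a second factor was presented on this session


def from_networks(ip: str, networks) -> bool:
    """True if ip parses and falls inside any of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # a malformed source address never matches
    return any(addr in net for net in networks)


def policy_corporate_only(req: AccessRequest) -> bool:
    """Pre-crisis control: valid key AND request originates from a corporate IP."""
    return req.has_valid_key and from_networks(req.source_ip, CORP_CIDRS)


def policy_relaxed(req: AccessRequest) -> bool:
    """Emergency relaxation the article describes: only the key is checked."""
    return req.has_valid_key


def policy_hardened(req: AccessRequest) -> bool:
    """Compensating control: corporate IPs as before; off-network sessions need
    MFA and must come from an address registered for that user."""
    if not req.has_valid_key:
        return False
    if from_networks(req.source_ip, CORP_CIDRS):
        return True
    return req.mfa_passed and from_networks(req.source_ip, HOME_ALLOWLIST.get(req.user, []))


def newly_admitted(requests, old_policy, new_policy):
    """Requests the new policy admits that the old one rejected: the added exposure."""
    return [r for r in requests if new_policy(r) and not old_policy(r)]


# Constructed sample sessions hitting the admin portal.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "203.0.113.40", has_valid_key=True, mfa_passed=False),   # from the office
    AccessRequest("alice", "198.51.100.7", has_valid_key=True, mfa_passed=True),    # registered home IP
    AccessRequest("alice", "192.0.2.200", has_valid_key=True, mfa_passed=False),    # alice's key, unknown origin
    AccessRequest("mallory", "192.0.2.201", has_valid_key=False, mfa_passed=False), # no credential at all
]

if __name__ == "__main__":
    for r in newly_admitted(SAMPLE_REQUESTS, policy_corporate_only, policy_relaxed):
        print("relaxation newly admits:", r.user, "from", r.source_ip)
    for r in newly_admitted(SAMPLE_REQUESTS, policy_hardened, policy_relaxed):
        print("admitted by relaxed rule but not by hardened rule:", r.user, "from", r.source_ip)
```

The `newly_admitted` comparison is the part worth keeping around: run the old and new rules over a day of real portal session logs and the difference is exactly the “one more step or foothold” the relaxation handed out, which is what a red team will go looking for and what a reviewer should sign off on before the change ships.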
At one time, perimeters were defined by things like firewalls. But they have become blurred in recent years with the move to the cloud and the rapid expansion of BYOD (bring your own device). The current situation means they are dissolving altogether.
“The boundary just doesn’t exist,” Richards said, noting that the confluence of many factors amounts to “a perfect storm of potentially bad actors starting to do even more bad things.”
Red teams, Richards said, “need to start talking to organizations now about all of these sudden changes that have to get done immediately, with no lead time. That’s going to mean corners are going to get cut.”
What should organizations do to both expose those corners and stop cutting them?
Richards said organizations should take the same fundamental steps but adapt them to the current reality. These steps include:
A tabletop exercise is a meeting to discuss a simulated emergency “to see what would happen if someone is actually attacking,” Richards said. The idea is to imagine how an attack would play out and see what sorts of defenses or responses an organization has in place. If you haven’t already, now is the time to run a scenario where employees are working at home, not the office.
Threat modeling is based on observations and interviews. The team “looks at the systems, how they are deployed, what the organization is planning to deploy, and asks a bunch of questions about the design and setup to see how that could be abused, or where any misconfigurations could live.”
“From that, the team produces a report,” he said. “It’s all on paper, providing recommendations on how we perceive a system without touching the system.”
A threat model is good preparation for the third element of the evaluation:
“This means hiring a red team to try to break in, amid all this mess,” Richards said. “That would be virtual, of course, because nobody is traveling right now.”
“But the goal is to test your help desk, try to test your corporate endpoints to make sure there are no compromised credentials that would allow someone to get access.”
“All those things are super important right now, and those three activities should help identify the risk that a company might have now in this sudden shift.”
But the need for red team assessments to be virtual suggests a silver lining from the current office shutdown: better physical security. With almost nobody going to the office, it is easier to spot somebody trying to get in. An attacker can’t “tailgate” on a long parade of employees coming back from lunch this afternoon.
“It would definitely be more suspicious right now,” Richards said. “If someone shows up to the office, the first question is going to be, ‘Who the hell are you and why are you here?’”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.