Red Teaming is Vaccination for the Enterprise
I was doing the Twitter thing recently, and someone was talking about red teaming and I had an epiphany: Vaccination and Red Teaming are extremely similar.
Or at least they should be.
Here are some similarities:
The main purpose is to strengthen the defenses
It’s done by exposing defenses to the bad stuff
Its effect weakens over time, so you have to keep doing it
People who refuse to do it are more vulnerable to real attacks
The closer the exposure is to the real thing, the better
Various groups mandate them, and various groups fight that mandate
These are pretty striking to me.
One could argue, however, that most testers just use regular old attacks.
The regulation angle is fascinating as well. All sorts of security standards require that adversarial testing is performed, but very few testing practices can actually mimic the type of attackers that are likely to come after a given target—especially for high-level attackers.
The problem is that real attackers are diverse, and use diverse toolsets, and I’d argue those are more varied (and tame) than the TTPs of security testers. And that in turn results in less immunity to the real stuff when it happens.
So that’d be something like immunizing for a flu strain we saw in 1994, knowing that what’s coming next year won’t look much like it. Anyway, I’m not sure how deeply the analogy holds, but I think it is quite strong as a metaphor.
Basically, if you’re not emulating real adversaries to your WHATEVER then you’re more likely to be blindsided when they actually show up.
Both red teaming and immunization are based on exposure to real threats.
Both weaken in effectiveness over time and therefore require periodic re-application.
Both are being mandated by various groups, and are being carried out with varied levels of effectiveness.
Both have detractors who refuse to participate, and who leave themselves in weakened states as a result.