Critical Control 17: Red Team Exercises
How do attackers exploit the lack of this control?
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they gain access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared to identify and respond to an attack.
This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercises in the traditional military sense, with three goals: improved readiness of the organization, better training for defensive practitioners, and inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place, and even of those planned for future implementation.
How can this control be implemented and its effectiveness measured?
Vis/Attrib: Conduct exercises to test the readiness of organizations to identify and stop attacks or to respond quickly and effectively.
Vis/Attrib: Ensure systemic problems discovered in Red Team exercises are fully mitigated.
Vis/Attrib: Measure, in particular, how well the organization has reduced the significant attacker enablers (all of which Red Teams count on) by setting up automated processes to find:
- Cleartext emails and documents with “password” in the filename or body.
- Critical network diagrams (Visio .vsd files) stored online and in cleartext.
- Critical configuration files stored online and in cleartext.
- Assessment documents (penetration test and vulnerability reports) stored online and in cleartext.
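The four bullets above describe an automated sweep of file shares for the material a red team looks for first. The following scanner is an added example, not part of the control text or any SANS tooling: it walks a directory tree, flags files by name (password, Visio, config and assessment-report patterns) and by body (the word "password" or a credential assignment), and skips binary files so that a NUL byte inside an office document does not produce a false body hit. The filename and body patterns are assumptions chosen to illustrate the bullets and should be tuned to the organization's naming conventions; the sample share contents are constructed for the demo.

```python
"""Find the cleartext 'attacker enablers' of Control 17 on a file share.

Added example; not part of the original control text. The filename and
body patterns are assumptions chosen to illustrate the four bullets.
"""
import re
import tempfile
from pathlib import Path

MAX_BODY_BYTES = 1_000_000  # read at most the first 1 MB of each file body

# Filename heuristics (assumed patterns, one per bullet in the control).
NAME_RULES = [
    ("password in filename", re.compile(r"passw(or)?d|pwd", re.I)),
    ("Visio network diagram (.vsd/.vsdx)", re.compile(r"\.vsdx?$", re.I)),
    ("config file", re.compile(r"\.(conf|cfg|ini|ya?ml|properties)$|^\.env$", re.I)),
    ("assessment document", re.compile(r"pen[-_ ]?test|assessment|vuln", re.I)),
]
# Body heuristics (assumed), applied only to files that look like text.
BODY_RULES = [
    ("'password' in body", re.compile(r"password", re.I)),
    ("credential assignment",
     re.compile(r"(passw(or)?d|secret|api[_-]?key|token)\s*[=:]\s*\S+", re.I)),
]


def read_text(path: Path):
    """Return the decoded body of a text file, or None if it looks binary (NUL byte seen)."""
    with path.open("rb") as fh:
        data = fh.read(MAX_BODY_BYTES)
    if b"\x00" in data:
        return None
    return data.decode("utf-8", errors="ignore")


def classify(path: Path):
    """List the reasons a single file counts as an attacker enabler (empty list if none)."""
    reasons = [label for label, rx in NAME_RULES if rx.search(path.name)]
    text = read_text(path)
    if text is not None:  # body rules only make sense for cleartext
        reasons += [label for label, rx in BODY_RULES if rx.search(text)]
    return reasons


def scan(root):
    """Walk `root` and map each flagged file (relative POSIX path) to its reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


# Constructed sample share contents for the demo; not real data.
SAMPLE_FILES = {
    "IT/passwords.xlsx": b"PK\x03\x04" + b"\x00" * 16 + b"password list",  # binary: name hit only
    "IT/readme.txt": b"Ticketing system runbook. Call the helpdesk for access.\n",  # benign
    "Eng/datacenter-core.vsd": b"\xd0\xcf\x11\xe0\x00\x00 Visio drawing",  # binary Visio file
    "Ops/app.conf": b"listen = 0.0.0.0:8443\ndb_password = hunter2\n",  # cleartext credential
    "Sec/Q3-pentest-report.txt": b"Finding 1: domain admin password reused on jump host\n",
    "Marketing/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00 password",  # binary: body skipped
}


def build_sample_tree(root):
    """Write the constructed sample files under `root`."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def demo():
    """Build the sample share in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Run against a real share by calling scan() on its mount point; the findings are the input to the "ensure systemic problems are fully mitigated" step above, and the count of hits over time is the measurement the control asks for. Treat body hits as leads rather than verdicts (the word "password" in a policy document is benign), and expect name patterns to need adjustment for localized or project-specific naming.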