In House vs. Outsourced Red Teams (Part 1)
Build or Buy: How should corporations conduct red teams?
In-House or Outsourced Red Teams
In this post we discuss:
Definitions of different types of red team assessments
The two most common approaches to red teaming at large corporations and government entities (in-house and outsourced)
Eight additional less-common approaches that can have equal or greater success, depending on an entity’s security budget, team talent, and vendor expertise
A description of how to use these models as a security manager, both to help individuals grow in their roles and to help the security team grow its performance and capabilities
Factors to consider when deciding which approach(es) to take while red teaming at your organization.
Definitions:
Engagement: A red team operation is often referred to as an engagement. It encompasses the planning, execution, and reporting phases of a red team assessment.
Low-Level Test / Assurance Test: Low-level, small-scale, or assurance tests focus on a specific control or controls (security measures) and are limited in scope. While a full-scale engagement may involve using many different tactics to steal a specific piece of information, an assurance test is more likely to test a specific control, such as an access control point (door, turnstile, security officer). Assurance tests are great opportunities to partner with other security teams: you can provide real-world testing against recent training that security personnel completed, or test new security equipment before it is rolled out broadly. By definition, an assurance test is not a true red team assessment, but rather a targeted test or audit that determines the performance of specific security measures.
Full-Scale Engagement: A holistic and realistic assessment of security measures by a red team, emulating adversarial tactics to meet the adversary’s objective. In plain English, the red team pretends to be the company’s enemy (typically a hostile country or a competitor) in order to target valuable information or items. True adversaries have few constraints in how they target your company, and a full-scale red team engagement should reflect this fact. A full-scale engagement should have as few constraints as possible; the team should be creative in its approach and truly behave as an adversary would while targeting your assets. For a full-scale engagement to live up to the red team motto, “Better us than them,” it is incumbent upon the red team to reflect the tactics, capabilities, and motivations of the adversary. This provides the most accurate picture of when, where, why, and how the company will be attacked, enabling the security teams to best defend it.
Organizations with different needs, budgets, headcounts, internal skill sets, and constraints must decide on a red teaming approach that reflects their reality. Many organizations will take an overly simplistic view and consider only two options: outsourced or in-house.
Outsourced: Hiring consultants to conduct red team assessments and report their findings to you. The red teamer is employed by an outside company that was contracted to test your security.
In-House: Hiring employees, or reallocating existing employees’ time, to conduct red team assessments. The red teamer is employed by the organization they are assessing.
Additional Red Team Models
In reality, there are often better models that adopt a hybrid approach to maximize benefits from both outsourced and in-house. These may include:
Hybrid Operator Model: A small number of in-house operators embed within larger consultant teams on engagements.
Learning Model: The assessment or team is fully led by outside subject matter expert (SME) consultants, with one or two in-house members joining as trainees or operators. The in-house personnel can learn from the experts in real-time as they conduct the assessment. In this case, the organization obtains hands-on real-world training and a red team assessment for the price of a discounted assessment. Why discounted? If an engagement requires eight people and you are providing three of them, that means fewer billable hours for the consultants and a lower overall outsourced cost to your organization. This is a great way to build operator confidence, create new leaders, and help non-red teamers begin to transition to red teaming roles.
Hybrid Mitigation Model: In-house red teamers focus on translating findings (i.e., vulnerabilities) into mitigating actions (i.e., patching those vulnerabilities). They may embed on operations, but mainly in order to understand the security posture and the details of the red team findings so that they can then help fix them.
Outsourced Assurance Model: In-house operators conduct full-scale engagements, while outsourced red team personnel conduct more frequent low-level assessments. This is a good fit when a) you do not trust your outsourced consultants to conduct full-scale assessments against your enterprise, or b) your assets are too valuable to have an outside organization or its personnel knowledgeable about the security measures surrounding them (or, in some cases, when your leadership believes this to be the case).
Assurance Model: Your in-house team focuses on low-level assurance assessments, while your outsourced team conducts full-scale operations.
Outsourced Leadership Model: A consultant with extensive red team experience leads your internal team during an engagement.
Outsourced Operator Model: You manage and control the assessment with in-house leadership, but a portion of the team is made up of outsourced consultants or personnel. This is particularly relevant when you want to test against a specific skill set that is not available in-house.
Academic Model: Several academic security programs in the United States have major red team components. Both students and instructors in these programs hunger for real-world experience and applications of the topics discussed in the classroom. Partnering with an academic program to get low- or no-cost red team assessments can provide both financial and talent-pipeline benefits to your organization. The University of Minnesota’s Master of Science in Security Technologies is an excellent example of this, though I am biased as one of the graduate faculty who teaches risk management and red teaming in that program.
Discouraged Models
Part Time: If you are unable to obtain either external consultants or an in-house red team, a part-time red team can still provide a significant benefit to the organization. This requires security and security-aligned professionals to dedicate a specific percentage of their time to coming together and conducting a red team assessment against the very assets they spend much of their time protecting. There are significant pros and cons to this approach, both of which will be discussed in a future post.
Contingent Worker (CW): Many companies use contractors or contingent workers to staff their security teams. While this may be a less expensive option for the company, you are likely to have trust, loyalty, and capability concerns. For an important, specialized team that identifies the company’s most significant vulnerabilities, you should have either a walled-off third party or a fully in-house team doing the work.
Caveat: I have seen (and even built) successful CW red teams when it is the only option. It takes significant effort and resources to be successful, and your budget is better spent on creating a smaller in-house or hybrid red team.