Five things to look for in a red team/purple team vendor
By Oksana Vassilieva, Senior Manager, Cybersecurity Testing Practice
Offensive cybersecurity, such as red team testing and purple team testing, is a great way to take your cybersecurity to the next level. These kinds of tests can help you identify weaknesses in your network defences and show how a real adversary would chain them together, providing the threat intelligence you need to strengthen your security posture and improve your incident-response capabilities so that you’re better prepared if a real attack occurs.
However, not all offensive security providers are created equal. If you want to get the most value from your red team or purple team exercises, you need to look for a vendor that brings a very specific set of qualities to the engagement.
What is red team and purple team testing?
Red team testing is a targeted attempt to compromise or access your organization’s “crown jewels,” typically your most critical asset(s) or an important piece of intellectual property. Apart from a small group of trusted stakeholders who authorize and oversee the exercise, your in-house security team won’t know when testing is underway, allowing the testers to evaluate your network defences, and your team’s ability to detect and respond, using the same tactics, techniques and procedures (TTPs) as real-world attackers.
Purple team testing is a joint effort by the vendor’s offensive red team and your security operations team (the defensive blue team). The red team runs real-world attack techniques openly, the blue team checks in near real time whether each one was logged, detected and responded to, and detection gaps are fixed and re-tested as they are found. This collaborative approach can help improve your incident monitoring and response capabilities and give you more visibility into your security posture.
The qualities of a great red team and purple team testing vendor
The value of red team and purple team testing to your security operations will depend largely on the vendor. When searching for a vendor, favour the following qualities for best results.
- Technical expertise
The ideal vendor has skills and certifications across many technologies, systems, applications, and cloud environments. They are also familiar with the data security regulations and requirements specific to your industry.
- Leading processes and practices
Knowledge of security frameworks (e.g., MITRE ATT&CK, Unified Kill Chain) and proficiency emulating a range of attack TTPs are both critical to effective testing. The vendor should rely on manual, hands-on testing and customized tools rather than on automated scanners alone: automated tools are useful for coverage, but on their own they leave gaps and miss the vulnerabilities and attack paths that a skilled human operator finds. The vendor should also have the R&D capabilities to create their own tools and customized payloads to emulate advanced attackers. Finally, make sure the vendor works to agreed rules of engagement, with deconfliction and rollback procedures, so that the risk of business disruption during testing is minimized.
- Proven experience
Your vendor should have a track record of successful tests across industries and scenarios, including within your sector. A good vendor will also have a history of going beyond routine checks for known common vulnerabilities and exposures (CVEs) to uncover previously unknown (zero-day) vulnerabilities.
- Responsible data use
Opt for a vendor whose staff hold official security clearances for accessing classified or sensitive information, and that has documented procedures for handling, storing and destroying the data collected during an engagement, so that you can be confident your data won’t be exploited or compromised. Especially if you’re in a highly regulated industry such as finance or healthcare, insist on a vendor that uses in-country staff and infrastructure so that your data won’t leave the country.
- Passion
Because cybersecurity is a complex and ever-evolving field, continuous investment and research are essential to maintain optimal testing and assessment capabilities – and that takes passion. Signs of this in a potential vendor can include team members who regularly present at security conferences or participate in (and win) “capture the flag” competitions and other ethical hacking events.
Should the same vendor handle your penetration testing and red/purple team testing?
Whether you use the same vendor for penetration testing and red/purple team testing or different vendors, there are advantages to each approach.
For instance, a vendor that already performs your penetration testing will be familiar with your organization’s systems, network architecture and security landscape, which can make red or purple team testing more efficient. They’ll also be aware of previous assessments and improvements, giving them valuable insight into trends over time. Plus, a long-term relationship with a vendor can foster better communication and a deeper understanding of your organization’s unique security challenges.
However, a new vendor brings a fresh set of eyes, making them less likely to overlook vulnerabilities or to reuse the same processes without adapting to evolving threats. A separate vendor may also be more objective in their reporting and more likely to reveal major issues that were previously missed. Gathering multiple perspectives by using different vendors can also give you a more comprehensive assessment overall.
Ultimately, it depends on your organization’s unique situation. You’ll need to weigh the advantages of each approach and choose whichever best suits your needs.
Discover Bell’s professional cybersecurity services
Bell has years of experience in the ethical hacking industry and offers the full range of offensive security services. We help you reduce cyber risk and prevent attacks, and our Security Testing & Incident Response Team (STIRT) cybersecurity advisory services review, analyze and recommend proactive measures to improve your security posture. Visit our professional cybersecurity services page to learn more.