by James Stanger | Jul 30, 2018
One of my favorite military movies is The Hunt for Red October. It pales in comparison to serious movies such as Paths of Glory or escapist, revisionist flicks such as Kelly’s Heroes, but it’s still a great popcorn flick.
I love the part when one of the crewmen, Jonesy, explains to the captain that he has just figured out what the Red October, a new, top-secret Soviet submarine, sounds like on sonar. Jonesy says that he keeps hearing an unusual, repeating noise, but the multimillion-dollar computer he uses keeps telling him it’s simply an underground volcano – specifically, a magma displacement.
But Jonesy doesn’t believe the computer. Instead, he examines the signal and washes it through a few filters, revealing that it’s actually the near-silent engines of the Red October. He then tells the captain that he has been able to trace this signal halfway across the ocean and find the bad guy.
“If I can get you close enough … can you track this sucker?” the captain asks Jonesy.
He confidently states, “Yes sir. Now that I know what to listen for, I’ll bag ’em.”
I love the camaraderie between Jonesy and the captain, how Jonesy had an independent, inquisitive mind and how he was able to use evidence to support his assertion that the supposed magma displacement was actually a high-value target, the Red October.
How Penetration Testers Support Cybersecurity Analysts
I’ve been thinking about this scene a lot lately, because over the past couple of years I’ve been talking to a lot of penetration testers, or pen testers, and cybersecurity analysts about red team/blue team exercises and how the red team – the pen testers – is most useful when it works closely with the blue team – the cybersecurity analysts.
Why?
Because the blue team of cybersecurity analysts – who are basically Jonesy – are constantly listening for anomalies and trends. According to Locard’s exchange principle, perpetrators will bring something to the crime scene and leave something behind. In cybersecurity circles, that “something left behind” is usually called an indicator of compromise.
Cybersecurity analysts are tasked with finding these indicators of compromise and hunting for threats using various tools, including Security Information and Event Management (SIEM) tools, log files and intrusion detection tools, to discover hacks in progress. They spend a great amount of time configuring and customizing these sophisticated tools and programs so that the tools can help identify attacks in progress.
But blue team folks can’t do their job well unless they have someone to help fine-tune their approaches and equipment. That’s where the pen testers – the red team – show their value.
By conducting war games and doing pen tests, the red team focuses on the latest techniques to compromise systems. As the blue team listens in on these activities, they then have real-world information that improves their performance.
Why Penetration Testers Get a Bad Rap
For years, pen testers and vulnerability assessment managers have often been seen as romantic warriors or cybersecurity ninjas. They do cool things and (supposedly) use cool-sounding apps like Metasploit and Nmap. But over the years, pen testers got a bit of a bad rap.
One reason is that the valid activity of pen testing was often replaced by mere vulnerability scans. Such scans are useful when properly analyzed, but they cannot be a substitute for a pen tester.
Another reason is that few IT or cybersecurity professionals seem to grasp the symbiotic relationship between the red team and the blue team. But someone such as Jonesy would understand: He can’t learn how to do his job by just reading about something. He knows that he has to dive into the deep water and investigate.
Red Team Efforts Make the Blue Team Better
Over the past few years, it’s been exciting to see how the industry is embracing the relationship between the red team and blue team. At CompTIA, we’ve run mini boot camps and participated in hackathons and capture the flag exercises designed to demonstrate this. And now, in addition to CompTIA Cybersecurity Analyst (CySA+), which certifies blue team skills, this week, we’re releasing CompTIA PenTest+, which certifies red team skills.
So, for those of you who want to become either Jonesy or the person who helps him improve his skills, think of how the red team and the blue team work together:
- Improve SIEM tool performance
- Generate traffic so that blue teams can improve their performance
- Help the security operations center (SOC) focus on high-risk systems
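The article describes the blue team matching indicators of compromise against SIEM and log data, and the red team generating traffic so the blue team can tune its tools. The script below, an added example that is not from the article or from CompTIA, shows that loop in miniature: a small IoC matcher runs over log lines, a red-team exercise records which indicator types it planted, and a coverage check reveals the type the rules miss until the analyst adds the missing field mapping. Every IoC value, hostname, field name and log line is constructed for illustration.

```python
"""Added example: match IoCs against log lines, then use a red-team exercise
to find which IoC types the detection rules do not yet cover.
All indicator values, sensors and log lines are constructed, not real data."""
import re
from dataclasses import dataclass

# Constructed IoC list keyed by indicator type (hypothetical values).
IOCS = {
    "ip": {"203.0.113.45"},                        # documentation range, not a real host
    "domain": {"update-check.example"},
    "sha256": {"deadbeef" * 8},                    # placeholder 64-hex-char hash
    "useragent": {"Mozilla/4.0 (compatible; MSIE 6.0; legacy-agent)"},
}

# Blue-team field map: which log field is compared against which IoC type.
# No field is mapped to "useragent" yet; the exercise below exposes that gap.
FIELD_MAP = {"src": "ip", "dst": "ip", "qname": "domain", "sha256": "sha256"}

# The analyst's tuned map after the exercise: the proxy's "ua" field is now checked.
TUNED_FIELD_MAP = {**FIELD_MAP, "ua": "useragent"}

# Constructed log lines in the form "<timestamp> <sensor> <event> key=value ...".
LOGS = [
    "2018-07-30T10:01:02Z fw01 conn src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2018-07-30T10:01:05Z dns01 query client=10.0.0.12 qname=update-check.example rcode=NOERROR",
    "2018-07-30T10:02:10Z edr01 process host=ws-12 user=alice sha256=" + "deadbeef" * 8,
    '2018-07-30T10:02:30Z proxy01 http client=10.0.0.12 url=/c/beacon '
    'ua="Mozilla/4.0 (compatible; MSIE 6.0; legacy-agent)"',
    "2018-07-30T10:03:00Z fw01 conn src=10.0.0.7 dst=198.51.100.9 dport=80 action=allow",
]

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Alert:
    line_no: int
    sensor: str
    ioc_type: str
    value: str


def parse_line(line):
    """Split a log line into (timestamp, sensor, event, {field: value})."""
    parts = line.split(" ", 3)
    while len(parts) < 4:              # tolerate lines with no key=value section
        parts.append("")
    ts, sensor, event, rest = parts
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(rest)}
    return ts, sensor, event, fields


def detect(logs, iocs=IOCS, field_map=FIELD_MAP):
    """Return one Alert for every mapped field whose value is a known IoC."""
    alerts = []
    for line_no, line in enumerate(logs, start=1):
        _, sensor, _, fields = parse_line(line)
        for field, value in fields.items():
            ioc_type = field_map.get(field)
            if ioc_type and value in iocs.get(ioc_type, ()):
                alerts.append(Alert(line_no, sensor, ioc_type, value))
    return alerts


def coverage_gaps(alerts, exercised_types):
    """IoC types the red team planted that produced no alert at all."""
    return set(exercised_types) - {alert.ioc_type for alert in alerts}


if __name__ == "__main__":
    # What the red team says it planted during the exercise.
    exercised = {"ip", "domain", "sha256", "useragent"}
    before = detect(LOGS)
    print("alerts before tuning:", len(before))
    print("gaps before tuning:", coverage_gaps(before, exercised))
    after = detect(LOGS, field_map=TUNED_FIELD_MAP)
    print("alerts after tuning:", len(after))
    print("gaps after tuning:", coverage_gaps(after, exercised))
```

The useful output is not the alert count but the gap set: the exercise shows that the proxy's user-agent field was never compared against the IoC list, which is exactly the kind of tuning the red team's traffic makes visible. In a real SIEM the field map corresponds to the parsers and correlation rules the analysts maintain, and the exercised set is the red team's record of what it actually did.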
As a result, companies that combine the red team and the blue team will improve their risk management abilities. To put it in Jonesy’s terms: Now that the blue team knows what the bad guys sound like, they’ll bag ’em.
After all, why else would you use a red team? Compliance-based approaches often aren’t effective against all the ways hackers manipulate end users. They might work in some cases, but only for the largest of today’s organizations.
Even then, mere compliance with a security framework or approach doesn’t guarantee much. From the now-ancient Target, OPM and Equifax hacks to the recent health care database breach in Singapore, these incidents illustrate that compliance auditing alone isn’t going to help.
But companies that use their red teams properly will be able to manage risk better. That’s the true importance of the red team. And you don’t even have to think about this in terms of The Hunt for Red October. There are other great movies such as Das Boot, The Enemy Below and Run Silent, Run Deep. Regardless of the movie you like, keep thinking about the interrelationship between the red team and the blue team – and let me know your insights!
Validate your red team skills with the new CompTIA PenTest+.