Defense in Depth: When Red Teams Break Down

What happens when red team engagements go sideways? The idea of real world testing of your defenses sounds great, but how do you close the loop and what happens if it’s not closed?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our sponsored guest, Dan DeCloss, founder and CEO, PlexTrac.

Thanks to this week’s podcast sponsor, PlexTrac

PlexTrac is a revolutionary, yet simple, cybersecurity platform that centralizes all security assessments, penetration test reports, audit findings, and vulnerabilities into a single location. PlexTrac vastly improves the risk management lifecycle, allowing security professionals to generate better reports faster, aggregate and visualize important analytics, and collaborate on remediation in real-time.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • Don’t make the mistake of red teaming too early. If you don’t have your fundamental security program in place, you’ll be testing out non-existing defenses.
  • If you’re just starting to build up your security program, conduct a vulnerability scan and do some basic patch management.
  • A red team exercise exists to discover risks you didn’t even know about and couldn’t have predicted in your threat model exercises.
  • Have a plan of what you’re going to do after the red team exercise. Just discovering you’ve got problems with no plan to remediate them will not only be a waste of money, but will also breed discontent.
  • Don’t red team just to fill out an audit report. You can do a vulnerability scan for that.
  • Consider moving the red team to purple to actually help the blue team remediate the findings.
  • If you don’t have a plan for remediation you’ll find yourself running the same red team and filling out the same report.
  • Prioritize! The red (now purple) team can greatly help along with those who’ve assessed business risks.
  • First to remediate are the ones that are high impact and easy to execute. The rest is determined by an analysis of likelihood and impact.

Defense in Depth

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.