What are the important considerations in choosing a Red Team (or attack team) for your software system?


It is important to consider the following factors when choosing a Red Team for a software system:

  • Is the team skilled?

A Red Team is a highly specialized penetration testing team whose job is to use a wide set of skills to hack the system and expose not just the software flaws, but also “test the organization’s detection and response capabilities”. 1

The team needs to have razor-sharp skills in a variety of fields. 2 Its members should:

  • Be creative thinkers
  • Be problem solvers
  • Think like malicious hackers
  • Be experts at reconnaissance and stealth
  • Be well-versed in “research attack patterns”
  • Be experts in software and network security
  • Be fluent with new and old pen-testing tools, including but not limited to vulnerability scanners, port scanners, fuzzers…

  • Is the team trustworthy?

The team needs to be trustworthy. They have the same skill sets as malicious hackers and can wreak the same amount of havoc on the systems. The company hiring them should have confidence that they are ethical and are working for the company. Trusting the Red Team is necessary because they:

  • Will be able to access “source code and system documentation” 2
  • Will require “transparency”, as this will lead to “better protection from real attackers” 2
  • Will need full access and permission to try and break the system

  • Does the team have a proven track record?

The Red Team needs to be highly skilled, with a proven track-record of its intelligence, diligence, and ethics.

If the team isn’t competent enough to perform “sophisticated” and deep attacks, their inability to penetrate and break the system can lead to a “false sense of security” 2 in the application. “The results of a penetration testing exercise are only as good as the testers themselves.” 2

  • Does the software system need a Red Team?

This is probably the first factor to consider. Not all software needs a Red Team to test it, and it may prove to be overkill for small projects. Red Team Assessment methods include “Social Engineering (Physical and Electronic), Wireless, External,” 1 and more. A Red Team Assessment is NOT for everyone though, and should be performed by “organizations with mature security programs.” 1
These are organizations that often have penetration tests done, have “patched most vulnerabilities, and have generally positive penetration test results” 1 and have budgeted in the costs, risks, and time that a Red Team requires.