I’m a huge fan of red teams, but they are often so good at what they do that they lose sight of their primary mission: to help the organization reduce cybersecurity risk.
Red teams are employees or contractors who hack into an organization’s computer assets to reveal weaknesses in defenses. In my over 30-year career, the most enjoyable part was when I was being paid to break into someone’s network. I don’t do it now, although I keep my hands slightly wet by creating realistic hacking demos for my presentations. I always worried that I might not be able to do it, but I was always able to break into every place I was paid to. Hacking is relatively easy once you know what tools and techniques to use. Everyone thinks hackers are uber geniuses, but it’s more like being a skilled plumber or electrician.
Every organization should have regular red teaming done against its environment and applications/services/sites. How often is up to the organization, but anything less than once or twice a year borders on negligence. If you don’t do it at all, you are likely to have multiple vulnerabilities that you are not aware of.
The red team needs to be ethical and professional, and it needs to document and communicate all found vulnerabilities. Here’s my advice for a successful red team engagement.