30 August 2015

CAG 20: Red Team Exercises...

The Consensus Audit Guidelines (CAG) have been public for years and the 20 controls are vital to our enterprise business resilience. One, however, stands out because it cannot be automated and requires a specific, advance Operational Risk Management (ORM) strategy. CAG: Critical Control 20: Red Team Exercises:
Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they burrow deep and expand the number of systems over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
This control goes beyond traditional penetration testing, which typically has the goal of identifying vulnerabilities and showing their business risks. Red Team Exercises are exercises in the traditional sense of military exercises, where the three goals are improved readiness of the organization, better training for defensive practitioners, as well as inspection of current performance levels. Independent red teams can provide valuable objectivity regarding both the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place, and even those planned for future implementation.
We would like to emphasize the importance of executing this strategy beyond the IT and Information Systems within the organization. In any significant business disruption or "incident", whether it be the breach and theft of a database full of "Personal Identity Information" (PII) or the breach of a rear window of a corporate executive's residence to initiate a kidnapping plot, the goal remains the same:
"Attackers use tools to exploit a vulnerability; to create an action on a target, that produces an unauthorized result to obtain their objective."
Think about it for a minute. Whether it be the online digital world or the offline physical environment your organization is operating in today, someone is probing and testing your vulnerabilities. The only possible way for you to discover them before your adversary does is to continuously attack your own business and its assets. And, possibly most importantly, it must be done on a clandestine basis:
clandestine from L. clandestinus "secret, hidden," from clam "secretly," from base of celare "to hide"
What value can be gained from exercises or testing that is conducted with advance warning to your staff or team? Very little. To execute the "Red Cell" approach in a way that effectively improves and increases the resilience of your organization, the strategy execution must remain secret. Yes, of course there will be people placed throughout the organization, in key areas, who know that the exercise or attack on the organization is a planned exercise. However, that is only for safety and liability purposes, and to allow the injection of simulations that increase the effectiveness of the vulnerability testing.

The CAG has 20 controls that are focused on Cyber Defense, and many of these will require manual intervention, planning and effective oversight. Automated tools can only go so far toward the real goal of understanding human behavior during and after a "Real Incident" actually unfolds. In the context of a Red Team exercise, you must include the use of Gavin De Becker's "Elements of Prediction" with your employees and stakeholders:
1. Measurability - How measurable is the outcome you seek to predict?
2. Vantage - Is the person making the prediction in a position to observe the pre-incident indicators and context?
3. Imminence - Are you predicting an outcome that might occur soon, as opposed to some remote time in the future?
4. Context - Is the context of the situation clear to the person making the prediction?
5. Pre-Incident Indicators - Are there detectable pre-incident indicators that will reliably occur before the outcome being predicted?
6. Experience - Does the person making the prediction have experience with the specific topic involved?
7. Comparable Events - Can you study or consider outcomes that are comparable, though not necessarily identical, to the one being predicted?
8. Objectivity - Is the person making the prediction objective enough to believe that either outcome is possible?
9. Investment - To what degree is the person making the prediction invested in the outcome?
10. Replicability - Is it practical to test the exact issue being predicted by trying it first elsewhere?
11. Knowledge - Does the person making the prediction have accurate knowledge about the topic?
This is how and where you extend your physical controls to the actual people who will make the difference before and during a critical incident in your enterprise. Revisit the Consensus Audit Guidelines (CAG) for your enterprise. It just might help you find that one place where the continuity of the business is at risk after a significant disruption, or the one threat that is still hiding in the shadows.