IT Security Red Team Operations: The Raison d’être

Basically I’m hijacking and plundering a superb talk given by J Wolfgang Goerlich at GrrCON 2014 to lay out the heartbeat of this blog, which can be summed up as the raison d’être for IT security Red Team operations.

The following two stand-out quotes lifted from the talk should be shouted from the rooftops:

“Without studying offence we can’t plan for good defence.”

“Without exercising the defence, we have no assurance that it works.”

Simple truths, not emphasised enough in infosec in my opinion.

IT Red Team security operations are a natural response to the above quotes.

What are IT Red Team Operations?

Put simply, they are real-world scenario testing of our security controls and defences.

What is the point of IT Security Red Team Operations?

To answer the question of whether our endeavours to lock down, harden, and otherwise secure our environment are working in the face of real-world attacks.

To exercise security teams, and to develop and build their incident response muscle memory.

To improve detection and mitigation response times.

To quantify our defence-in-depth.

To give defenders knowledge of the Indicators of Compromise left by real-world attacks (insider threat, malware, phishing, etc.) and of how to act and what to do when they see them.

Benefits of IT Security Red Team Operations?

To equip defenders to answer the question of whether they are ready for the [insert today’s media breach headline] breach, and to know their defensive posture.

To unmask attacker techniques and eradicate the FUD and hype surrounding the mysterious sounding Advanced Persistent Threat (APT).

To test specific controls along the path and determine the impact of missing controls.

Final Notes

Goerlich notes that Red Team operations should be performed on a regular basis, in accordance with standard Business Continuity models, and that doing so will garner competitive advantage, which is something I articulated in my LinkedIn profile:

Robust, proven and tested data security will increasingly become a major factor in attracting and retaining customers who are wary of businesses playing fast and loose with their data. Companies known to go beyond security compliance will see their revenue, profit and growth increase.

The presentation below by J Wolfgang Goerlich also gives advice on securing stakeholder buy-in, counteracting push-back, and techniques for engaging with stakeholders.

I’ll be returning to this theme again and again as this blog (and my knowledge) develops, and will include tools, techniques and tradecraft for effective Red Team operations.