Many businesses operate under the illusion that their security controls, policies, and incident response plans will hold firm when tested by the real deal: cybercriminals. Tick-box thinking is a trap. Satisfying compliance frameworks, passing penetration tests, and completing security awareness training once a year does not mean you are safe.

On the contrary, it can mean you have become the CEO, COO or CTO of Never-Never Land, nurturing a comforting fantasy. The last thing you want is to discover, when the bad guys strike (and today they are increasingly sophisticated), that your defences are little more than a misconception.
Red teaming: the only way to know if you are truly defensible
The disconnect between perceived and actual security posture is precisely why red teaming has emerged as an indispensable component of mature cybersecurity programmes. Unlike traditional security assessments, which validate the existence of controls, red teaming reveals whether those controls actually work when facing determined, adaptive adversaries.
Red teaming goes beyond penetration testing. In a nutshell, penetration testing identifies technical vulnerabilities within a defined scope and timeframe, whereas red teaming simulates real-world adversarial campaigns. A red team operates like genuine threat actors, employing social engineering, physical infiltration, supply chain compromise, and advanced persistent threat techniques to achieve specific objectives, whether that is exfiltrating sensitive data, compromising critical systems, or demonstrating the ability to cause operational disruption.
The fundamental difference between the two lies in the approach. A penetration test is announced: its scope, timeframe and rules of engagement are agreed in advance, the defenders know it is happening, and those constraints limit what gets tested. A red team also operates under rules of engagement, but they are agreed with a small control group, the security operations team is not told, and the engagement is defined by objectives rather than a list of target systems. That is what allows it to test not only technical controls, but also detection capabilities, incident response procedures, and the human element that so often represents the weakest link in security chains.
Facing the truth about your defences
Most organisations invest heavily in preventive controls, such as firewalls, endpoint protection, identity management systems, and data loss prevention tools. These controls create a sense of security, reinforced by quarterly vulnerability scans showing declining numbers of high-severity findings.
However, prevention-focused security operates on a fundamentally flawed assumption: that you can eliminate all attack vectors. Red teaming exposes this approach as fallacious. Time and again, red team engagements demonstrate that determined adversaries will find ways through even robust preventative controls. They might phish credentials from an employee working remotely on an unsecured home network. They might exploit a zero-day vulnerability in a third-party application that your scanners cannot detect. They may even brazenly walk into your building carrying a USB device and a convincing story.
What red teaming truly tests is not whether you can prevent every attack (which is not possible), but whether you can detect and respond to attacks in progress before they achieve critical objectives. This shift from prevention to detection and response represents the maturation of cybersecurity thinking, acknowledging that breaches are inevitable, while focusing on minimising their impact.
Testing your detection and response capabilities
Your security operations centre claims 24/7 monitoring. Your incident response plan outlines clear escalation procedures. Your threat intelligence feeds provide indicators of compromise, but do these capabilities actually function when faced with sophisticated adversaries using tactics specifically designed to evade detection?
Red teaming answers this question definitively. A skilled red team will employ living-off-the-land techniques, using legitimate system tools and processes to avoid triggering alerts. They will move laterally through your network at a pace that mimics normal user behaviour. They will exfiltrate data in volumes and patterns designed to blend with legitimate business traffic.
When your security operations team fails to detect these activities, which it often does, the resulting report provides invaluable insights. Perhaps your detection rules focus too heavily on known attack patterns while missing novel techniques. Perhaps your analysts are overwhelmed by alert volumes and miss critical signals. Perhaps gaps in lateral movement detection exist because internal network traffic receives less scrutiny than perimeter activity.
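The low-and-slow tradecraft described above (one lateral hop every few hours, exfiltration in small chunks) defeats the per-event thresholds most default detection rules use. The following is an added example, not code from the article or from BlueVision, showing the same constructed telemetry run through a typical rate-based rule and a size-based rule, which miss it, and then through a baselined rule and a rolling 24-hour aggregate, which catch it. Hostnames, the account name, the addresses (198.51.100.20 and 203.0.113.10 are documentation ranges) and the thresholds are all assumptions chosen for the illustration.

```python
"""Low-and-slow detection: per-event rules versus baselined, long-window rules.

All events below are constructed for this example; they are not real logs.
Event tuple: (timestamp, kind, user, src, dst, nbytes)
  kind == "logon":  an authentication by `user` from host src to host dst
  kind == "egress": an outbound connection from src to external address dst
                    carrying nbytes of data
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 1, 8, 0)   # start of a two-week learning period
T1 = datetime(2024, 3, 15, 8, 0)  # start of the day under investigation


def build_sample_events():
    """Return (baseline, window): two weeks of normal activity, then one day of
    the same activity plus a red team moving laterally one hop every few hours
    and exfiltrating 4 MB every 30 minutes to a single external address."""
    baseline = []
    for day in range(14):
        t = T0 + timedelta(days=day)
        baseline.append((t, "logon", "jsmith", "WS-042", "FS-01", 0))
        baseline.append((t, "logon", "jsmith", "WS-042", "MAIL-01", 0))
        # routine 2 MB sync to a known SaaS address each morning
        baseline.append((t + timedelta(hours=1), "egress", "jsmith", "WS-042", "198.51.100.20", 2_000_000))

    window = [
        (T1, "logon", "jsmith", "WS-042", "FS-01", 0),
        (T1, "logon", "jsmith", "WS-042", "MAIL-01", 0),
        (T1 + timedelta(hours=1), "egress", "jsmith", "WS-042", "198.51.100.20", 2_000_000),
        # lateral movement paced to look like an admin's working day
        (T1 + timedelta(hours=2), "logon", "jsmith", "WS-042", "WS-117", 0),
        (T1 + timedelta(hours=6), "logon", "jsmith", "WS-117", "DC-01", 0),
    ]
    for i in range(48):  # 48 x 4 MB = 192 MB over 24 hours, never one large transfer
        window.append((T1 + timedelta(minutes=30 * i), "egress", "jsmith", "WS-042", "203.0.113.10", 4_000_000))
    return baseline, sorted(window)


def naive_lateral(events, max_hosts=5, minutes=10):
    """Typical rate rule: a user reaching more than max_hosts distinct hosts
    within `minutes`. Returns a list of (user, timestamp) alerts."""
    alerts = []
    logons = [e for e in events if e[1] == "logon"]
    for t, _, user, _, _, _ in logons:
        hosts = {d for (t2, _, u, _, d, _) in logons
                 if u == user and t - timedelta(minutes=minutes) <= t2 <= t}
        if len(hosts) > max_hosts:
            alerts.append((user, t))
    return alerts


def naive_exfil(events, per_event_limit=50_000_000):
    """Typical size rule: any single outbound transfer above per_event_limit."""
    return [(dst, n) for (_, k, _, _, dst, n) in events if k == "egress" and n > per_event_limit]


def known_logon_pairs(baseline):
    """Learn every (user, src, dst) authentication seen during the baseline."""
    return {(u, s, d) for (_, k, u, s, d, _) in baseline if k == "logon"}


def baselined_lateral(events, known):
    """Flag any (user, src, dst) authentication never seen in the learning
    period, no matter how slowly the hops occur."""
    return [(u, s, d) for (_, k, u, s, d, _) in events
            if k == "logon" and (u, s, d) not in known]


def rolling_exfil(events, limit=100_000_000, window=timedelta(hours=24)):
    """Sum outbound bytes per external destination over a rolling window and
    flag destinations whose peak window total exceeds limit. Returns {dst: peak}."""
    by_dst = defaultdict(list)
    for t, k, _, _, dst, n in events:
        if k == "egress":
            by_dst[dst].append((t, n))
    alerts = {}
    for dst, xfers in by_dst.items():
        xfers.sort()
        peak = 0
        for i, (t, _) in enumerate(xfers):
            total = sum(n for t2, n in xfers[: i + 1] if t2 >= t - window)
            peak = max(peak, total)
        if peak > limit:
            alerts[dst] = peak
    return alerts


if __name__ == "__main__":
    baseline, window = build_sample_events()
    print("rate rule:      ", naive_lateral(window))                      # []
    print("size rule:      ", naive_exfil(window))                        # []
    print("baseline rule:  ", baselined_lateral(window, known_logon_pairs(baseline)))
    print("rolling 24h sum:", rolling_exfil(window))
```

The two naive rules return nothing: no ten-minute burst of new hosts ever occurs, and no single transfer approaches 50 MB. The baselined rule surfaces both unfamiliar hops (WS-042 to WS-117, then WS-117 to DC-01), and the rolling aggregate shows 192 MB leaving for one address in a day that the size rule never saw. The design point is that the detection signal lives in the relationship to a baseline and in long-window totals, not in any individual event.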
These failures should not be viewed as embarrassing, but rather as an opportunity for improvement. It is better to discover these gaps through controlled red team exercises than through responding to actual breaches, where the consequences are measured in regulatory fines, reputational damage, and operational disruption.
Be sure to check out the second article in this two-part series, where Christo Coetzer will explore the human element of cybersecurity weaknesses in your business. The article is at www.securitysa.com/26131r
For more information, contact BlueVision: sales@bluevision.co | www.bluevision.co
© Technews Publishing (Pty) Ltd. | All Rights Reserved.