In the second part of this series of articles from BlueVision, we explore the human element: social engineering and insider threats and how red teaming can expose and remedy them. The first article is at www.securitysa.com/26130r

Technical controls can be implemented with reasonable consistency, but humans remain inherently variable and unpredictable. Red teaming comes into its own in testing the human aspect of security, through social engineering campaigns that exploit cognitive biases, authority dynamics and helpful instincts. A well-crafted phishing email might bypass email filtering and exploit an employee's desire to be helpful to apparent colleagues. A convincing pretext call might elicit sensitive information from a help desk analyst who follows inadequate verification procedures. A tailgating attempt might reveal that staff hold doors open rather than challenge unfamiliar faces in sensitive areas.
These scenarios test whether security awareness training has changed behaviour or merely satisfied compliance requirements. They reveal whether your culture genuinely prioritises security or if your policies exist only on paper, while day-to-day operations prioritise convenience and speed.
Red teaming can also simulate insider threat scenarios, demonstrating what a malicious employee with legitimate access could achieve. These exercises often reveal excessive privilege allocation, insufficient segregation of duties and inadequate monitoring of privileged user activity: weaknesses that external penetration testing, which starts from outside the perimeter without legitimate access, cannot identify.
Measuring resilience, not just controls
Traditional security metrics focus on control implementation: the percentage of systems patched, the number of security training hours completed and the mean time to remediate vulnerabilities. These metrics measure activity, not effectiveness. Red teaming provides outcome-based metrics that actually matter: time to detection, effectiveness of containment, accuracy of impact assessment and restoration timeframes.
A red team engagement might demonstrate that, while your organisation patches systems within defined service-level agreements, your detection capabilities give adversaries a 45-day dwell time before suspicious activity triggers an investigation. This finding is far more valuable than knowing that 95% of systems are patched within 30 days, because it reveals the actual period during which adversaries can operate undetected. Patch compliance measures exposure to known vulnerabilities; dwell time measures how long an adversary who gets in by any route, including the phishing and credential abuse described above, can operate before anyone notices.
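The metrics above (time to detection, dwell time and the share of red-team actions that produced any alert at all) can be computed directly from two records every engagement already generates: the red team's own activity log and the SOC's alert log. The following is an added example, not BlueVision's tooling or anything from the original article. It assumes both logs carry a hostname and an ATT&CK-style technique label, and it credits an alert to a red-team action only when the alert is on the same host, for the same technique, and was raised after the action started and within an engagement window (30 days here). The hostnames, technique IDs and timestamps are constructed sample data; the pre-existing alert S1 and the late alert S4 are included to show that alerts which cannot have been caused by the red team are not counted as detections.

```python
"""Outcome-based red-team metrics: time to detection, dwell time and
detection coverage, computed from a red-team activity log and the SOC's
alert log. Added example; not BlueVision's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RedTeamAction:
    action_id: str
    host: str
    technique: str      # ATT&CK-style technique ID (assumed labelling convention)
    started: datetime


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    technique: str
    raised: datetime


# Constructed sample data: what the red team did, and what the SOC raised
# over the same period. Hostnames are hypothetical.
RED_TEAM_LOG = [
    RedTeamAction("A1", "ws-fin-07", "T1566.001", datetime(2024, 3, 1, 9, 12)),
    RedTeamAction("A2", "vpn-gw-01", "T1078",     datetime(2024, 3, 1, 18, 40)),
    RedTeamAction("A3", "fs-01",     "T1021.002", datetime(2024, 3, 3, 11, 5)),
    RedTeamAction("A4", "dc-01",     "T1003.001", datetime(2024, 3, 10, 2, 30)),
    RedTeamAction("A5", "fs-01",     "T1048",     datetime(2024, 3, 12, 22, 15)),
]
SOC_ALERTS = [
    # Raised before A1 started: unrelated, must not be credited to the red team.
    Alert("S1", "ws-fin-07", "T1566.001", datetime(2024, 2, 28, 14, 0)),
    Alert("S2", "dc-01",     "T1003.001", datetime(2024, 3, 11, 9, 0)),
    Alert("S3", "fs-01",     "T1048",     datetime(2024, 3, 13, 8, 0)),
    # Same host/technique as A3 but raised long after the engagement window.
    Alert("S4", "fs-01",     "T1021.002", datetime(2024, 4, 20, 10, 0)),
]


def match_alert(action, alerts, used, window):
    """Earliest unused alert on the same host for the same technique, raised
    at or after the action started and within `window`. An alert raised
    before the action cannot have been caused by it."""
    candidates = [
        a for a in alerts
        if a.alert_id not in used
        and a.host == action.host
        and a.technique == action.technique
        and action.started <= a.raised <= action.started + window
    ]
    return min(candidates, key=lambda a: a.raised) if candidates else None


def _median(deltas):
    s = sorted(deltas)
    n = len(s)
    if n == 0:
        return None
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


@dataclass
class OutcomeMetrics:
    coverage: float                  # fraction of actions that produced a credited alert
    time_to_detect: dict             # action_id -> timedelta, detected actions only
    median_time_to_detect: Optional[timedelta]
    dwell_time: Optional[timedelta]  # first action start -> first credited alert
    undetected: list                 # action_ids with no credited alert


def outcome_metrics(actions, alerts, window=timedelta(days=30)):
    """Credit each action to at most one alert, earliest first, then summarise."""
    used, ttd, undetected, first_detection = set(), {}, [], None
    for action in sorted(actions, key=lambda a: a.started):
        alert = match_alert(action, alerts, used, window)
        if alert is None:
            undetected.append(action.action_id)
            continue
        used.add(alert.alert_id)
        ttd[action.action_id] = alert.raised - action.started
        if first_detection is None or alert.raised < first_detection:
            first_detection = alert.raised
    start = min(a.started for a in actions) if actions else None
    return OutcomeMetrics(
        coverage=len(ttd) / len(actions) if actions else 0.0,
        time_to_detect=ttd,
        median_time_to_detect=_median(list(ttd.values())),
        dwell_time=(first_detection - start) if first_detection else None,
        undetected=undetected,
    )


if __name__ == "__main__":
    m = outcome_metrics(RED_TEAM_LOG, SOC_ALERTS)
    print(f"detection coverage: {m.coverage:.0%}")
    print(f"median time to detect: {m.median_time_to_detect}")
    print(f"dwell time before first credited alert: {m.dwell_time}")
    print(f"undetected actions: {m.undetected}")
```

On the constructed data the phishing, VPN login and lateral movement all go unnoticed; the first credited alert is the credential-dump detection on the domain controller, nearly ten days after the initial access. That gap, not the patch figure, is the number the incident response team has to live with. The 30-day window and the same-technique rule are deliberate choices: loosen them and unrelated alerts start being credited as detections, which flatters the SOC and hides exactly the blind spot the exercise is meant to expose.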
Similarly, measuring how quickly and effectively your incident response team contains a simulated breach provides genuine insight into organisational resilience. For example, can you:
• Isolate compromised systems without causing unnecessary operational disruption?
• Preserve evidence while containing the threat?
• Accurately scope the breach to determine which data or systems were affected?
These capabilities determine whether a security incident remains manageable or escalates into a crisis.
Driving meaningful security improvements
The ultimate value of red teaming lies not in the exercise itself, but in the improvements it drives. A comprehensive red team report should provide actionable recommendations prioritised by the demonstrated risk they address. These recommendations often challenge existing security strategies, revealing investments that offer minimal security value and highlighting gaps in critical areas.
Organisations embracing red teaming move beyond checkbox compliance towards genuine security maturity. They accept that testing by adversarial simulation provides the most reliable assessment of defensive capabilities. They create feedback loops in which red team findings inform security architecture decisions, detection engineering priorities, and updates to incident response procedures.
This continuous improvement cycle, where defences are repeatedly tested and refined through adversarial simulation, represents the only reliable path towards genuine defensibility. Without this testing, organisations remain blind to the effectiveness of their security investments, discovering their true security posture only when facing real adversaries under the worst possible circumstances.
Embracing adversarial testing
The question is not whether your organisation can benefit from red teaming, but whether you can afford to operate without it. In an environment where sophisticated threat actors constantly evolve their techniques and where the cost of breaches continues to escalate, understanding your actual defensive capabilities is not optional; it is essential.
Red teaming reveals uncomfortable truths, exposing gaps between security perception and reality. However, these truths are gifts, offering opportunities to strengthen defences before adversaries exploit them. Organisations that embrace regular red team engagements demonstrate security maturity and a realistic understanding of risk that their peers lack.
Ultimately, the only way to know if you are truly defensible is to be attacked by skilled adversaries who choose their own path rather than follow a test script. The choice is whether those adversaries are your red team, operating under agreed rules of engagement with the goal of making you stronger, or genuine threat actors whose objectives involve maximum damage. The former provides an opportunity for growth; the latter, a lesson learned too late.
| Email: | sales@bluevision.co |
| www: | www.bluevision.co |
© Technews Publishing (Pty) Ltd. | All Rights Reserved.