Cybersecurity is moving away from threats, vulnerabilities and exploits as the management metaphor and towards risk-based cybersecurity management. In risk terminology,
penetration testing is a standard detective control used in cybersecurity risk assessment. A penetration test is an authorized, simulated attack on a computer system, carried out from outside the organization. Its main role is to audit the system and evaluate the state of its security controls.
Red teams are similar but approach the problem from a different direction. They draw on an understanding of the organization’s policies, processes and defenses to provide insight into vulnerabilities and into the effectiveness of the controls in place. Because they work with internal access and internal knowledge, red teams can provide deeper cyber risk insight, but they are considerably more expensive.
Another key differentiator between the two approaches is that pen testing is a “black-box” approach to cyber risk assessment, whereas red teaming is “white-box”. White-box access lets red teams be more thorough but also makes them more expensive. Black-box pen testing is more standardized and more affordable. Breach and Attack Simulation (BAS) is another black-box method. It promises to increase standardization and lower the cost of pen testing through automation, but BAS automation also has a dark side: automated exploitation of vulnerabilities on a live production system can cause unplanned outages and can damage the device or process that hosts the vulnerability. For that reason a BAS run against production needs the same scoping, change control and rollback planning as a manual test.
That brings us to blue teams. Cybersecurity blue teams were first proposed as the counterpart that designs defensive measures against red team activities. Blue teams conduct systematic examinations of cybersecurity controls to assess their effectiveness, identify security deficiencies, predict the effectiveness of proposed security controls, and confirm the effectiveness of those controls after implementation. Like red teams, they are “white-box” and expensive.
Clearly, cyber risk management through an integrated red team, white-box and blue team approach is preferable to black-box methods (pen testing or BAS) on their own. The right way to advance cyber risk as the primary management paradigm for cybersecurity is to lower the cost of red, white and blue through automation, and to use them as the basis for a risk management approach to cybersecurity.