I read about how Facebook's security staff was recently involved in "red team exercises," which seemed to be an in-depth attack simulation to test its incident response protocol. Could you give some advice on how other organizations could go about enacting similar tests? How far would you say is too far in such a simulation?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Facebook's network and systems are an obvious target for attackers because of the value of hundreds of millions of users accessing its Web presence. Due to Facebook protecting a potential method for attackers to distribute malware to millions of systems, the steps its red team should go through to ensure adequate preparation for a sophisticated attack are much more stringent than those most companies would require. The Facebook red team exercises simulated a compromise of the core of its network and systems to find out how its incident response team would react if it knew its own systems were compromised and not to be trusted. Basically, it was a test involving a worst-case scenario. Ironically enough, shortly after conducting its first two "red team" exercises, several Facebook employee computers were compromised via a Java zero-day attack.
Whether an enterprise can enact tests similar to Facebook's is ultimately dependent on the resources available. How far is too far depends mostly on resources and security requirements, but enterprises with high security requirements like Facebook should devote significant security resources to incident response planning and testing. Exploiting other companies or customers without their permission as a part of an incident response test would cross the ethical boundary, but other companies or customers could be included if permission was given.
According to Facebook, the red team exercises helped it hone its incident response capabilities to minimize the damage from the actual attack that followed. It's an important lesson: If an organization hasn't tested or used its incident response plan, it's bound to encounter issues when the incident response team uses it for the first time. Testing an incident response plan is different from running a penetration test, though they could be interrelated.
If a full-blown red team exercise isn't feasible -- this often requires hiring a third-party organization to act as the attacker -- a tabletop exercise may be a better approach. A tabletop exercise simulates the events of an attack in a mock environment, either on test systems or often merely on paper, and gives the security team and other stakeholders the opportunity to apply an incident response plan step by step.
This was first published in December 2013