I read about how Facebook's security staff was recently involved in "red team exercises," which seemed to be an...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
in-depth attack simulation to test its incident response protocol. Could you give some advice on how other organizations could go about enacting similar tests? How far would you say is too far in such a simulation?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Facebook's network and systems are an obvious target for attackers because of the value of hundreds of millions of users accessing its Web presence. Due to Facebook protecting a potential method for attackers to distribute malware to millions of systems, the steps its red team should go through to ensure adequate preparation for a sophisticated attack are much more stringent than those most companies would require. The Facebook red team exercises simulated a compromise of the core of its network and systems to find out how its incident response team would react if it knew its own systems were compromised and not to be trusted. Basically, it was a test involving a worst-case scenario. Ironically enough, shortly after conducting its first two "red team" exercises, several Facebook employee computers were compromised via a Java zero-day attack.
Whether an enterprise can enact tests similar to Facebook's is ultimately dependent on the resources available. How far is too far depends mostly on resources and security requirements, but enterprises with high security requirements like Facebook should devote significant security resources to incident response planning and testing. Exploiting other companies or customers without their permission as a part of an incident response test would cross the ethical boundary, but other companies or customers could be included if permission was given.
According to Facebook, the red team exercises helped it hone its incident response capabilities to minimize the damage from the actual attack that followed. It's an important lesson: If an organization hasn't tested or used its incident response plan, it's bound to encounter issues when the incident response team uses it for the first time. Testing an incident response plan is different from running a penetration test, though they could be interrelated.
If a full-blown red team exercise isn't feasible -- this often requires hiring a third-party organization to act as the attacker -- a tabletop exercise may be a better approach. A tabletop exercise simulates the events of an attack in a mock environment, either on test systems or often merely on paper, and gives the security team and other stakeholders the opportunity to apply an incident response plan step by step.
Dig Deeper on Information Security Incident Response-Detection and Analysis
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.