I read about how Facebook's security staff was recently involved in "red team exercises," which seemed to be an...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
in-depth attack simulation to test its incident response protocol. Could you give some advice on how other organizations could go about enacting similar tests? How far would you say is too far in such a simulation?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Facebook's network and systems are an obvious target for attackers because of the value of hundreds of millions of users accessing its Web presence. Due to Facebook protecting a potential method for attackers to distribute malware to millions of systems, the steps its red team should go through to ensure adequate preparation for a sophisticated attack are much more stringent than those most companies would require. The Facebook red team exercises simulated a compromise of the core of its network and systems to find out how its incident response team would react if it knew its own systems were compromised and not to be trusted. Basically, it was a test involving a worst-case scenario. Ironically enough, shortly after conducting its first two "red team" exercises, several Facebook employee computers were compromised via a Java zero-day attack.
Whether an enterprise can enact tests similar to Facebook's is ultimately dependent on the resources available. How far is too far depends mostly on resources and security requirements, but enterprises with high security requirements like Facebook should devote significant security resources to incident response planning and testing. Exploiting other companies or customers without their permission as a part of an incident response test would cross the ethical boundary, but other companies or customers could be included if permission was given.
According to Facebook, the red team exercises helped it hone its incident response capabilities to minimize the damage from the actual attack that followed. It's an important lesson: If an organization hasn't tested or used its incident response plan, it's bound to encounter issues when the incident response team uses it for the first time. Testing an incident response plan is different from running a penetration test, though they could be interrelated.
If a full-blown red team exercise isn't feasible -- this often requires hiring a third-party organization to act as the attacker -- a tabletop exercise may be a better approach. A tabletop exercise simulates the events of an attack in a mock environment, either on test systems or often merely on paper, and gives the security team and other stakeholders the opportunity to apply an incident response plan step by step.
Dig Deeper on Information Security Incident Response-Detection and Analysis
Related Q&A from Nick Lewis
Conficker malware was found in a German nuclear power plant computer system. Expert Nick Lewis explains the possible impact of malware infections of ...continue reading
OneSoftPerDay, an adware program can install backdoors on PCs, is able to avoid detection from antimalware tools. Expert Nick Lewis explains how to ...continue reading
The hot-patching feature in Windows servers is vulnerable to attacks from APT groups. Expert Nick Lewis explains what hot patching is and how to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.