CMMC CA.4.227 - Periodically Perform Red Teaming against Organizational Assets

Requirement text: CA.4.227: Periodically perform red teaming against organizational assets in order to
validate defensive capabilities.

DISCUSSION FROM SOURCE: CMMC
Red Teaming is a specialized type of assessment conducted against an organization’s
architecture with the goal to emulate adversary actions. This practice is focused on
performing red teaming for the purpose of validating defensive capabilities in place (access
controls, email protections, network segmentation, firewalls, and the defensive tools that
help monitor all activities). It is recommended that red teaming events be coordinated with
the defensive cyber teams of an organization in order to validate defensive cyber capabilities.
This testing will help shape where defensive resources are allocated and where funding is
needed to improve the overall security posture of the organization. This activity includes
some vulnerability analysis, similar to a pentesting effort, but the main purpose is to validate
that defensive security mechanisms are providing the information needed to identify, disrupt, or
thwart attacks on the network. Any and all findings need to be rolled into a prioritized
security plan based on risk, cost, and time to implement.

CMMC CLARIFICATION
This practice focuses on red teaming an organization for the purpose of validating defensive
cyber capabilities focusing on identifying or thwarting attacks. As the red team performs
tests against the organization, the red team is also working with the organization’s cyber
defender(s) in order to help validate the defensive capabilities against the attacks used. This
is a completely transparent relationship where the red team works with the organization’s
cyber defenders in order to identify areas that need improvement. While large corporations
may have internal teams perform this testing, a lot of small companies will lack the in-house
expertise to perform red teaming properly. Third-party adversarial assessment teams can
be used in this case. Rules of engagement will need to be generated prior to testing in order
to define the bounds of the testing, to make sure test teams know to what levels they
may perform testing, and to make sure the in-bounds assets are defined. The red team and
cyber defense teams need to keep in mind that they are working together to find gaps,
identify misconfigurations, and help improve the cyber defenses of the organization.

Red teams are typically asked to test environments from outside the enterprise and work
their way in. It is recommended to allow red teams to perform testing from inside the
environment as well, acting as if the outer perimeter protections have been breached, even
if they are considered secure. The best results will be achieved when the red team is given
the architectural knowledge of the environment being tested. When completed, the
organization should have a better understanding of any cyber defense shortfalls, and be able
to prioritize implementing changes as needed.

Example 1
You are the CISO for an organization and want to make sure your new endpoint tools are
working to provide your defensive cyber operations with the information they need to
identify an attack. You have an internal red team that performs several no-notice attacks on
a select few end-user laptops. You find out that two out of three attacks are identified by
capabilities already in place. You also learn that the third attack is successful and your DCO
team is not provided enough information to determine that it happened. You ask your security
engineers to modify the configuration of the tool and have your red team rerun the tests.
Your DCO team can now identify the third attack, and the tests are based on the latest TTPs provided
by your intelligence service. You are now confident in your team’s ability to see actions of
this nature and trust your DCO team will identify them if they occur.

Example 2
You are the CISO of a small organization and want to hire a red team to help test your security
solutions in place. You find a well-suited commercial company to provide you with red team
services. You have them perform their testing three times a year to validate that your DCO team
is able to identify specific attacks based on threat intelligence feeds your organization is
currently receiving. The commercial red team is introduced to your defensive cyber folks,
and they plan the tests and start working on identifying any shortfalls in defensive cyber
operations. The red team provides you a report at the end of each test phase, and you use
the report to plan and implement modifications to your security posture.

References
• CMMC
• CIS Controls v7.1 20.3
• NIST SP 800-53 Rev 4 CA-8(2)
