Hiring a bunch of researchers and bug hunters to break into your network after spending millions of dollars carefully securing it may not seem like the brightest of ideas. But sometimes, conducting a simulated attack on your infrastructure is the best way to surface hidden vulnerabilities in it.

Penetration testing firms and red teams are paid to look at client networks the way a threat actor would. Their mission is to probe and poke at your defenses in search of weaknesses that would let an attacker steal data, sabotage your systems, or conduct espionage. Firms that offer such services thrive on thinking like adversaries and often pride themselves on their ability to breach even the best defenses.

While there is an element of risk in giving such parties free license to attack your network, a well-conducted, well-managed red team exercise can yield substantial benefits, say analysts. Unlike narrower penetration tests, red teaming really involves a full-scale assault on your networks. It may take hours, days, or even weeks. But the information generated from these efforts can go a long way toward bolstering application, system, and network security.

Here are six security goals you can accomplish by hiring a red team.

1. Identify vulnerabilities in applications and systems

One of the primary reasons organizations hire red teams is so that they can identify and close the vulnerabilities that exist in their infrastructure software and systems. A red team exercise can help identify vulnerabilities and exploitable configuration errors in production apps, systems, or the entire infrastructure.

Many of the security firms that offer these services use custom tools and attack methods employed by threat actors to try to find holes in your applications and systems that can be exploited. The goal of these penetration tests is to try to simulate a targeted and persistent attack on your digital assets to see what, if anything, will give. The effort is focused on finding not just weaknesses that provide access to your critical data assets, but also all the ways that an attacker would then be able to exfiltrate them.

Depending on how comprehensive you want it to be, a red team exercise can focus on finding anything from operationally disruptive vulnerabilities in a single mission-critical app to insider threats to weaknesses in your processes, workflows, and supplier, partner and social networks.

“A good red team will not stop at the first vulnerability it finds. The real good engagements are goal oriented where you are telling them, ‘Here are my crown jewels, see if you can get them.’” —John Pescatore, SANS Institute

2. Have a fresh set of eyes to look at your software and systems

Hiring a red team is one way of ensuring that a totally fresh set of eyes takes a look at your network, data, and application security, Pescatore says. A lot of times, internal testing groups know the weak spots in their systems and tend to probe the same spot over and over again.

People who are not familiar with your company’s infrastructure, on the other hand, likely will see your applications and systems very differently from how your security organization sees them. “Their kind of pen testing and their pushing and poking may be totally different from what you have done,” Pescatore says.

That’s one reason, in fact, that so many vulnerabilities in software products are discovered by external bug hunters and security researchers. After all, it’s not as if software companies, especially the giant ones, do not test their products. Many have implemented sophisticated software development lifecycle processes to specifically look for, detect, and mitigate flaws through the entire design and development phase.

The fact that bug hunters are able to find so many flaws in products that have gone through such testing shows the tremendous value that a fresh set of eyes can bring to application security practices, Pescatore says.

Mitigating the flaws uncovered during a penetration testing exercise can go a long way toward strengthening overall application security.

“[One of the] benefits of red-teaming your apps is the learning cycle the developers go through. The exposure of vulnerabilities and perhaps bad coding practices can lead to culture change [in the application development organization].” —Richard Stiennon, IT-Harvest

3. Understand the impact of a security breach

If conducted well, a red team exercise can help you identify the full impact of a compromise. It can expose the multiple ways an attacker would be able to breach your defenses and identify the potential damage that each method could inflict on your data assets.

A well-conducted red team exercise can map assets and processes and show how an attack on one would impact the other. Importantly, such simulations can also expose the financial implications of a breach or an attack on a specific system or portion of your IT infrastructure.

4. Discover weaknesses in your development and testing processes

A red team exercise can expose the fault lines in your development and testing procedures. If a penetration test exposes a bug or several of them in a product you have already tested, it is a clear indication that something is broken or not working the way it should, says Jon Oltsik, an analyst at Enterprise Strategy Group. “You get to see where your development and testing procedures need more work,” Oltsik says.

Most organizations have some skills and processes around developing secure code and testing their application security, he says. Large organizations with mature software development practices often have teams dedicated to identifying and mitigating software vulnerabilities through the app development lifecycle.

“If red teams can still find and exploit vulnerabilities, however, organizations may discover additional areas where they should apply resources.” —Jon Oltsik, Enterprise Strategy Group

The issues may live in the development process, for example, with faulty business logic that is vulnerable to fraud. Or it could be an issue of inadequate testing processes. A red team test might identify, for instance, the need for an organization to do more blackbox testing to identify vulnerabilities in hidden functions, Oltsik says.

5. Test your incident response capabilities

A red team exercise offers a good opportunity to test your real-time incident response capabilities, especially if you conduct it in conjunction with a blue team exercise. Because the red team will be running a simulated attack against your organization, you will have a chance to see how well your detection and mitigation capabilities are likely to work in stopping or mitigating a real attack.

“If the red team takes the time to explain their process and show what they found, then the defenders can learn more about how the attackers get in and then find ways to defend themselves better. You could add the aspect of showing the defenders how you got in. So there can be a training element [to a red team exercise].” —Pete Lindstrom, IDC

6. Demonstrate security controls, justify security spending

Just as a red team exercise can expose vulnerabilities in your infrastructure, it can also demonstrate the robustness of your security controls. If a full-fledged penetration test and simulated attack fail to turn up any major weaknesses in your defenses, there’s a good chance you have some pretty decent ones in place. But having a third-party firm attest to that fact is often—fairly or unfairly—more credible in the eyes of your CIO and CEO than your own claims of improved security, says Pescatore.

Making the case

For the same reason that C-level executives have a tendency to hire consultants to tell them what they could have easily found out from their own staff, the C-suite is more likely to act on an external party’s recommendations than your own. Over the long term, the results of red team exercises can be used to justify increased security spending.
