Red Teaming: 2023 Insights from the Ponemon Institute

There are many ways that organizations prepare to deal with the unfortunate incident of an advanced cyber-attack, but most have unverified confidence that the preparation will be enough unless they’ve invested in Red Teaming. In our recent study with the Ponemon Institute, 2023 Ponemon Institute Report: The State of Offensive Security we discovered that the most mature, elite security organizations frequently turn to Red Teaming to test their worst-case cyber scenarios for a breakdown of how their security postures stack up against real-world adversarial tactics, techniques, and procedures (TTPs). The survey results proved that mature security organizations don’t leave security to chance – they pressure test the people and environments that are often the root of a compromise.

In this blog, we share research findings from all 664 participating IT and security practitioners (as well as highlights from 64% (424 respondents) who currently use Red Teaming) to demonstrate the importance of Red Team implementation, the motivations behind it, and how it helps build sophisticated security organizations now and as the threat landscape continues to evolve in the future.

Research Findings: Red Teaming

With the wide variety of cyber threats bombarding attack surfaces today, it is not surprising that mature organizations routinely turn to Red Teaming to understand how adversaries compromise the environment. In fact, survey results revealed that Red Teaming (47%) is the second most effective offensive security testing strategy behind cloud security testing (57%). Since Red Teaming is tailored to provide simulations and emulations of specific threat actors, tactics, and scenarios, it can bring big ROI against a wide variety of threats. Depending on the needs of an organization, Red Teaming can test for ransomware readiness, simulate an insider threat, evaluate a Blue Team’s ability to detect and stop a particular type of malware and many more types of threats.

FIGURE 1 - Effectiveness of offensive security testing

Red Teaming is not a one size fits all offensive security solution and that is likely what makes it a valuable investment for mature security organizations. It is characterized by versatility and creativity that fuel different types of unique engagements that meet specific goals for tailored security scenarios. In our survey findings, we wanted to dig deeper to understand the types of Red Team engagements that bring the most ROI to mature security organizations.

We discovered that over half (63%) of survey respondents reported that Tabletop exercises were the most preferred type of Red Teaming engagement. Tabletop exercises are used to prepare for cybersecurity incidents by establishing a plan to address weaknesses in the organization’s ability to both prevent and recover from attacks. This is an ideal non-invasive method that brings a variety of stakeholders to the table to enable one-of-a-kind coordination and collaboration across an organization.

Ransomware readiness (55%) followed closely behind tabletop exercises for the most impactful type of Red Team engagement. As we’ve already seen, survey respondents reported that ransomware was the top threat (41%) driving offensive security investments. Both tabletop exercises and ransomware readiness provide solutions that prepare organizations against the inevitability of ransomware attacks and offer tangible recommendations for improved security protocols based on individual organizational nuances and circumstances.

More often than not, people are the weakest link in the cybersecurity chain of an organization. Almost half of survey respondents (47%) reported using Red Team social engineering to test their people against the TTPs of advanced adversaries. While there are many security solutions that test social engineering susceptibility, Red Team engagements always up the ante. They bring heightened levels of knowledge, innovation and subject matter expertise to customize social engineering emulation scenarios that mimic how real-life threat actors take advantage of unwitting employees, opening a door for compromise. The survey results prove that mature organizations prioritize stringent testing of their workforces for social engineering compromises.

FIGURE 2 - Most important Red Team engagements

Preparing for the Future

A strong majority (56%) of survey participants plan to increase investments in Red Teaming in the next one to two years, demonstrating the importance of this offensive strategy for improved security readiness.

FIGURE 3 - Future offensive security investments

Drilling down into the types of investments, the survey results showed that Red Team continuous testing (26%) will continue to be critical for outpacing adversaries in the next one to two years. Continuous offensive security solutions combine the right mix of technology, automation, and human testing to prevent attacks before they can occur.

FIGURE 4 - Frequency of future offensive security testing

Red Teams can be challenging to build from scratch due to the wide variety of skillsets (and personalities) that are needed – unicorns among unicorns. Therefore, we were interested to learn if survey participants planned to funnel future investments into developing their own Red Teams or third parties. About a third of survey respondents reported that they will continue to rely on third parties for Red Team testing; however, 38% plan to invest in building an internal Red Team in the future illustrating the significance of this offensive security capability. Over a third of respondents believe the value Red Teaming brings to the table is worth the challenge to build a permanent, internal team.

FIGURE 5 - Future investments in external or internal Red Teaming

Additional Resources

Red Teaming has a secure future amongst organizations that prioritize offensive security solutions. To follow their lead, learn more about Red Teaming and how it builds mature security programs, check out these resources:

• Avoid Security Heartbreak with Red Teaming
• Ready or Not? Test Your Ransomware Defenses Against Real-World Playbooks
• Combating Ransomware with an Offensive Roadmap
• Getting Red Teaming Right: A How-To Guide
• The Offensive Guide to Ransomware Readiness
• Ready or Not: A Ransomware Self-Assessment