Managing Network Security

Red Teaming and Other Aggressive Auditing Techniques

by Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Many people in the information security industry, myself included, offer Red Teaming services to their clients. In simplest terms, these services provide information on and demonstrations of vulnerabilities, but it isn't really that simple. The real challenge with Red Teaming is getting value for your money.

The cheap and dirty Red Team

Many people believe that the most important impacts of Red Teaming are in the effects of the results on management decision-making. In many cases, the sole purpose of this effort is to provide management with a graphic demonstration of the vulnerabilities faced by the organization. The information security specialists know that there is a big problem, but they are having difficulty making management understand. So they decide to do a sample penetration to make the impact of vulnerabilities clearer. Naturally, they call in a consultant rather than doing it themselves...

If this is what you ask for, it is likely to be what you get. If Joe is honest, he will likely break into some of your systems by going to an Internet-based hacker FAQ and using some of their tools. He'll describe what he did in the write-up, bill you a bunch, and you don't dare stiff him. If Joe is dishonest, the sky's the limit.

The high-priced mediocre Red Team

Suppose you want something a bit more useful. Then we can go to the next level of vendor - the scanner broker. A lot of the big CPA firms offer this service for big money - US$50,000 is considered on the low side. They buy a copy of ISS (Internet Security Scanner) or some other comparable product, and they run scan after scan on your computers, charging you US$150 per hour for a recent college graduate whose work is checked (at US$400 per hour) by someone with three years of experience. The signature comes from a partner in the firm who asserts that you asked them to use ISS and they did and this is the result. If you're lucky, they'll print out a comparison to others who have been scanned, and you can take the paperwork to the big boss and say "I told you so."

The problems with this technology are numerous and have been discussed in other articles, including one in this series (August, 1997 - Penetration Testing?). Basically, the scan tells you about a lot of potential holes, but since you can't possibly afford to fix them all in every system you have, and since fixing them would only get at the tip of the iceberg in terms of the real protection problems you face, it's basically an expensive report with almost no real value.

The high-skills Red Team

High-skills teams are available in small numbers throughout the world. They are fairly hard to find, but they are becoming more popular. The high-skills team comes with high-tech equipment and some semi-custom capabilities. They tend to play by ground rules to limit their impact and the potential for real harm. Don't make the mistake of giving them unlimited license. For example, one of the teams I work with routinely asks whether they are allowed to kidnap anyone to get the job done. They usually get turned down, and they are rarely allowed to torture anyone they kidnap. The point of the exercise is usually to take a few hundred million dollars, to disable a plant, to cause a serious chemical release, or some such thing. The good players make sure that the particular plant is properly safed first to prevent any unnecessary deaths along the way...

High-skills groups typically run from US$50,000 to US$250,000 depending on what the ground rules and objectives are. I've never seen one lose against normal corporate security, but against a top flight protection force, they will probably end up with a few broken bones and some stories to tell - if they live through it.

The super-duper Red Team

You've decided to go all the way and get a real professional job done. Welcome the real experts. The real experts are, let us say, more thorough and more careful than the high-skills teams. For only a few hundred thousand dollars (minimum), the real experts will tell you more than you ever thought you could know about ways to break into your systems. By the time you get past the first hundred or so ways, you will probably tell them to stop. If you wait too long, you may not have anything left. The reports from these groups are very strictly confidential - meaning that, among other things, you cannot tell your boss what the report said in any detail. As the saying goes: "I could tell you... but then I'd have to kill you."

The super-duper teams are not to be toyed with. If you have a real potential for a multi-billion dollar loss or a potential for death to tens of thousands of people, and you want to be very certain that you thoroughly understand the risks so that you can make prudent risk management decisions, this sort of team is a good bet.

There aren't many super-duper teams - perhaps a dozen in the world that fit into the general class - none of them available to just anyone. The demonstrations from the super-duper teams are extremely well controlled. Before they do anything potentially harmful, you will be told precisely the impacts of their demonstrations, all of the side effects that might result, the techniques they will apply, why they work, how they work, and so on. The only surprises here come from the enormous numbers of ways they will find to get around whatever protection you have. I could tell you some startling examples... but then I'd have to...

Value for your money.

Value is in the mind of the beholder. If you feel comfortable with Joe and he gets the job done, there's nothing wrong with using him. In fact, if all you want to do is prove to management that there are holes, Joe is often a good bet. Just - please - check him out first.

The big CPA firms are good for getting management attention, even if the results aren't particularly helpful to you in solving the problems. Top management in big companies tends to buy into anything the big accounting firms say, and in exchange for their fees, they will support your position as long as it is reasonable.

The high-skills teams are valuable - even if a bit risky - because they will give you a realistic report with information that you can use to help you improve protection. They will think up many clever things that most people would never come up with, and they are often better value for the money in terms of finding vulnerabilities and demonstrating them than most of the lower-priced teams.

The super-duper teams are top flight limited global resources. You had better be very serious about your security requirements before you go to them. To date, they have, as far as I am aware, never failed, and they have tested systems that are far more secure than any you are likely to encounter in your lifetime as a security manager. They have custom tools that they develop themselves and that have unique capabilities you are not likely to read about in the newspaper. They are very expensive, but they tell you very precisely what vulnerabilities you face and document your system in a more systematic way than even the system designers probably considered them. In the limit, they are the best value for the investment, but very few people operate at that limit.

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at