W. Curtis Preston
Contributor

How cybersecurity red teams can boost backup protections

Opinion
Sep 18, 2024 | 6 mins
Backup and Recovery, Data Center, Enterprise Storage

Collaboration between red teams (offensive security) and blue teams (defensive security) can help organizations identify vulnerabilities, test their defenses, and improve their overall security posture.

Cybersecurity red teams are known for taking a more adversarial approach to security by pretending to be an enemy that’s attacking an organization’s IT systems. Let’s look at the tactics, strategies, and importance of red teams and the role they can play in enhancing the security of your backup system.

A cybersecurity red team acts as a group of ethical hackers who simulate infrastructure attacks to identify weaknesses and vulnerabilities that malicious actors could exploit. They go beyond the surface-level depth of most vulnerability assessments and automated penetration testing. By thinking and acting like attackers, red teams provide valuable insights into an organization’s security posture and help develop effective countermeasures. Here are some key aspects of their role.

  • Simulating real-world attacks: Red teams use the same tactics, techniques, and procedures (TTPs) as actual attackers. This approach provides a realistic assessment of an organization’s defenses, both physical and cyber.
  • Identifying hidden vulnerabilities: By thinking creatively and unconventionally, red teams often uncover vulnerabilities that automated tools or standard assessments might miss.
  • Testing incident response: Red team engagements help organizations evaluate their ability to detect and respond to security incidents effectively by showing them what one looks like firsthand.
  • Improving overall security posture: The insights gained from red team exercises can be used to enhance security policies, procedures, and technologies.

How red teams operate

Cybersecurity red teams use a range of tactics and strategies to test an organization’s defenses. Some common approaches include:

  • Social engineering: Red teams often employ social engineering techniques to exploit human vulnerabilities. This might involve phishing emails, phone calls, or even physical attempts to gain unauthorized access. Remember the movie Sneakers, where Robert Redford uses a birthday cake and balloons to slip right past security?
  • Exploiting technical vulnerabilities: Red teams search for and exploit technical vulnerabilities in systems, applications, and networks. I recently spoke to a red team leader who broke into a LAN via the TV in the lobby.
  • Lateral movement: Once initial access is gained, red teams attempt to move laterally within the network, escalating privileges and accessing sensitive data.
  • Evading detection: A key aspect of red team operations is testing an organization’s ability to detect and respond to threats. Red teams use sophisticated techniques to avoid detection by security tools and personnel.
  • Targeting backup systems: As highlighted in a recent podcast episode, backup systems are often overlooked but can be a significant vulnerability – a backup system can access, copy and overwrite any file in the network. Red teams may attempt to compromise backup systems to demonstrate the potential impact of such an attack.

Lessons for the backup folks

The backup system is both a valuable resource and a huge cybersecurity vulnerability. But there are steps you can take to help mitigate that vulnerability and ensure your backup system will survive a cyberattack.

  • The principle of least privilege: Users and systems should have only the minimum level of access necessary to perform their tasks, a practice known as least privilege. Implementing least privilege can significantly reduce an organization’s attack surface and limit the potential damage from a breach. Nowhere is this more true than inside the backup system. Do whatever you can to separate powers between multiple people, and limit what any one person can do.
  • The importance of strong authentication: Another key area that red teams focus on is authentication. Weak passwords and lack of multi-factor authentication (MFA) are common vulnerabilities that attackers exploit. Red teams demonstrate the ease with which these vulnerabilities can be exploited. If your backup system isn’t already using MFA, please enable it immediately.
  • Securing backup systems: Backup systems are critical for disaster recovery and business continuity. However, they are often overlooked from a security perspective. Red teams may target backup systems to demonstrate how attackers could potentially destroy or encrypt backups, making recovery from a ransomware attack much more difficult. Make sure your backup systems are not being overlooked by the cybersecurity team.
  • Collaboration between red and blue teams: Effective cybersecurity requires collaboration between red teams (offensive security) and blue teams (defensive security). While red teams simulate attacks, blue teams are responsible for detecting and responding to these simulated threats. The interaction between red and blue teams creates a continuous improvement cycle. Red team findings help blue teams enhance their detection and response capabilities, while blue team feedback helps red teams refine their tactics to provide more valuable insights. Make sure that when all these tests are running, the backup system is part of that feedback loop.
  • The human element in cybersecurity: While technical vulnerabilities are important, the human element often presents the greatest risk to an organization’s security. Red teams frequently use social engineering tactics to exploit human vulnerabilities, demonstrating the need for comprehensive security awareness training. Please remember that the backup team is often (regrettably) made up of the most junior people in the environment. Make sure they get plenty of cybersecurity training as quickly as possible.
  • Continuous improvement in cybersecurity: Cybersecurity is not a one-time effort but an ongoing process. Threats are constantly evolving, and organizations must adapt their defenses accordingly. Regular red team exercises help organizations stay ahead of emerging threats by continually testing and improving their security posture. Those in charge of the backup system should also be doing their best to make sure their security posture for the backup system is up to date.

Organizations that embrace red team operations and act on their findings are better positioned to defend against cyber threats. However, it’s important to remember that red teaming is just one part of a comprehensive cybersecurity strategy. It should be combined with strong technical controls, employee education, and a culture of security awareness to create a robust defense against cyber threats. And as a key line of defense, the backup system should help lead the charge of cybersecurity testing, training, and improvement.

W. Curtis Preston—known as Mr. Backup—is an expert in backup, storage, and recovery, having worked in the space since 1993. He has been an end-user, consultant, analyst, product manager, and technical evangelist.

He’s written four books on the subject, Backup & Recovery, Using SANs and NAS, and Unix Backup & Recovery.

The opinions expressed in this blog are those of W. Curtis Preston and do not necessarily represent those of Foundry, its parent, subsidiary, or affiliated companies.
