We implemented a Red Teaming project with Keva, which aimed to find new vulnerabilities in the organisation and provide practical development proposals to improve the organisation’s information security. But what is Red Teaming? How was the project carried out for Keva – and how did Keva benefit from it?
Red Teaming is a data breach activity carried out in the same way as a malicious attack would be carried out. Its purpose is to identify information security vulnerabilities that have been previously overlooked and to demonstrate their effects. Such vulnerabilities often involve human activity, risky operating methods, and structural weaknesses in the IT infrastructure and services’ operational entity.
Project design and determination of frameworks
Red Teaming projects can be implemented in full or with justified restrictions and through different starting scenarios. A typical restriction is to limit the physical premises outside the activity. A good example of a starting scenario is when the target organisation’s employee’s laptop is simulated to end up in possession of the attacker.
Restrictions and starting scenarios were also utilised in connection with Keva’s project. This also allowed observations and results to be focused on issues that were of interest to Keva.
Keva wanted visibility into how its own observation skills and processes concerning information security worked in practice. Overall, the objective was to learn and develop its own information security.
The project is always designed together with the client, and Keva’s white team included Keva’s Information Security Manager Juha Mäkinen and Special Expert Tuomas Vehaskari. By planning together, the project can be implemented to meet the client’s unique needs, in which case it can be implemented at a suitable level, and it can focus on the purposeful subjects.
Usually, achieving a Red Teaming project’s objectives refers to the attacker having access to the client’s main systems and most valuable data. Therefore, one of the main aspects of design is to ensure that the activity does not progress too far at any stage and the client’s core operations are not put at risk.
New energy for the development of information security through observations
As a significant pension operator, Keva has invested in the various sub-areas of information security for a long time. Red Teaming allowed Keva to test the information security entity and for its entire organisation to perceive what being the subject of a targeted attack could mean.
Keva also wanted visibility into how its own observation skills and processes concerning information security worked in practice. Overall, the objective was to learn and develop its own information security.
During the project, new vulnerabilities and risky practices in terms of information security were observed. The activity allowed their potential effects, particularly in combination with other information security weaknesses, to be verified in practice.
– The project was successful. In my own opinion, the most significant added value was the excellent discussion with 2NS’s information security experts about the significance of the Red Teaming results and sensible development measures. As a result, we obtained good development proposals and concrete improvement suggestions. Overall, Keva benefited most from the practical observation of information security risks. The results provided all of Keva even more energy for information security measures, describes Juha Mäkinen, Information Security Manager at Keva.