This case study sheds light on why and how Red.es, the ccTLD registry for .es, set up the “Red Team Service”.
Objectives
To evaluate the effectiveness of the organisation’s cyber defence measures by seeking exploitable weaknesses in systems, processes, and people, and to work jointly with the organisation to reduce these weaknesses and the impact associated with their potential exploitation.
Implementation
The service was launched by hiring cybersecurity services specialised in ethical hacking. These professionals operate with the utmost confidentiality, without the knowledge of the rest of the organisation, and report only under very specific circumstances to the very small group of people that make up the White Team. The White Team consists of individuals with high decision-making capacity; its sole purposes are to approve certain Red Team operations and to prevent a detection by the defensive cybersecurity services from escalating into a cyber crisis.
The Red Team is allowed to perform any activity aimed at compromising the organisation’s cybersecurity: deceiving, manipulating people, using exploits, taking advantage of vulnerabilities, physically infiltrating, creating traps, etc.
However, they need prior approval to act in three situations: when they foresee accessing confidential personal information; when they have to execute actions that could degrade or interrupt a service; when they have to perform an action that is destructive and irreversible.
Even in these cases the Red Team may still perform the action, but the White Team must decide beforehand whether or not to authorise it, after analysing the risks and potential benefits.
Simultaneously, it was necessary to make modifications to the organisation’s processes, procedures, and internal regulations to define the White Team, the Red Team, the Blue Team (defensive cybersecurity team), and the Purple Team (a mixed team of individuals from the Red Team and Blue Team who work together after Red Team exercises to jointly design measures aimed at increasing the cybersecurity level of Red.es).
Since Red.es relies heavily on third parties to which it has outsourced its infrastructures and services, it was also necessary to adapt their respective contracts to permit the Red Team’s activities against those infrastructures and individuals, which, from the moment they become suppliers to the organisation, are part of its supply chain.
Outcome / impact
The incorporation of an offensive cybersecurity team, or Red Team, into the organisation has marked a significant turning point. Firstly, as a direct benefit, many vulnerabilities at all levels have been discovered and addressed. But perhaps more importantly, it has led to a qualitative leap in the organisation’s cybersecurity culture. Currently, undergoing such activities is viewed positively, and the findings are treated as opportunities for improvement by those affected. Overall, the false sense of security has been abandoned, and a more critical, proactive, and comprehensive attitude towards the organisation’s cybersecurity has been adopted.