Empowering Tomorrow's Automotive Software
The automotive industry is experiencing change at a tremendous rate. The software-defined vehicle is leading the future of mobility - the car is rapidly becoming an electronic device on wheels. Empowering Tomorrow's Automotive Software will look at how electrification, automation and connectivity are impacting the industry, from changing the development process and software architecture to how data is generated and processed.
The podcast is brought to you by the experts at ETAS, leaders in automotive software.
To learn more, visit etas.com
Produced by ETAS Inc.; Madelyn Downs, madelyn.downs@bosch.com
Imprint and contact information:
ETAS Inc.
15800 N. Haggerty Road
Plymouth, Michigan 48170 USA
contact.us@etas.com
Introduction to Enterprise Red Teaming
ETAS’s Rene Reuter, Product Manager Enterprise Security Systems, and Wolfgang Neufeld, Subject Matter Expert Red & Purple Teaming/Penetration Testing, take us into the world of red teaming (i.e., real-world attack simulations). They talk about all things red teaming – what it is, why you should (or shouldn’t) do it, when to do it, how it’s done – as well as how it differs from pen testing and the pros and cons of internal vs external teams.
If you aren’t familiar with red teaming, or if you have some questions about it, this is a must-listen episode!
Thanks for listening!
- Email us at: contact.us@etas.com
- Learn more about ETAS on our website
- Follow us on LinkedIn: @ETAS
00:00:02 Voiceover
Welcome to the Empowering Tomorrow's Automotive Software Podcast, brought to you by ETAS, a single source of cutting-edge software and hardware solutions that make automotive embedded systems safe, smart, secure, and sustainable.
00:00:15 Voiceover
Each episode, we'll be joined by ETAS and industry experts to discuss how electrification, automation, and connectivity are impacting the automotive industry.
00:00:25 Voiceover
Now, sit back and enjoy the discussion.
00:00:31 Rene Reuter
Hi, welcome everybody.
00:00:33 Rene Reuter
Welcome back to ETAS Empowering Tomorrow's Automotive Software Podcast.
00:00:38 Rene Reuter
Today we are covering the topic of red teaming and we want to give you a little bit of a brief introduction.
00:00:44 Rene Reuter
What is red teaming?
00:00:46 Rene Reuter
Do I need red teaming?
00:00:47 Rene Reuter
How is it conducted?
00:00:49 Rene Reuter
And my name is Rene Reuter.
00:00:51 Rene Reuter
I'm the responsible product manager here at ETAS.
00:00:55 Rene Reuter
for the enterprise security services, mainly covering penetration testing, red, blue, purple teaming engagements, and various consulting services.
00:01:05 Rene Reuter
But today, I'm not alone here.
00:01:07 Rene Reuter
With me, I brought Wolfgang.
00:01:09 Rene Reuter
Wolfgang is our expert in red, blue, purple teaming.
00:01:13 Rene Reuter
So, hi, Wolfgang.
00:01:15 Wolfgang Neufeld
Hi, Rene.
00:01:15 Wolfgang Neufeld
Thank you very much for the introduction.
00:01:17 Wolfgang Neufeld
So, yeah, then to me, I'm Wolfgang Neufeld.
00:01:21 Wolfgang Neufeld
I'm doing security now for about 20 years.
00:01:24 Wolfgang Neufeld
And I've done mostly all kind of different topics.
00:01:28 Wolfgang Neufeld
And what's I think interesting to me is how that all fits together.
00:01:33 Wolfgang Neufeld
So I did penetration testing, I did forensics.
00:01:37 Wolfgang Neufeld
And when I came to Bosch like 10 years ago or that, I also came to the topic of industrial security.
00:01:44 Wolfgang Neufeld
So yeah, and now I'm into red, blue, purple teaming all the way.
00:01:49 Wolfgang Neufeld
writing malware, writing ransomware, doing detections for that kind of stuff.
00:01:55 Wolfgang Neufeld
And I'm really loving it.
00:01:56 Wolfgang Neufeld
And yeah, we hopefully can give you some insights on what is red teaming.
00:02:01 Wolfgang Neufeld
And Rene will start now to try to define that.
00:02:05 Rene Reuter
Yes, to help you a little bit, I'm trying to explain, just in brief words, what is actually the definition of red teaming.
00:02:12 Rene Reuter
So in red teaming, everything revolves around attack simulations.
00:02:17 Rene Reuter
So what do we do there is we try to simulate real-world attacks like we have seen in the past.
00:02:24 Rene Reuter
So to give you an example, you may have heard two years ago, one of the major tier ones in Germany was attacked by an attacker group called LockBit.
00:02:36 Rene Reuter
It's basically a ransomware group.
00:02:39 Rene Reuter
And what they did is they ransomware'd all of, not all, but a huge amount of PCs from Conti's employees and server infrastructure, and basically encrypted all of them.
00:02:52 Rene Reuter
So on top of that, they also stole sensitive information, and they were blackmailing Conti in order to
00:03:00 Rene Reuter
give them back an encryption key so they can decrypt their encrypted data, and they blackmailed them with a huge amount of money.
00:03:10 Rene Reuter
In the end, Conti didn't pay the money to the LockBit group, but afterwards, the LockBit group published a lot of confidential data they've stolen from them.
00:03:24 Rene Reuter
Yeah, so why would you basically want to simulate this kind of attack?
00:03:29 Rene Reuter
So what you want to have is you want to actually detect in an early phase if such kind of an attack is going to happen to your company.
00:03:40 Rene Reuter
And this is why it's crucial to reduce this kind of real-world attack simulations.
00:03:46 Rene Reuter
The question is also for whom would it be and what are the prerequisites for such kind of a red teaming?
00:03:54 Wolfgang Neufeld
So that brings us to the topic of red teaming is not for everyone.
00:03:59 Wolfgang Neufeld
Red teaming is not basic testing.
00:04:01 Wolfgang Neufeld
So you should really have a major organization, a mature organization, with all baseline security defenses in place.
00:04:11 Wolfgang Neufeld
And you should know how to handle an incident already.
00:04:16 Wolfgang Neufeld
So you should have a third, a SOC, detection engineers, all that should be in place.
00:04:22 Wolfgang Neufeld
Be it in your company, with your own employees, or have some
00:04:27 Wolfgang Neufeld
external company that helps you with that.
00:04:29 Wolfgang Neufeld
But if you don't have this, don't even think about doing a red teaming because there are better things that you can do before that.
00:04:37 Wolfgang Neufeld
And it would be a waste of money in most of the times if you do a red teaming.
00:04:42 Wolfgang Neufeld
Red teaming is really then interesting maybe as some kind of
00:04:49 Wolfgang Neufeld
spot awareness.
00:04:50 Wolfgang Neufeld
So if everyone in your company says, no, we are unhackable because we bought something from vendor XYZ, and he said to us, sure, if you just buy the premium version of our product, then you don't have to configure anything and we will detect every security incident.
00:05:10 Wolfgang Neufeld
that is happening in every attack, then it might be also a good thing to use the red teaming to falsify this claim because most of the time this is not right.
00:05:22 Wolfgang Neufeld
But there are other things that you can prove that.
00:05:24 Wolfgang Neufeld
And then red teaming, when do you really should use it?
00:05:28 Wolfgang Neufeld
It's when you have a mature organization and say, okay, now we did everything the way we should do it.
00:05:37 Wolfgang Neufeld
and think, okay, we are well protected.
00:05:40 Wolfgang Neufeld
And now let's see if we can detect an attacker from the outside, and we want to test all our processes and our detections that we have in place, then red teaming is for you.
00:05:53 Wolfgang Neufeld
And it's also important to say red teaming, you should have some kind of open failure culture in your organization.
00:06:01 Wolfgang Neufeld
So if an attacker comes through, and this is most of the time the case,
00:06:06 Wolfgang Neufeld
Even if you have very good protection and very good educated employees, then there should be the will to improve.
00:06:13 Wolfgang Neufeld
So it's a simulation to say, okay, hey, we did it, or the attacker did it.
00:06:19 Wolfgang Neufeld
What could we improve?
00:06:20 Wolfgang Neufeld
How did he slip through?
00:06:22 Wolfgang Neufeld
And then it is done the right way.
00:06:24 Wolfgang Neufeld
If it's done in a blame culture, because red teaming involves something, for example, that is known as initial access,
00:06:34 Wolfgang Neufeld
For that you use social engineering and the employee that clicked the e-mail or input the username and password in that field, it gets blamed.
00:06:44 Wolfgang Neufeld
If you have this kind of culture, then it's not the right thing, I think, for you to use red teaming.
00:06:51 Wolfgang Neufeld
With that, coming to the point, how is it usually conducted in a company?
00:06:56 Rene Reuter
Perfect.
00:06:57 Rene Reuter
Thank you.
00:06:57 Rene Reuter
So as Wolfgang explained to you now, for whom it is necessary and what are the prerequisites,
00:07:03 Rene Reuter
Question is, how it is usually conducted?
00:07:06 Rene Reuter
So speaking of real life, real world attack simulations, they must be structured somehow.
00:07:12 Rene Reuter
So and what we follow there is we follow the so-called TTPs of an attacker.
00:07:18 Rene Reuter
TTP stands for tactics, techniques, and procedures of the attackers.
00:07:24 Rene Reuter
So what we try to do is
00:07:26 Rene Reuter
We try to mimic the attacker as accurate as possible.
00:07:31 Rene Reuter
So using their tools they are using, so the techniques basically.
00:07:36 Rene Reuter
So the exact same kind of attack tools, or we try to reprogram them, and also what kind of commands the attackers are using.
00:07:45 Rene Reuter
So we mimic this as close as possible.
00:07:48 Rene Reuter
But question is also, where do we get this kind of information?
00:07:52 Rene Reuter
Good thing is, we have this already in place.
00:07:55 Rene Reuter
It is from the MITRE Corporation, the so-called ATT&CK framework.
00:07:59 Rene Reuter
So the MITRE Corporation is very famous for the CVE database.
00:08:05 Rene Reuter
What does it stand for?
00:08:06 Rene Reuter
It's the Common Vulnerabilities and Exposure System, and it is maintained by the MITRE Corporation, which is basically funded by the US National Cybersecurity Division of the US Department of Homeland Security.
00:08:20 Rene Reuter
CVEs, you might have heard it.
00:08:22 Rene Reuter
So every time someone finds a vulnerability in an application or an operating system or somewhere else, you can basically request a CVE for that, and it gets published later on by the CVE system of MITRE, and you can read all the specs about the vulnerability there, which was found in that specific application.
00:08:43 Rene Reuter
And the ATT&CK framework is a little bit different.
00:08:46 Rene Reuter
There, basically, you can search for groups like the LockBit group or also direct attacks like a ransomware attack.
00:08:54 Rene Reuter
What kind of groups are using this kind of attack and what kind of TTPs are they using?
00:08:59 Rene Reuter
And there is really written in detail.
00:09:01 Rene Reuter
okay, they execute the following command under Windows to escalate themselves to become admins, stuff like this.
00:09:07 Rene Reuter
So it's very accurate.
00:09:09 Rene Reuter
And this is what we as red teamers do for the preparation for an attack or for a simulation we are going to do.
00:09:16 Rene Reuter
We basically ask the customer what needs to be simulated, and then we structure our simulation, our attack simulation, based on those TTPs.
00:09:27 Rene Reuter
And
00:09:28 Rene Reuter
We have seen this in the past and I think coming back to the LockBit, what I've shared previously, one of the biggest tier ones was compromised of.
00:09:38 Rene Reuter
Question is what next arise?
00:09:40 Rene Reuter
And I think Wolfgang can explain this a little bit more better and more in technical depth like I can do.
00:09:46 Rene Reuter
What is actually the difference between red teaming and penetration testing, Wolfgang?
00:09:51 Wolfgang Neufeld
I'm happy to answer that, but I want to also add something to one more thing, because this is one type of red team we are doing.
00:10:00 Wolfgang Neufeld
So we are trying to simulate exactly what is out there.
00:10:04 Wolfgang Neufeld
So if you ask us to mimic a LockBit for you, we are happy to do that.
00:10:08 Wolfgang Neufeld
But additional to that, we are also able to do a red team and derive more or less from the procedures or the tactics that they have.
00:10:18 Wolfgang Neufeld
and change them a little bit.
00:10:20 Wolfgang Neufeld
Because that's what's always out there.
00:10:23 Wolfgang Neufeld
If you buy some shiny new security product, they say, hey, we have a 100% MITRE detection rate of everything that's out there.
00:10:31 Wolfgang Neufeld
And I believe them.
00:10:33 Wolfgang Neufeld
They might have that if you just copy and paste exactly this command, you are good to go and they will detect it.
00:10:41 Wolfgang Neufeld
And if you have it in a mode that you can't use in real life because there are too many false positives,
00:10:48 Wolfgang Neufeld
But for the test case, you will definitely detect and you might get the 100%.
00:10:53 Wolfgang Neufeld
But what if an attacker changes something?
00:10:55 Wolfgang Neufeld
So this is where our research also hits in.
00:10:58 Wolfgang Neufeld
And for example, there are different ways on how to escalate things on Windows.
00:11:05 Wolfgang Neufeld
And if you just change them slightly, things show then the EDRs are not the 100% security defense that is often told that they would be.
00:11:17 Wolfgang Neufeld
So this is something that we also do.
00:11:19 Wolfgang Neufeld
So in the end, red teaming is about a mission where it's that, okay, steal something, for example, from the CEO, try to ransom one of our PC or two or three of our PCs, and we try to detect it or change some files.
00:11:35 Wolfgang Neufeld
And we can do that either way, either the structured way, which is known, and that should definitely be detected.
00:11:43 Wolfgang Neufeld
or the other way with our research where we do something on top.
00:11:48 Wolfgang Neufeld
Now, back to the point, what is red teaming and what is a penetration test?
00:11:52 Wolfgang Neufeld
Why should I do a red team, which is much more expensive than a penetration test most of the time?
00:11:59 Wolfgang Neufeld
And they are quite different in the end.
00:12:02 Wolfgang Neufeld
If you do a penetration test, you most likely have some kind of product.
00:12:06 Wolfgang Neufeld
You're also talking about some kind of scope, at least with the good
00:12:11 Wolfgang Neufeld
penetration testing companies, you try to define some kind of scope, what should be tested.
00:12:17 Wolfgang Neufeld
And in the end, you most likely try as a company to convince the customer that he should give you all kind of information about the product because in a pentest, you really want to have more likely a white box pentest where you have all the technical details, how it's set up, all the configuration files.
00:12:38 Wolfgang Neufeld
It's about using and finding all kind of bugs in the software.
00:12:44 Wolfgang Neufeld
You really want to find all kind of severe bugs that are, or less severe bugs that are security bugs that are in that software.
00:12:54 Wolfgang Neufeld
You want to find all of them.
00:12:56 Wolfgang Neufeld
And then you get a documentation out of that in the end.
00:13:00 Wolfgang Neufeld
And then you say, okay, here you have 20 critical bugs.
00:13:03 Wolfgang Neufeld
All of them can be misused for all kind of bad things, information disclosure, config file changes, whatever you can think of.
00:13:12 Wolfgang Neufeld
This is the penetration test.
00:13:14 Wolfgang Neufeld
And in the red teaming, if you make one, if you have one vulnerability,
00:13:20 Wolfgang Neufeld
that's enough and the attacker will abuse it.
00:13:23 Wolfgang Neufeld
It's more about then abusing known or unknown security problems that you might have and then try to get the files or whatever the mission is for the red teaming and get things done.
00:13:39 Wolfgang Neufeld
So you don't care about the completeness and you want
00:13:43 Wolfgang Neufeld
to get root or want to be admin of the Active Directory.
00:13:47 Wolfgang Neufeld
It's not about that.
00:13:48 Wolfgang Neufeld
If it's enough to steal the e-mail of the CEO, and if you just need to guess his password and to just infiltrate the secretary in front of him, that's done.
00:14:00 Wolfgang Neufeld
That's your job.
00:14:01 Wolfgang Neufeld
And this is the main difference.
00:14:03 Wolfgang Neufeld
So both make sense.
00:14:04 Wolfgang Neufeld
And the penetration test is mostly done with all the defenses off.
00:14:10 Wolfgang Neufeld
And the red team is there to check if all the processes and also the detections, the technical stuff is right.
00:14:17 Wolfgang Neufeld
So one thing is to detect some kind of thing.
00:14:21 Wolfgang Neufeld
But in red teaming, we have often seen that technical stuff works quite well.
00:14:26 Wolfgang Neufeld
And there's a lot of alarming then.
00:14:28 Wolfgang Neufeld
And hey, some attacker is doing this and that.
00:14:31 Wolfgang Neufeld
But then the process in the end, nobody is doing anything with that information.
00:14:37 Wolfgang Neufeld
And this is also something that is checked with the red teaming.
00:14:40 Wolfgang Neufeld
And for that, it will check both.
00:14:42 Wolfgang Neufeld
And this is what makes red teaming so interesting to see, okay, first thing you have to detect it, but then you also have to react.
00:14:50 Wolfgang Neufeld
And the reaction is something that has to be in time and it has to be done with knowledge and effectively.
00:14:57 Wolfgang Neufeld
And this is where we normally help organizations quite a lot because there is much to improve from our experience.
00:15:06 Wolfgang Neufeld
So, going from there, we mostly talked about enterprise things now, but is red teaming also a thing in the SDV context?
00:15:15 Wolfgang Neufeld
This is what we asked us, and Rene will answer that.
00:15:19 Rene Reuter
Thank you, Wolfgang.
00:15:20 Rene Reuter
So, as Wolfgang already mentioned, so red teaming is quite common in the enterprise slash off-board world with all the cloud servers, with on-premise networks,
00:15:32 Rene Reuter
So since a couple of years, red teaming is quite standardized also for the enterprise off-board world.
00:15:39 Rene Reuter
But question is, now we have the software-defined vehicle, and so the cars are connected more and more.
00:15:46 Rene Reuter
So you have your mobile application on your phone where you can basically see
00:15:52 Rene Reuter
What is the geolocation of your car?
00:15:54 Rene Reuter
Where is it located?
00:15:55 Rene Reuter
What's the fuel consumption?
00:15:58 Rene Reuter
You can even open the trunk via API.
00:16:01 Rene Reuter
You just push a button on your mobile app.
00:16:03 Rene Reuter
So what actually happens there?
00:16:04 Rene Reuter
So you have your mobile application.
00:16:07 Rene Reuter
This basically connects to a back-end system residing somewhere either at the OEM on-premise network or on the cloud or be a hyperscaler, whatever you can think of.
00:16:18 Rene Reuter
And the request is basically then routed throughout the back end towards your car, using usually an API token or some other secret token to actually authenticate you that you're valid.
00:16:32 Rene Reuter
So basically that means
00:16:34 Rene Reuter
The car is not what the car is like 20 years ago, where there were no interconnectivity to other systems.
00:16:42 Rene Reuter
Basically, the car was on its own.
00:16:44 Rene Reuter
So nowadays, if we look a little bit also in the past, there were also hacks possible.
00:16:50 Rene Reuter
So there was a very famous, like 10 years ago, Jeep Cherokee hack by Charlie Miller.
00:16:54 Rene Reuter
I think he manipulated even the brakes in the end.
00:16:57 Rene Reuter
I'm not so familiar with that hack.
00:16:59 Rene Reuter
I'm sorry, can't give any details there.
00:17:01 Rene Reuter
But also, I think two or three years ago, there was one of the famous Tesla 3, Model 3 hacks, where they basically, they found a way to extract this kind of secret token, this API token, from an unauthenticated endpoint.
00:17:19 Rene Reuter
And we're basically misusing this, what I just mentioned before with the examples.
00:17:24 Rene Reuter
to actually determine the geolocation of a Tesla Model 3, they were able to open the trunk, they were able to read a lot of statistics like energy capacity, battery lifetime, how many...
00:17:38 Rene Reuter
charging life cycles the battery has gone through.
00:17:41 Rene Reuter
So a lot of also sensitive information were readable by that.
00:17:45 Rene Reuter
And Tesla provides a huge API for their cars.
00:17:48 Rene Reuter
So if you look it up on Tesla API on their homepage, you will find a very good documentation that basically you can extract a lot of information and also execute commands within Tesla if you have access via this API token.
00:18:05 Rene Reuter
So this is very crucial.
00:18:06 Rene Reuter
So what we see now is the onboard and offboard world, they are more getting closer and closer together.
00:18:13 Rene Reuter
And this would also make sense then to do some kind of real-world attack simulations, covering offboard and onboard as well.
00:18:21 Rene Reuter
But besides the cars, we think there might be also a different kind of attack possible.
00:18:27 Rene Reuter
Instead of attacking directly the car, how about the supply chain, Wolfgang?
00:18:32 Wolfgang Neufeld
Yeah, this is something where we were thinking about, okay, how can we do some kind of red teaming in the SDV context?
00:18:39 Wolfgang Neufeld
And we came up with an attack that we talked about a lot with developers of the SDV.
00:18:47 Wolfgang Neufeld
And yeah, they are using the normal Mac, the normal Windows, the normal Linux system for development for programming their firmware, their software that in the end lands on an ECU.
00:18:59 Wolfgang Neufeld
And if you look at that,
00:19:01 Wolfgang Neufeld
What is the difference to compromise a developer for an SDV context to a normal developer for websites or for cloud things?
00:19:11 Wolfgang Neufeld
Nothing in the end.
00:19:13 Wolfgang Neufeld
So what we came up with was some kind of supply chain attack that simulates exactly that.
00:19:19 Wolfgang Neufeld
So we wanted to infiltrate one of the developers that is developing something for the firmware and then overtake his PC.
00:19:29 Wolfgang Neufeld
and then inject some malicious code into his code base, then hope that the four-eyes principle fails in the end.
00:19:38 Wolfgang Neufeld
This is something that is quite good if you have that as a security principle.
00:19:43 Wolfgang Neufeld
But most of the time, if we are realistic in the end, if a senior developer puts something in and you know that guy, why, and he always writes good code, and then it's in the evening,
00:19:59 Wolfgang Neufeld
most of the time this will go through.
00:20:01 Wolfgang Neufeld
And then everything, the whole security that you have nowadays in the automotive context might be compromised in the end.
00:20:09 Wolfgang Neufeld
Because if you have a signed firmware image that is then distributed over the air in the end to all the automotive systems,
00:20:18 Wolfgang Neufeld
Yeah, they will happily accept this kind of firmware.
00:20:21 Wolfgang Neufeld
So it's mostly about then designing systems and finding out, okay, what can be compromised over there.
00:20:30 Wolfgang Neufeld
are some security measures for sure and safety things that you can't manipulate over that way.
00:20:36 Wolfgang Neufeld
But in the end, it's quite a powerful attack and it could compromise quite a lot of fleets in the end if that goes undetected.
00:20:45 Wolfgang Neufeld
So this is what we came up with.
00:20:47 Wolfgang Neufeld
And
00:20:47 Wolfgang Neufeld
Yeah, we did that for some customers already and it was really interesting to see the outcome in the end.
00:20:57 Rene Reuter
Okay, perfect.
00:20:59 Rene Reuter
Thank you very much for the explanation for this kind of supply chain attack.
00:21:02 Rene Reuter
Sounds really interesting.
00:21:04 Rene Reuter
I do have one last question for you, Wolfgang, which I would like to discuss with you.
00:21:08 Rene Reuter
I think it's not
00:21:10 Rene Reuter
A really easy question because there is no black and white or right or wrong answer directly.
00:21:15 Rene Reuter
But I wanted to discuss with you a little bit the question, what do you think would be preferred, an internal red team or a red team coming from an external or a different company?
00:21:25 Rene Reuter
What would you prefer?
00:21:27 Wolfgang Neufeld
Oh yeah, that's really a difficult question.
00:21:31 Wolfgang Neufeld
And I like both in the end because, we are doing it, of course, we are doing it for Bosch at one point.
00:21:37 Wolfgang Neufeld
So we are also more or less internals.
00:21:40 Wolfgang Neufeld
Also, we are seen as externals as ETAS for them, but we are part of the Bosch group.
00:21:46 Wolfgang Neufeld
We definitely have more information to Bosch than an external.
00:21:52 Wolfgang Neufeld
And so I think it makes sense to have this kind of red teaming also, because in the end, it's more about
00:22:01 Wolfgang Neufeld
It's all about having a skilled attacker.
00:22:03 Wolfgang Neufeld
So if he somehow gets that information and an external can get that information, it all depends on how much time and money he is spending on that, he might get to the knowledge of an internal.
00:22:14 Wolfgang Neufeld
So you're taking a shortcut and then testing from that and having some internal weak spots.
00:22:21 Wolfgang Neufeld
that you think, okay, nobody knows this because he would have to know this and this and that.
00:22:28 Wolfgang Neufeld
And then in the end, okay, but if an attacker knows, then you get compromised, if he somehow gets that information.
00:22:35 Wolfgang Neufeld
So it makes sense, in my opinion, to have an internal team if you can afford it.
00:22:42 Wolfgang Neufeld
But you have to be a quite big company.
00:22:44 Wolfgang Neufeld
It's definitely not something
00:22:46 Wolfgang Neufeld
where you have, if you have a company with less than 50 or 100 employees, don't ever think about building up an internal red team.
00:22:56 Wolfgang Neufeld
This is something for global companies like Bosch and the big ones.
00:23:03 Wolfgang Neufeld
Then it makes sense, in my opinion.
00:23:06 Wolfgang Neufeld
And also to have this on an ongoing basis.
00:23:10 Wolfgang Neufeld
So let's say, okay, we have three or four tests internally,
00:23:14 Wolfgang Neufeld
and see if that works.
00:23:16 Wolfgang Neufeld
And they can also better align some topics where we say, okay, we have heard of this and that security problem.
00:23:25 Wolfgang Neufeld
Hey, dear internal pentest, can you just go that maybe taking some shortcuts, maybe having something, yeah, done quicker than doing the whole alignment with an external partner.
00:23:40 Wolfgang Neufeld
So there are benefits.
00:23:42 Wolfgang Neufeld
And from the other side, the external partners, they really also know what they are doing.
00:23:47 Wolfgang Neufeld
And having a different view on that topic and new ideas, what an internal might be blind to after years, that's also something very valuable.
00:23:58 Wolfgang Neufeld
And then also exchanging the teams with their research, the really, really very good red teamers out there that
00:24:07 Wolfgang Neufeld
more or less can simulate real world advanced persistent threat and real APTs, not something, yeah, real APTs, they can simulate that.
00:24:19 Wolfgang Neufeld
There are a few out there, but they can really do it.
00:24:22 Wolfgang Neufeld
So it makes sense in both ways to me.
00:24:26 Rene Reuter
I totally agree with you, especially for this continuous or continuous red teaming where you have it regularly.
00:24:35 Rene Reuter
There would make sense to have some kind of internal team instead of having this huge external campaigns.
00:24:42 Rene Reuter
But I think where it might make sense to have really an external red team is a part which we have not covered today is basically that red teaming is not only technical.
00:24:52 Rene Reuter
There could also be that you do social engineering engagements.
00:24:56 Rene Reuter
And for that, I would say usually, okay, this must nearly, must be done by an external red team because the chances to get detected because someone knows you, if you're an internal red team, I would say are much more higher than if you're really an external company, nobody knows.
00:25:15 Rene Reuter
But that only covered for this kind of special simulation.
00:25:21 Wolfgang Neufeld
And especially if you do some kind of physical and social engineering.
00:25:25 Wolfgang Neufeld
if you go there and try to break into something, then I know you, okay, then you can already stop.
00:25:33 Wolfgang Neufeld
Yes.
00:25:34 Wolfgang Neufeld
But there is some kind of trust already there, and yeah, and then you falsify.
00:25:39 Rene Reuter
The results, yeah.
00:25:40 Rene Reuter
The results, yeah.
00:25:41 Wolfgang Neufeld
Exactly.
00:25:43 Rene Reuter
Okay, I think we got...
00:25:45 Rene Reuter
the topic red teaming briefly covered.
00:25:48 Rene Reuter
I hope you enjoyed our little introduction to this topic.
00:25:52 Rene Reuter
More will come.
00:25:53 Rene Reuter
So in the next episode, we will talk a little bit more about blue teaming.
00:25:58 Rene Reuter
So what are the defense teams are doing?
00:26:00 Rene Reuter
And then we also planned a third episode where we basically will talk about purple teaming.
00:26:05 Rene Reuter
So bringing it all together.
00:26:07 Rene Reuter
So again, thank you very much for listening.
00:26:09 Rene Reuter
I hope you enjoyed it.
00:26:11 Rene Reuter
Wish you a good one.
00:26:12 Rene Reuter
Bye-bye.
00:26:15 Voiceover
Thank you for joining this episode of the Empowering Tomorrow's Automotive Software Podcast.
00:26:20 Voiceover
Please leave a comment or review with your feedback or what you'd like to hear in future episodes.
00:26:25 Voiceover
To learn more about Automotive Embedded Systems and ETAS's capabilities, visit our website at ETAS.
00:26:31 Voiceover
That's ETAS.com.