To keep up with the emerging threats, red team engagements were designed to shift the focus from regular penetration tests into a process that allows us to clearly see our defensive team's capabilities at detecting and responding to a real threat actor. They don't replace traditional penetration tests, but complement them by focusing on detection and response rather than prevention.

Red teaming is a term borrowed from the military. In military exercises, a group would take the role of a red team to simulate attack techniques to test the reaction capabilities of a defending team, generally known as blue team, against known adversary strategies. Translated into the world of cybersecurity, red team engagements consist of emulating a real threat actor's Tactics, Techniques and Procedures (TTPs) so that we can measure how well our blue team responds to them and ultimately improve any security controls in place.

Every red team engagement will start by defining clear goals, often referenced as crown jewels or flags, ranging from compromising a given critical host to stealing some sensitive information from the target. Usually, the blue team won't be informed of such exercises to avoid introducing any biases in their analysis. The red team will do everything they can to achieve the goals while remaining undetected and evading any existing security mechanisms like firewalls, antivirus, EDR, IPS and others. Notice how on a red team engagement, not all of the hosts on a network will be checked for vulnerabilities. A real attacker would only need to find a single path to their goal and is not interested in performing noisy scans that the blue team could detect.

Taking the same network as before, on a red team engagement where the goal is to compromise the intranet server, we would plan for a way to reach our objective while interacting as little as possible with other hosts. Meanwhile, the blue team's capacity to detect and respond to the attack can be evaluated:

It is important to note that the final objective of such exercises should never be for the red team to "beat" the blue team, but rather to simulate enough TTPs for the blue team to learn to react adequately to a real ongoing threat. If needed, they could tweak or add security controls that help to improve their detection capabilities.

Red team engagements also improve on regular penetration tests by considering several attack surfaces:

  • Technical Infrastructure: Like in a regular penetration test, a red team will try to uncover technical vulnerabilities, with a much higher emphasis on stealth and evasion.
  • Social Engineering: Targeting people through phishing campaigns, phone calls or social media to trick them into revealing information that should be private.
  • Physical Intrusion: Using techniques like lockpicking, RFID cloning or exploiting weaknesses in electronic access control devices to access restricted areas of facilities.

Depending on the resources available, the red team exercise can be run in several ways:

  • Full Engagement: Simulate an attacker's full workflow, from initial compromise until the final goals have been achieved.
  • Assumed Breach: Start by assuming the attacker has already gained control over some assets, and try to achieve the goals from there. As an example, the red team could receive access to some user's credentials or even a workstation in the internal network.
  • Table-top Exercise: A tabletop simulation where scenarios are discussed between the red and blue teams to evaluate how they would theoretically respond to certain threats. Ideal for situations where doing live simulations might be complicated.