What is Red Teaming?
The red team attacks, the blue team defends. The simple rules of military-born games have entered the cybersecurity realm and are used as part of red teaming projects – a regular simulation of targeted attacks that uses the methods and tools from the arsenal of real hacker groups. In information security, there are many options when it comes to evaluating the security level of an organization. These include an analysis of the security of applications and systems, penetration testing, assessment of personnel security awareness, etc. However, red teaming tends to be the most advanced security assessment approach. To better understand the red teaming approach, let’s first talk about penetration testing. The essence of the pentest is to find ways to penetrate the network from the outside or from the inside of the network perimeter. Initially, the penetration test is intended only to highlight the possible ways of breaking through the perimeter or escalating user privileges. The pentest is not obliged to offer solutions to the problems found. Before the pentest, the customer sometimes says: “We worked hard to strengthen our protection. We are sure that we will not be hacked. Please check if this is really so.” The subject of the pentest is the system itself, security settings, network devices and users, but not the ability of the security team to detect and resist cyber threats. While conducting a pentest, the contractor may request that certain security features be disabled and that its addresses be added to the whitelists. This is an ordinary situation, since during pentesting you are always limited in time. Within 30 days or so, you need to find all the weak points. In real life, attackers are not limited in time. It is not good to spend the customer’s money, for example, on working around a third-party WAF.
Even more ridiculous situations arise when the customer proudly blocks the pentester by IP (all the addresses of the pentester are always provided during project planning) and considers the pentest passed. In this situation, the customer simply steals a piece of project time from himself.
Pentesting is an assessment of the passive security of information systems; red teaming is an assessment of active security.
Even though red teaming and penetration testing use similar tools for cyber-attacks, the goals and results of the two methods are very different. Red teaming is focused on the “depth” of the assessment, while the pentest is aimed at covering the largest number of attack vectors – covering the “width.” The main objective of red teaming is to test and strengthen the organization’s ability to detect and respond to advanced cyber-attacks, including APTs. By conducting red teaming exercises and practicing the response to controlled attacks, the internal security team can enhance its skills in detecting previously unknown threats, stop real attackers in the initial stages of an attack (or even in the preparatory phase), and prevent material and reputational damage to the company. What needs to be added to the pentest to make it red teaming?
Regularity of Cyber-Drills
We all remember that security is not a state but a process that involves constant change. The IT department adds and changes services, often testing their functionality without the knowledge of the information security team. Top management requires simplified remote connections to corporate systems, which also weakens security. Finally, mergers and acquisitions bring new partners and contractors onto corporate networks. These and many other similar processes mean that the infrastructure built several months ago has become something completely different. To protect any system, you must regularly assess its security posture. For dynamically developing companies, red team exercises once every three months are quite enough, though not the upper limit. With regular network and application changes, there is always a backlog of things waiting for the next security assessment.
Unpredictability of Attacks
When the problem of sudden changes in the network landscape (and, therefore, the emergence of new attack vectors) is identified during regular checks, when the IT and IS teams agree to control all changes, and when new pentests and application analyses yield fewer results, then the time of red teaming begins. Here, the emphasis shifts to controlling the readiness of the information security division to withstand attacks. The emphasis shifts from searching for vulnerabilities to simulating targeted attacks. More social engineering tricks and technical measures come into play; “width” gives way to “depth.” The project should include a comparison of two timelines – the simulated attacks and the response actions of the IS (blue) team. During a red teaming project, the security staff are not notified about what is planned or when. As part of an ongoing red teaming project, responding to sudden attacks becomes commonplace for security personnel. Only then can we talk about security as such.
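The comparison of the two timelines mentioned above is where a red teaming project produces its most useful defender-side metrics: how long each simulated attack ran before the blue team noticed it, how many attacker steps completed before detection, and which scenarios were never seen at all. The following is an added example (not code from the article or from any red teaming vendor) that pairs a constructed red team attack log with a constructed blue team response log, scenario by scenario, and derives time-to-detect, time-to-contain and a detection rate. The scenario names, timestamps and log entries are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (hypothetical, not from the article).
# Red team log: (scenario, ISO timestamp, what the red team did).
RED_LOG = [
    ("phishing",       "2024-03-04T09:12:00", "initial access: phishing e-mail opened on workstation"),
    ("phishing",       "2024-03-04T09:40:00", "persistence: scheduled task created"),
    ("phishing",       "2024-03-04T11:05:00", "lateral movement to file server"),
    ("vpn-bruteforce", "2024-03-06T02:00:00", "credential stuffing against VPN portal"),
    ("vpn-bruteforce", "2024-03-06T02:45:00", "valid account obtained"),
    ("web-upload",     "2024-03-08T14:30:00", "webshell uploaded to intranet portal"),
]

# Blue team log: (scenario, ISO timestamp, "detected" | "contained", note).
# The scenario attribution is done after the exercise, when both sides compare notes.
BLUE_LOG = [
    ("phishing",       "2024-03-04T10:20:00", "detected",  "EDR alert: suspicious schtasks.exe"),
    ("phishing",       "2024-03-04T12:30:00", "contained", "host isolated, account reset"),
    ("vpn-bruteforce", "2024-03-06T03:10:00", "detected",  "SIEM: auth failure threshold exceeded"),
    # "web-upload" has no blue team entries: it went unnoticed.
]


@dataclass
class ScenarioResult:
    scenario: str
    first_attack: datetime
    time_to_detect: Optional[timedelta]      # None if never detected
    time_to_contain: Optional[timedelta]     # None if never contained
    actions_before_detection: int            # red team steps completed before the first detection


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def compare_timelines(red_log, blue_log) -> dict:
    """Align each scenario's attack timeline with the blue team's response timeline."""
    scenarios = []
    for name, _, _ in red_log:
        if name not in scenarios:
            scenarios.append(name)

    results = {}
    for name in scenarios:
        attacks = sorted(_ts(t) for n, t, _ in red_log if n == name)
        first = attacks[0]
        # Only blue team actions at or after the first attack step count as a response.
        detections = sorted(_ts(t) for n, t, kind, _ in blue_log
                            if n == name and kind == "detected" and _ts(t) >= first)
        containments = sorted(_ts(t) for n, t, kind, _ in blue_log
                              if n == name and kind == "contained" and _ts(t) >= first)
        detect_at = detections[0] if detections else None
        contain_at = containments[0] if containments else None
        results[name] = ScenarioResult(
            scenario=name,
            first_attack=first,
            time_to_detect=(detect_at - first) if detect_at is not None else None,
            time_to_contain=(contain_at - first) if contain_at is not None else None,
            # If never detected, every red team step counts as completed unobserved.
            actions_before_detection=sum(1 for a in attacks if detect_at is None or a < detect_at),
        )
    return results


def summarize(results: dict) -> dict:
    """Roll the per-scenario results up into the numbers a report would carry."""
    detected = [r for r in results.values() if r.time_to_detect is not None]
    mean_ttd = None
    if detected:
        mean_ttd = sum(r.time_to_detect.total_seconds() for r in detected) / 60 / len(detected)
    return {
        "total": len(results),
        "detected": len(detected),
        "undetected": [r.scenario for r in results.values() if r.time_to_detect is None],
        "mean_time_to_detect_min": mean_ttd,
    }


if __name__ == "__main__":
    res = compare_timelines(RED_LOG, BLUE_LOG)
    for r in res.values():
        print(f"{r.scenario}: TTD={r.time_to_detect} TTC={r.time_to_contain} "
              f"steps before detection={r.actions_before_detection}")
    print(summarize(res))
```

Run as-is and the phishing scenario shows a detection 68 minutes after the first step (with two attacker steps already completed), containment after 198 minutes, the VPN scenario detected but never contained, and the webshell scenario entirely missed. Across iterations of the project, the trend of these numbers, rather than any single run, is what shows whether the blue team is actually improving.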
Knowledge and Skills
The goal of red teaming is not to humiliate the blue team but to achieve the goals set at the initial stage, to document the process of achieving them in as much detail as possible, and to tell the defending side about the mistakes made and ways to avoid them in the future. Thus, in each iteration of the red team project, the skills and knowledge of the blue team grow. The red team, with each new iteration, studies the target systems better and better and delivers an ever-higher level of attacks, since the techniques used earlier in the project have already been identified and neutralized by the defending side. And so, a self-sustaining system of practical training takes shape.
Several Stages of Red Teaming
The red teaming project can be divided into several successive stages, among which the most important are the development of threat intelligence scenarios and their implementation, that is, the active testing phase. At the first stage, the red team carries out threat intelligence, which may involve thousands of profiles of possible cybercriminals. With the help of threat intelligence, a targeted threat analysis report is prepared. The second stage is the actual attacking activity. Some companies may purchase threat intelligence and conduct red teaming using their own employees. To do this, you need to have a thoroughly trained information security team of 5-10 people (pentesters and technical auditors), create a SOC, and purchase TI from several large market players. Unfortunately, obstacles such as budgets, expediency, and common sense arise on the way to this ideal picture of the world. Not every organization needs to invest so seriously in its own security, even if it is a large financial institution. If some organizations do not want to hire third-party contractors to run red teaming, they may find ways to save money without significant damage to the level of security. There may be fewer members of the red and blue teams. The main thing is that the ability to handle incidents outside of working hours must remain. A SOC can be outsourced without loss of quality, or even with a gain, since a contractor who encounters incidents on a daily basis is likely to be much more competent than your own analyst. The duration of red teaming depends on the number of agreed scenarios. The average project duration is three to six months, but there are also one-year or even five-year projects. Of course, the most useful red team project is the one that never ends.
Conclusion
Red teaming as a service is primarily of interest to medium and big businesses that do not have dedicated information security departments. If such companies handle significant funds or customer records, they are a welcome target for attackers. Numerous recent ransomware attacks prove this. Today, information security officers need to be prepared to resist cyberattacks of different types. It is worth mentioning that a growing number of medium-sized businesses have recently tended to outsource information security, and it is natural to check the quality of those contractors’ work. Companies with basic levels of information security do not need red teaming; they should start with classic services like pentests and technical security audits.