When it comes to protecting your organisation from the ever-increasing risk of cyberattacks, preparation is essential to defend effectively against the latest threats. It is one thing to spend countless hours and dollars implementing security controls and developing processes, but how do you know whether they are really fit for purpose against the current threat landscape? Cyberattacks have become more frequent, severe and sophisticated, and a proactive approach to cyber threats is the only way to keep up in an asymmetric fight. Red teaming is a widely used approach: a process designed to uncover network and system vulnerabilities and test security by taking an attacker-like approach to gaining access to systems, networks and data. In this article, we explore what red teaming is and how it can improve your organisation's cyber security posture.
What is red teaming?
The term red teaming originates in military exercises, where a red team is given the objective of attacking and a blue team that of defending. In a cyber security context, red teaming involves engaging a group of ethical (white-hat) hackers to apply a range of penetration testing techniques against an organisation's digital and web infrastructure. More broadly, it is the practice of rigorously challenging plans, policies, systems and assumptions by adopting an adversarial approach. A red team may be a contracted external party or an internal group that uses strategies to encourage an outsider perspective. Engagements are typically performed over a longer period than other assessments, usually weeks but sometimes months.
A blue team, on the other hand, is the defending side: typically the organisation's own IT and security staff, often the security operations team, whose job is to detect and stop the attack. If the red team plays the part of a group of cybercriminals, the blue team's goal is to prevent them from completing a simulated data breach. This type of exercise is known as a red team versus blue team simulation.
The benefits of red teaming
The key benefits of running a red team engagement in an organisation are as follows:
- assesses the current security programme and the security controls in place
- helps the organisation develop and fine-tune its policies and procedures
- helps classify the associated assets according to their level of risk
- identifies and classifies a wide range of security risks
- maps exploitable routes and processes that provide access to IT systems and facilities
- exposes gaps in monitoring that allow attackers to evade detection
- tests the effectiveness of incident response plans
- helps maximise the return on the investment made in securing the organisation
- provides guidance and direction on future security investments
Red teaming methodology
Red teaming typically follows an intelligence-driven, black-box methodology to rigorously test an organisation's detection and response capabilities. If you are familiar with the Cyber Kill Chain model, you will recognise the sequence of steps an attacker goes through when trying to compromise a system; the red team methodology follows the same principles. The objectives and rules of engagement are agreed with the organisation before any of these phases begin. A typical engagement includes the following phases:
Reconnaissance
High-quality intelligence is critical to the success of any red teaming engagement. The ethical hackers use a variety of open-source intelligence (OSINT) tools, techniques and resources to collect information that could help them compromise the target organisation. This could include details about employees, infrastructure and deployed technologies.
Staging & Weaponisation
Once vulnerabilities have been identified and a plan of attack formulated, the next stage of an engagement is staging: obtaining, configuring and obfuscating the resources needed to conduct the attack. This could include setting up command and control (C2) servers and social engineering infrastructure, or developing malicious code and custom malware.
Attack Delivery
This stage involves compromising the target and obtaining a foothold on its network. In pursuit of the objective, the ethical hackers may exploit the vulnerabilities discovered, use brute force against weak employee passwords, or send fake email communications to launch phishing attacks and deliver malicious payloads such as malware.
Internal Compromise
Once a foothold has been obtained on the target network, the next phase focuses on achieving the agreed objective(s) of the engagement. Activities at this stage could include lateral movement across the network, privilege escalation, physical compromise, command and control activity and data exfiltration.
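The attack delivery and internal compromise phases above are only a useful test if the organisation can see them happening, so the blue team will normally replay the red team's timeline against its own detections. The following script is an added example and not part of the original article: it runs three simple detections over a constructed authentication log, looking for a password spray and a brute-force success (attack delivery) and for one account authenticating to several hosts in a short window (lateral movement during internal compromise). The log format, hostnames, addresses, account names and thresholds are all hypothetical.

```python
"""Toy blue-team detections for the red team phases described above.

Added example: the log format, hosts, addresses, account names and
thresholds are all constructed for illustration, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: a password spray from one external address, a brute-force
# against a service account, that account then hopping between hosts, plus a
# benign user who mistypes a password once.
SAMPLE_LOG = """
2024-05-01T09:00:01Z LOGON_FAILED user=alice src=203.0.113.7 dst=VPN01
2024-05-01T09:00:03Z LOGON_FAILED user=bob src=203.0.113.7 dst=VPN01
2024-05-01T09:00:05Z LOGON_FAILED user=carol src=203.0.113.7 dst=VPN01
2024-05-01T09:00:07Z LOGON_FAILED user=dave src=203.0.113.7 dst=VPN01
2024-05-01T09:00:09Z LOGON_FAILED user=erin src=203.0.113.7 dst=VPN01
2024-05-01T09:30:00Z LOGON_FAILED user=svc_backup src=10.0.0.50 dst=FS01
2024-05-01T09:30:10Z LOGON_FAILED user=svc_backup src=10.0.0.50 dst=FS01
2024-05-01T09:30:20Z LOGON_FAILED user=svc_backup src=10.0.0.50 dst=FS01
2024-05-01T09:30:30Z LOGON_FAILED user=svc_backup src=10.0.0.50 dst=FS01
2024-05-01T09:30:40Z LOGON_SUCCESS user=svc_backup src=10.0.0.50 dst=FS01
2024-05-01T09:35:00Z LOGON_SUCCESS user=svc_backup src=10.0.0.50 dst=WEB02
2024-05-01T09:41:00Z LOGON_SUCCESS user=svc_backup src=10.0.0.50 dst=DC01
2024-05-01T11:00:00Z LOGON_FAILED user=frank src=10.0.0.21 dst=FS01
2024-05-01T11:00:20Z LOGON_SUCCESS user=frank src=10.0.0.21 dst=FS01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON_FAILED|LOGON_SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _distinct_in_window(events, key, window, minimum):
    """Slide a time window over time-sorted events; return the sorted distinct
    `key` values of the first window that reaches `minimum`, else None."""
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        seen = {e[key] for e in events[start:end + 1]}
        if len(seen) >= minimum:
            return sorted(seen)
    return None


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Attack delivery: one source failing logons against many accounts."""
    fails_by_src = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGON_FAILED":
            fails_by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in fails_by_src.items():
        users = _distinct_in_window(evs, "user", window, min_users)
        if users:
            alerts.append({"rule": "password_spray", "src": src, "users": users})
    return alerts


def detect_brute_force(events, min_failures=4):
    """Attack delivery: repeated failures on one account, then a success."""
    fails = defaultdict(int)
    alerts = []
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["event"] == "LOGON_FAILED":
            fails[key] += 1
            continue
        if fails[key] >= min_failures:
            alerts.append({"rule": "brute_force_success", "src": ev["src"],
                           "user": ev["user"], "failures": fails[key]})
        fails[key] = 0  # a success ends the failure run either way
    return alerts


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=15)):
    """Internal compromise: one account logging on to many hosts quickly."""
    ok_by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGON_SUCCESS":
            ok_by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in ok_by_user.items():
        hosts = _distinct_in_window(evs, "dst", window, min_hosts)
        if hosts:
            alerts.append({"rule": "lateral_movement", "user": user, "hosts": hosts})
    return alerts


def run_detections(lines):
    """Run every rule and return the combined alert list."""
    events = parse(lines)
    return (detect_password_spray(events)
            + detect_brute_force(events)
            + detect_lateral_movement(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log this produces exactly three alerts (the spray, the brute-forced service account and its hop across three hosts) and nothing for the user who mistyped a password once. The thresholds are the tuning knobs a blue team adjusts; during an engagement the value comes from lining these alerts up against the red team's own timestamped record of actions, since every action with no matching alert is a monitoring gap to fix.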
Reporting and Analysis
Following completion of the engagement, a comprehensive report is prepared to help both technical and non-technical personnel understand the outcome of the exercise, including an overview of the vulnerabilities discovered, the attack vectors used, and recommendations on how to remediate and mitigate the risks identified. Because the engagement exists to test detection and response, the report should also record which red team actions were detected, when, and how the blue team responded, so that the gaps can be closed.