Everything You Need To Know About Red Teaming in 2018
Introduction
An old military saying states that in a long-running conflict, the opposing parties eventually adopt similar tactics. Well, if there is a long-standing conflict in the digital world today, it is between the intrepid professionals who work to protect their organizations' data against the ever-present threat of cybercrime — a phenomenon that has continued to evolve in terms of tactics and tools over the last decade.
In this context, there’s nothing more natural than for security teams to adopt the practices employed by cybercriminals to their own benefit. No, your security team will not become a group of digital vigilantes and go out looking for opportunities to attack potential enemies; but if your goal is to stay protected and remain law-abiding, a much more efficient approach is to use the same tools and tactics employed by your adversaries to understand the true level of resilience of your own defenses.
FREE role-guided training plans
[On-Demand Webinar — "Red Team Operations: Attack and Think Like a Criminal"]
The concept is not new: For many years, we have done vulnerability assessments and intrusion testing. But in a world where new digital threats are constantly appearing, it is necessary to go further. And that's exactly where the concept of Red Teaming comes in.
What Is Red Teaming?
As defined by Bryce G. Hoffman, author of one of the leading books on the subject: “Red Teaming is a revolutionary new way to make critical and contrarian thinking part of the planning process of any organization, allowing companies to stress-test their strategies, flush out hidden threats and missed opportunities and avoid being sandbagged by competitors.”
In the context of cybersecurity, Red Teaming is a complete simulation of the behavior of a real adversary such as a cybercriminal. This includes a multilayer approach to security testing that not only exploits vulnerabilities in technology, but also weaknesses in people and processes within the organization, allowing you to create an independent, unbiased view of the effectiveness of both security controls and the team responsible for detecting and responding to security incidents.
Red Teaming can be best understood as an advanced form of ethical hacking which is not limited to simply discovering and exploiting vulnerabilities, but also focus on emulating (with the highest level of precision possible) the behavior of an adversary. It is possible to argue that a traditional intrusion test performs similar work, but there is a distinct difference in approaches.
In terms of scope, the intrusion test has clearer boundaries and is much more restricted, while the Red Team — even though it still has goals and a scope — has much more flexibility and uses a “do everything possible” approach, just as a real attacker would do. But that's not even the major difference! A key factor is the fact that intrusion tests are limited to a point in time, it can be considered a photograph of how information security performed at a specific time. Contrary to that, in a red teaming approach, the simulations are carried out continuously, making sure the blue team (the people protecting corporate data) is always alert against possible attacks, and this is one of the greatest benefits of this methodology.
Why Is Red Teaming So Important?
One of the most important points of a Red Team assessment is to demonstrate how an adversary could combine seemingly unrelated vulnerabilities to achieve their goals. This is to prove that, even with the best of protection technologies, an organization is never 100% protected against an advanced threat.
It is common for a Red Team to combine traditional techniques, such as exploiting technologically-related vulnerabilities, with tactics such as social engineering, that can be performed by email, telephone or even physically in the assessed environment. This will create a complete, real-world view of your information security effectiveness and help to prove how inefficient it is to rely on a single type of technology to protect corporate data, even if this technology is the most advanced available.
In the end, a Red Team assessment will demonstrate the value of adopting a layered approach to cybersecurity, that is defense-in-depth, by combining the best technology with reliable processes and people both aware and prepared to deal with any information security threat.
Of course, it is always important to remember that all of this is done continuously, enabling a steady improvement to security controls and teams.
Who Should Use Red Teaming?
A common mistake is believing that security testing should be restricted to large corporations that have huge volumes of valuable data. After all, cybercriminals would not be interested in small and medium-sized companies, correct? No! This sort of thinking could not be further from reality.
In the current cybersecurity threat context anyone can be a victim, from corporations to small businesses or even individuals. Attackers are not limited to stealing data, but they are also very interested into gaining access to all types of IT infrastructure, even small servers or mobile devices such as smartphones and tablets can be hacked, become part of a botnet and be the drones responsible for the next major Denial of Service attack.
In addition to that, there are a number of new/updated privacy laws and regulations around the world, such as the GDPR or California’s Consumer Privacy Act of 2018, and in most cases they apply to businesses of all types and sizes. In this case, a single incident that violates the security requirements of private information may result in fines so heavy that it could make a company go out of business.
Red Teaming is one of the best options to ensure that your organization will be prepared to deal with real adversaries whose lack of morals means they have no problem in destroying even a small business in order to achieve their goals.
What Are the Possible Outcomes from Not Using Red Teaming?
For a long time, vulnerability assessments and traditional penetration testing have been the most commonly used approaches to testing organizations' security controls. Unfortunately, this is no longer enough to ensure adequate levels of protection.
Traditional tests are limited to identifying problems at a specific point in time, in addition to that, they also have limited scopes and often leave the emulation of an adversary's behavior completely out of the picture. The result is an incomplete view of the threat landscape, which significantly reduces the security team's ability to respond to a real attack.
To put it simply, we live in a world where cybersecurity threats are constantly evolving, new vulnerabilities, tools and techniques emerge every day. When the goal is to ensure adequate protection against real threats, new approaches like threat hunting and Red Teaming are key pieces to any strong cybersecurity strategy.
Concluding Thoughts
Since the era of the famous strategist Sun Tzu, the practice of knowing yourself as a way to defeat the enemy has been preached for millennia in military academies. It applies perfectly to the context of information security.
Not only the constant threat evolution but the development of security-related laws and regulations make it is essential to take an effective and continuous tactic to corporate data protection.
Adopting a Red Teaming approach means that you will be thinking and acting just like your worst enemy, allowing you not only to gain an understanding of the approach used by an adversary, but also ensuring that your security team will be prepared to create swift and decisive responses, even against the most complex attacks. That is an undeniable benefit to your business and will make sure your CISO can sleep peacefully.
Want to read more? Check out some of our other articles, such as:
Red Team Assessment Phases: Overview
Red Team Assessment Phases: Reconnaissance
Red Team Assessment Phases: Target Identification
Sources
Red Teaming, Bryce Hoffman
What should you learn next?
Pentesting and Red Teams, Gartner Blog Network
In this Series
- Everything You Need To Know About Red Teaming in 2018
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness