Red Team Assessment Phases – Everything You Need to Know!
The antagonistic approach of a Red Team makes things challenging to an organization’s system, policies, anticipations and adaptations. These days, organizations want the Red Teams to challenge the physical security in addition to the digital security.
What Exactly Is a Red Team?
The term originally came from the military. In that context, the purpose of a Red Team was to organize a team of skilled professionals to break in or attack the security setup in order to test the security measures in place.
Speaking in terms of information technology, a Red Team comprises of a group of skilled professionals. The organization wants this team to act like real hackers and intruders. This means that the Red Team divides the operation into smaller projects and uses different techniques, replaces one plan to another if needed and even rejects a plan altogether in a given situation.
Before we dig in deeper, it is important to clarify the difference between a Red Team assessment and conventional penetration testing.
Penetration Testing vs. Red Team Assessment
A Red Team assessment is not a component of penetration testing. Even though they may feature similar components at times, they are two different things.
Penetration testing involves the evaluation of configuration and vulnerabilities. It exploits existing vulnerabilities to measure the level of risk
This means that penetration testing is about evaluating the expected or the existing rather than trying to see what else could cause issues. During penetration testing on an organizational level, general objectives revolve around gaining access to:
- Information containing trade secrets
- Personally Identifiable Information
- Protected Health Information
- Domain administrator
The Red Team assessment is well-targeted and goes beyond the identification of vulnerabilities. The Red Team tries to challenge the organization’s ability to
- Detect and anticipate security issues
- Respond to the security issues
What Are the Objectives of the Red Team Assessment?
The main objective of a Red Team assessment is to minimize the risk of cognitive errors. In an organization, being incisive and objective is highly important for critical thinking. The planning can go wrong if there is a lack of objectivity at any level the planning phase.
For an organization, Red Teaming has become a popular practice to ensure foolproof security.
A Red Team tries to challenge an organization’s:
- Existing plans for information security
- Concepts about information security prevailing in the organization
- Security measures in place
The organization’s confidential and sensitive information is the prime target and the Red Team tries to access it invisibly by using any method whatsoever. It is a long procedure and requires as much as a month, whereas penetration testing requires less than a couple of weeks.
Organizations That Need Red Team Assessment
Red Team Assessment is not for every organization. You first need to consider the maturity level of the information security posture. Penetration testing suffices in most of the cases.
The Red Team Assessment is generally meant for:
- Listed companies
- Companies with highly sensitive digital assets
- Capital-intensive industries
- Organizations which require high-end information security to protect sophisticated information
- An organization which need to consistently challenge their information security measures
Planning for Red Team Assessment (Digital Recon and Physical Recon)
Let’s think of a scenario where your organization wants your Red Team to break in its internal network and take away a confidential document.
So the Red Team assessment planning begins with thinking of the possible ways to silently access the organization’s internal network. To keep things simple, there are a couple of possible ways
- Digital Recon: You can opt for a deep scanning of the public-facing system or social hacking
- Physical Recon: You can think of entering the premises, installing a stealth system to share the information over the network
These days, most Red Teams require to work on both.
Experts call this phase the Initial Recon and it requires utmost precision, because the whole operation depends on the accurate collection of necessary information.
A search engine aggregator is a good tool to facilitate the Open Source Intelligence (OSINT). The websites, press releases and domains of the organization often reveal important information about the employees and the executives. This information is crucial for social engineering.
Then comes the Digital Recon, which involves the quest for the company’s security devices, domains and IP address. Most of the big organizations tend to have static IP addresses. They help in identifying the servers. The Digital Recon phase also requires information about open ports, database software along with the version, operating systems and the services facilitating the file transfer.
Physical Recon is also important these days because it has become harder to reveal all the required information by just focusing on the Digital Recon. Marlon Brando’s The Score (2001) is a must-see movie if you want to know how exactly physical recon works. Remember, invisibility is the key!
During Physical Recon, never forget to carry a Wi-Fi antenna booster and wireless signal scanner to sneak in if you have the chance to access a router. It may take a team of two or three intruders to efficiently record each and everything within the premises. Locking technology, employee timing, checkpoints and security features — you need to precisely record each and everything.
Analysis of the Recon Data
This stage begins with sorting the recon data. It is important to reject the useless information, which mainly comes from OSINT.
First, you need to target the individuals: email addresses of the employees and the executives, their social media accounts and so on. You need to determine the relevance of each of these individuals to know which information is useful.
Secondly, focus on the technologies prevailing in the organization. Get to know the infrastructure of the organization and how it works with the networks. DBMS, CRM and other front-end and back-end technologies are important. These are the things which give you an idea of what you can do to use the possible loopholes.
Remember, each and every feature of the organization’s IT infrastructure is going to tell you something. You can’t proceed with guesswork. You can only finalize your line of action if you know the operating systems, file-sharing servers, and software and applications.
Once your Red Team finalizes the plan, you need to go through a trial run. If something goes wrong, you have the chance to make the necessary changes. If you try to jump on your target straight away, the slightest of mistakes can ruin the whole effort.
Don’t focus on one or two weak links. A Red Team assessment is all about contingency plans, so you need to have plan B and plan C in your mind.
The execution phase is not only important for the Red Team but is also highly significant for the organization. The results are going to change the thinking of the executives and decision-makers. Everything must work according to the plan. You don’t control the organizational setup, so you can’t be certain when something unexpected will occur. This is why you need to test plan B and plan C during the Dry Run.
Controlling your nerves is crucial because often it happens that if any member of the Red Team fails to get someone to perform an action for some reason, he/she tends to feel adrenaline rush. You need to train yourself for such a situation. Keep calm, because panic is going to trigger the alarm. For instance, if you fail to access the laptop of a targeted employee, there is no point in blaming him/her for not opening the patched file. Jump to plan B rather than thinking why plan A didn’t work.
The Red Team assessment is far effective than the penetration test, but it doesn’t mean that every organization needs outsource or build a Red Team. It depends on the organization’s security requirements. If penetration testing is continuously generating the desired results, then there is no need to push things further. But if your organization is of a type mentioned under “Organizations That Need Red Team Assessment,” you need to take things seriously.
- Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues, Rapid7
- Red Team Assessment and Penetration Testing, Yash
- Red team assessments and post-assessment posture improvement, TechTarget
- What is red teaming?, TechTarget
- Inside Red Team Operations, Part 1: Planning, Recon and Equipment, Imminent Threat Solutions
- Inside Red Team Operations, Part 2: Analyzing Recon Data and The Dry Run, Imminent Threat Solutions
- Inside Red Team Operations, Part 3: Execute, Execute, Execute!, Imminent Threat Solutions