Red team assessment phases: Overview
Computer systems and networks contain valuable information, and hackers are out there trying to steal that data. This has led to the development of the red team assessment, a test to help an organization identify and correct vulnerabilities and flaws in their cybersecurity defenses before a hacker can find and exploit them.
To do so, an organization hires a red team to perform an assessment. The red team’s job is to think and act as a hacker does in order to find the vulnerabilities in an organization’s network that are the most likely to be exploited. Once they’ve done so, the red team reports their results to the organization.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
Every red team assessment is unique, but they tend to follow a flow through seven main phases, as described in the following section.
[On-Demand Webinar — "Red Team Operations: Attack and Think Like a Criminal"]
Breaking down the red team assessment phases
The basic steps of a red team assessment can be broken up into seven main phases, and most red team assessments will include all phases in roughly that order. However, the specifics of the situation may mean that certain phases are skipped (as in a white-box assessment) or performed out of order (for example, if an attempt to gain access fails and the red team has to start over). The phases of a red team assessment are useful in understanding how a red team assessment works but are not set in stone.
Planning/setting objectives
The first phase of a red team assessment usually involves planning and setting objectives for the assessment. The organization being assessed may have specific wishes for the red team assessment. For example, the red team may only be required to demonstrate the ability to access sensitive information, not exfiltrate it. A common limitation is disallowing the use of social engineering as part of the assessment.
A crucial part of this phase of a red team assessment is ensuring that all parties involved are in sync regarding the “rules” of the assessment.
Once the ground rules for the assessment have been laid out, the team can start planning their strategy. Based on the specifics of the assessment, certain avenues of attack may be more or less promising for the assessment. Creating a rough plan for the assessment in advance minimizes the probability of wasted effort and unintended consequences and facilitates assignment of roles within the team.
Reconnaissance
Once the planning phase is complete, the assessment can begin in earnest. Collecting information about the target environment is vital to performing a red team assessment against it. Every organization has its own digital and physical defenses and the state and configuration of these defenses dictates how they can be circumvented or overcome. In the reconnaissance phase, a red team tester attempts to gather as much as possible about the target while minimizing the probability of being detected.
Target identification
At the end of the reconnaissance phase, the red team should have a large amount of information about the target’s digital and physical habits and defenses. In the target identification stage of the attack, the red team sifts through this information to identify potential vulnerabilities and ways to achieve their objectives. This phase also includes active information-gathering techniques like network scanning and enumeration. Usually, the team will try to identify several different avenues of attack in order to maximize the probability that their attack will be successful.
Gaining access
This stage of the assessment is when the red team makes their first significant active moves against the organization. The actions taken in the reconnaissance phase are intended to be passive or have minimal impact in order to minimize the chances of detection.
In the Gaining Access Phase, the red team takes advantage of the vulnerabilities identified in the previous phases in order to bypass or overcome the organization’s defenses. This may include exploiting software vulnerabilities, using social engineering against employees or bypassing physical defenses. The end goal of the phase is to provide the red team with a foothold inside the target’s defenses that can be expanded to achieve the objectives of the assessment.
Establishing foothold and maintaining presence
Once a red team has access to a system, a primary goal is ensuring that access continues. Depending on the attack vector used to gain access to the system, it may be difficult or impossible to maintain access using the original connection. In this phase of an assessment, the red team expands and deepens their foothold on the target network, establishing communications channels and persistence mechanisms in order to guarantee that they have a sufficient level and duration of access to achieve the objectives of the assessment.
Completing objectives
This phase of the red team assessment is fairly self-explanatory. In the first phase of the assessment, the red team and the customer negotiate the terms of the red team assessment. Typically, this involves identifying certain “flags” or pieces of information that the red team should target in order to prove that they have gained certain levels of access to the system. In this phase of the assessment, the red team takes advantage of the access gained and expanded in the previous two phases to locate and claim the agreed-upon flags on the target network or system.
Reporting
The final, and potentially most important, phase of a red team assessment is the reporting phase. A customer hiring a red team to perform an assessment is doing so in order to gain specific information and actionable guidance about vulnerabilities in their systems, not just a statement that their network is or is not vulnerable. In this phase of the assessment, it is the responsibility of the red team to clearly and comprehensively document the vulnerabilities discovered during their assessment, including how they can be verified and exploited for future testing.
How do red team assessments compare to real attacks?
Red team assessments are designed to be as similar to real attacks as possible. By using the same tools, techniques and procedures as black-hat hackers, red teams maximize the probability that they will identify and report the vulnerabilities that attackers are most likely to target in an organization’s network. However, there are a few ways in which red team assessments may not accurately mirror real attacks.
The first inconsistency is the allowable scope of the assessment. If an organization states that social engineering is out of scope of the assessment, then the red team won’t use social engineering against the target. However, hackers don’t care if an organization doesn’t want to be socially-engineered and will take advantage of any weaknesses that an organization has. A “no-holds-barred” red team assessment is the most like a real-world attack.
The other main difference between real-world attacks and red team assessments is the phases included. Obviously, hackers won’t be sending a detailed vulnerability report to the target organization. Both hackers and red teams may skip phases if the situation warrants it. If an organization has an obvious, gaping vulnerability, a hacker may skip directly to the Gaining Access phase. In a white-box assessment, red teams are given access to the system and can begin by expanding their foothold on the system.
The red team also has limited time to perform the assessment, while hackers typically don’t, so they may focus more on targets of opportunity than a full-scale analysis of the system before exploitation.
Want to read more? Check out some of our other articles, such as:
- Red Team Assessment Phases: Reconnaissance
- Red Team Assessment Phases: Target Identification
- Everything You Need To Know About Red Teaming in 2018
FREE role-guided training plans
Sources
Penetration Testing - Limitations, Tutorialspoint
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Red team assessment phases: Overview
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness