Red teaming overview, assessment & methodology
As we all know today, the cybersecurity threat landscape is a dynamic one and is constantly changing. The cyberattacker of today uses a mix of both traditional and advanced hacking techniques. On top of this, they even create new variants of them.
A perfect example of this is phishing. Traditionally, this involved sending a malicious attachment and/or link. But now the concepts of social engineering are being incorporated into it, as it is in the case of Business Email Compromise (BEC).
The cyberattacker of today is also much more patient when launching their threat vectors. For instance, rather than using a brute-force, all-or-nothing approach, they prefer a slow, methodical one, taking their time to select and study their targets and to find the weakest link in the security chain of a corporation or business.
Once they find this, the cyberattacker cautiously makes their way into this gap and slowly starts to deploy their malicious payloads. The goal now is not to just get the proverbial crown jewels all at once, but rather take them slowly, so that they can stay in an IT Infrastructure for long periods of time while going unnoticed.
Thus, organizations are having a much harder time detecting this new modus operandi of the cyberattacker. The only way to prevent it is to discover any unknown holes or weaknesses in their lines of defense, and one of the surest ways of finding them is penetration testing, in which individuals or even teams work together to uncover these gaps and recommend ways to close them.
If the penetration testing engagement is an extensive and long one, there will typically be three types of teams involved:
- The Red Team: This group acts like the cyberattacker and tries to break through the defense perimeter of the business or corporation by using any means that are available to them
- The Blue Team: This group acts like the IT security staff of an organization and attempts to thwart the cyberattacks that have been launched by the Red Team
- The Purple Team: This is a combination of both the Red and Blue Teams and works with both sides in order to yield the maximum results for the client.
In this article, we focus on examining the Red Team in more detail and some of the strategies that they use.
The Red team — conducting the assessment
In order to execute the work for the client (which is essentially launching various types and kinds of cyberattacks at their lines of defense), the Red Team must first conduct an assessment. By doing this, team members get a broad overview of the organization’s IT and network infrastructures while taking on the mindset of a real cyberattacker. In particular, all of the associated tangible and intangible items are examined closely, including the following:
- Digital assets
- Physical assets
- Technical processes
- Operational processes
In streamlining this particular assessment, the Red Team is guided by trying to answer three questions:
- If the business entity were to be impacted by a major cyberattack, what are the major repercussions that could be experienced? For instance, will there be long periods of downtime? What kinds of impacts will be felt by the organization, from both a reputational and financial perspective?
- Do all of the abovementioned assets and processes rely on some sort of common infrastructure in which they are all joined together? If this were to be hit, how serious would the cascading effect be?
- What are the most valuable assets and processes that can be easily compromised?
The Red team — major activity engagements
Once all of this has been carefully scrutinized and answered, the Red Team then decides on the various types of cyberattacks it feels are necessary to unearth any unknown weaknesses or vulnerabilities. Of course, the “list” initially created through this assessment is by no means all-inclusive: once the penetration testing exercise(s) have actually begun, the Red Team can add further threat vectors as it deems appropriate.
The following are some examples of the initial tactics that the Red Team engages in:
- Email and Telephony-Based Social Engineering: This is typically the first “hook” that is used to gain some sort of entry into the business or corporation, and from there, discover any other backdoors that might be unknowingly open to the outside world. In these instances, phishing emails and social engineering-style attacks are launched. One of the primary objectives here is to harvest as many username and password combinations as can be obtained, in order to make the first severe crack in the defense perimeter.
- Exploitation Tactics: Once the Red Team has established the first point of entry into the organization, the next step is to find out what areas in the IT/network infrastructure can be further exploited for financial gain. This involves three main facets:
  - The Network Services: Weaknesses here include both the servers and the network traffic that flows between all of them. The most vulnerable assets (and the ones the Red Team will take full advantage of) are those that have not been patched or that have been badly misconfigured.
  - The Physical Layer: At this level, the Red Team is trying to find any weaknesses that can be exploited at the physical premises of the business or the corporation. For instance, do employees often let others in without having their credentials examined first? Are there any areas inside the organization that use just one layer of security and can be easily broken into? If the data center inside the organization uses multiple entry points, what is the lag time between the opening and closing of these doors? (In other words, is there hypothetically enough time for an impostor to get through without having to use any kind of fake or stolen credentials?)
  - The Application Layer: This typically involves the Red Team going after Web-based applications (usually the back-end components, mainly the databases) and quickly determining the vulnerabilities and weaknesses that lie within them. Once these are discovered, the typical threat vectors launched are SQL injection attacks, cross-site scripting attacks, cross-site request forgery attacks and similar.
Some of these activities also form the backbone for the Red Team methodology, which is examined in more detail in the next section.
The Red team — methodology
As mentioned earlier, the types of penetration tests carried out by the Red Team are highly dependent upon the security needs of the client. For example, the entire IT and network infrastructure might be evaluated, or just certain parts of it. Once this has been decided upon, the specific functionalities to be tested are then critically examined. Software applications (such as those that are Web-based) could become targets, the physical infrastructure could get hit, or even a combination of both.
But whatever is pentested in the end, there is a common methodology that the Red Team follows:
- The Scope: This part defines the goals and objectives of the penetration testing exercise, such as:
  - Coming up with the goals or the “flags” that are to be met or captured
  - The compilation of the “Rules of Engagement” — this defines the kinds of cyberattacks that are allowed to be carried out
  - Determining any exceptions on the attack surface that will not be targeted
  - Confirming the actual timetable for executing the penetration testing exercises in conjunction with the client
  - Obtaining a “Letter of Authorization” from the client which grants explicit permission to conduct cyberattacks on their lines of defense and the assets that reside within them
- Reconnaissance and Intelligence Gathering: This phase involves collecting information and data about the targets that are going to be hit by the Red Team. Examples include the following:
  - The network IP address range that has been assigned to the business or the corporation, as well as any open network ports and related services
  - The API endpoints related to any mobile or wireless devices
  - Both the work-related and personal information of each employee in the organization. This typically includes email addresses, social media profiles, phone numbers, employee ID numbers and so on
  - Any employee credentials that have previously been targeted by a cyberattack, if any
  - The location of any embedded systems that reside in the IT and network infrastructure
- Planning and Mapping the Cyberattacks: At this stage, the types of cyberattacks that will be launched by the Red Team are mapped out, as well as how they will be executed. Some of the factors taken into consideration here:
  - Determining any subdomains that are hidden from public access
  - Any misconfigurations in the cloud-based infrastructure used by the client
  - Ascertaining any weak forms of authentication
  - Making note of any vulnerabilities and weaknesses that are known to exist in any network- or Web-based applications
  - Determining how to further exploit these known weaknesses and vulnerabilities
  - Creating any phone call scripts that are to be used in a social engineering attack (assuming that it is telephony-based)
- Launching the Cyberattacks: At this point, the cyberattacks that have been mapped out are launched towards their intended targets. Examples are:
  - Hitting and further exploiting those targets with known weaknesses and vulnerabilities
  - Impacting any testing or sandboxing environments that are used for developing software applications
  - Accessing any and/or all hardware that resides in the IT and network infrastructure. This includes workstations, all forms of mobile and wireless devices, servers, and any network security tools (such as firewalls, routers, network intrusion devices and so on)
  - Attacking any client-side applications (primarily those that are Web-based)
- Documentation and Reporting: This is considered to be the last phase of the methodology cycle, and it primarily consists of creating a final, documented report to be given to the client at the end of the penetration testing exercise(s). It consists of the following components:
  - The types and kinds of cyberattacks that were launched, and their impacts
  - The discovery of any unknown security weaknesses and vulnerabilities
  - The degree to which the above could be exploited by a real-world cyberattacker
  - The corrective actions to be taken to remediate all known and previously unknown (but later discovered) security gaps and holes
  - The consequences that could occur from not taking action or implementing the recommended solutions
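The Scope step above (authorized ranges, carve-out exceptions, permitted attack types and an agreed timetable) is what keeps every later step inside the Letter of Authorization. The following is an added example, not code from the article or any named vendor, of how a team can encode those Rules of Engagement and screen each candidate target against them before anything is launched; all ranges, dates and technique names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass
class RulesOfEngagement:
    """Scope agreed with the client: authorized networks, exclusions,
    permitted attack types and the agreed test window (UTC)."""
    authorized: list                   # in-scope networks from the Letter of Authorization
    excluded: list                     # exceptions carved out of the attack surface
    allowed_techniques: FrozenSet[str]
    window: Tuple[datetime, datetime]

    def check(self, target: str, technique: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Exclusions are tested before the
        authorized ranges so a carve-out inside an in-scope /24 still wins."""
        addr = ip_address(target)
        if any(addr in net for net in self.excluded):
            return False, f"{target} is an explicit exclusion"
        if not any(addr in net for net in self.authorized):
            return False, f"{target} is outside the authorized ranges"
        if technique not in self.allowed_techniques:
            return False, f"technique '{technique}' is not permitted by the RoE"
        start, end = self.window
        if not start <= when <= end:
            return False, f"{when.isoformat()} is outside the agreed test window"
        return True, "in scope"


def screen_targets(roe: RulesOfEngagement, targets: List[str],
                   technique: str, when: datetime):
    """Split candidate targets into those cleared to proceed and those
    blocked; each blocked entry carries the rule that stopped it."""
    allowed, blocked = [], []
    for target in targets:
        ok, reason = roe.check(target, technique, when)
        if ok:
            allowed.append(target)
        else:
            blocked.append((target, reason))
    return allowed, blocked


# Constructed sample scope (documentation ranges, assumed dates; not a real client)
SAMPLE_ROE = RulesOfEngagement(
    authorized=[ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")],
    excluded=[ip_network("203.0.113.200/30")],  # e.g. a production payment gateway
    allowed_techniques=frozenset({"network", "web-app", "phishing"}),
    window=(datetime(2024, 3, 4, 8, tzinfo=timezone.utc),
            datetime(2024, 3, 8, 18, tzinfo=timezone.utc)),
)
IN_WINDOW = datetime(2024, 3, 5, 10, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, 9, tzinfo=timezone.utc)
```

Calling `screen_targets(SAMPLE_ROE, [...], "web-app", IN_WINDOW)` returns the cleared targets and, for every blocked one, the specific rule it failed, which is the record a team wants in the engagement log when a scope question comes up later.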
The Red team — cyberattacker emulations
Although one of the ultimate objectives of the Red Team is to get into the overall mindset of the cyberattacker and launch threat vectors as real attackers would, they also take on other types of threat actor roles. The main intention of this is to expose the business or the corporation to anything that is possible in a real-world scenario. The following are examples of these other roles:
- Organized Crime: In this kind of role, the Red Team uses the more traditional threat vectors (such as a Trojan horse) in order to get to the tangible assets of the organization. Typically, these are the financial accounts. Although obtaining usernames and passwords is one of the key methods in order to get to the money, the cyberattacker may also resort to pure extortion methods. In these instances, after the profit has been obtained, the cyberattacker usually tries to cover up any backdoors, thus eradicating any sort of “forensic footprints” to the greatest extent possible
- The Cyberspy: In these types of situations, the goal for the Red Team is not to get access to the financial assets of the business entity. Rather, the objective here is to gather as much information as possible on future victims and to learn more about their processes. Thus, any attacks launched in this category are typically much slower, characterized by a large amount of patience and persistence on the part of the cyberattacker
- The Cyberterrorist: This is one of the most extreme forms of cyberattack, and the ultimate goal here is to cause as much physical destruction as possible in the critical infrastructure. This includes such items as oil/gas pipelines, the electrical power grid, nuclear power plants, large-scale industrial plants, water supply lines, power generation hubs and so on
- The Cyberactivist: In this category, the objective for the Red Team is not so much financial gain or causing physical destruction. Rather, the goal here is to find ways in which a business or corporation’s brand reputation can be completely tarnished. The tactics utilized here include leaking confidential information and data to the public, hacking into their social media accounts, spreading false rumors and more
The Red team — benefits gained by the client
At the end of any penetration testing exercise(s), there are a number of key benefits that the client will gain after making full use of a Red Team. These are as follows:
- Responses to Cyberattacks Can Be Validated: By being exposed to a series of cyberattacks, an organization will truly know how good its lines of defense are and whether its mitigation response is enough to thwart any future threats. If they are not adequate, then the IT security staff must come up with the appropriate countermeasures, which are formulated with guidance from the Red Team
- Create a Security Risk Classification scheme: Once the business entity becomes aware of all of the vulnerabilities and weaknesses that exist in their IT and network infrastructure, then all of the related assets can be properly classified according to their level of risk exposure
- All Security Weaknesses Will Be Exposed and Revealed: As described earlier in this article, it is only through exhaustive penetration testing by the Red Team that all security gaps and holes will be revealed, including those that were never known before to have actually existed
- Maximize the Return on Investment (ROI) on Security Technologies: One of the biggest issues that corporations and businesses face today is discovering whether the money being spent on security technologies is also being used wisely. For example, the error in thinking is that by simply implementing all of the latest and most sophisticated security technologies, the lines of defense will be rock-solid. But this only increases the attack surface for the cyberattacker. After having the exercise(s) conducted by the Red Team, the IT security staff as well as the “C-Suite” will have a much better idea of whether they are getting a positive ROI on their current security technology investments. If not, then the appropriate adjustments will have to be made to ensure that critical financial resources are being used wisely
In summary, this article has provided an overview of some of the major engagements and the methodology of the Red Team. The benefits gained by penetration testing were also examined, as well as some of the major cyberattacker roles that the Red Team must assume when launching their particular threat vectors. In fact, the Red Team has been considered to be one of the most critical aspects when it comes to conducting any sort of penetration testing exercise(s). The primary reason for this is that it takes a unique blend of technical, quantitative and qualitative skills in order to be a successful Red Team member. This can be a very intense role, as they are responsible for discovering any IT asset that is at risk of a cyberattack.
In terms of technical skills, it is imperative that the Red Team members have knowledge of the following security domains:
- Network port scanning
- Network infrastructure surveying
- IT system identification
- Operating system “fingerprinting”
- Security vulnerability research
- Internet application testing
- The ability to perform legal assessments of the IT/network infrastructure of the business or corporation
- Physical and digital-based dumpster diving
- The ability to conduct competitive intelligence
- Looking for weaknesses on remote connections
- Countermeasure deployment and implementation
- Firewall and access-control list testing
- Intrusion detection system testing
- Social engineering
- Trusted systems testing
- Password hacking and cracking
- Distributed Denial-of-Service investigation and testing
Often, the Red Team does not go after the proverbial crown jewels of an organization first. Rather, they often go after the low-hanging fruit, which is very often ignored by the IT security staff. From there, the Red Team works its way into the most prized possessions of the business entity. But before launching any cyberattack, it is very important to note that the Red Team must first get explicit consent from the client. If the Red Team conducts any exercise(s) outside of this scope, they could be held legally responsible for the ramifications of any threat vector that they launch.
Finally, the terms Red Teaming and penetration testing are often used synonymously, and as a result, the thinking is that the two are the same activity. In reality, they are not. Penetration testing is actually viewed as a subset of Red Teaming. The primary difference is that it is the Red Team that creates and designs the cyberattacks, while penetration testing executes them.