Red Teaming is the flavour of the month in the cyber security industry. But what does it mean? And should I really be considering it for my organisation or business?
Many people these days have an established vulnerability scanning programme to check for poor configuration and missing patches. Many others conduct their annual penetration tests – so is Red Teaming just another sales and marketing ploy to invent yet another unnecessary security service? To answer that question, we first need to answer a simpler one: what is a red team exercise?
What is Red Teaming?
Red teaming is a cyber security assurance test. It builds on penetration testing by having a much wider scope and remit, both in terms of the attack surfaces looked at and in the level of controls that are tested.
- Vulnerability scanning will find your low-hanging issues, but its automation only touches the surface.
- Penetration testing will test a component of your environment to great depth, but doesn’t look at the context, the gaps around that component, or the real targets malicious users will go for.
- Red Teaming sets out to answer the question: when targeted, can those assets of greatest importance to me actually be compromised?
It’s a senior stakeholder question and red teaming can answer it.
What approach is taken?
The 3 attributes below help to shape our understanding of a red team exercise:
- Scope is defined by objectives, rather than a narrow set of IP addresses, domains or URLs. For example: can you access data on your customers? Can you affect the availability of system ABC? Can you impact the integrity of the transactions flowing from A to B?
- Approach the test in the way a real threat actor would. The Red Team must look at the environment through the attacker’s eyes. How would they behave? How would they react and adapt? What would they do to meet their objectives?
- Wider business policies and controls are tested. For example, the physical access policy for the building, the patching policy, the induction process, the detection and response process, or the effectiveness of other security controls.
The primary purpose of the Red Team is to validate your organisation’s effectiveness against credible and realistic cyber threats. The controls implemented by your existing cyber strategy are stressed and tested to see how the overall security posture reacts and behaves.
Red teaming may be more or less structured, and a wide range of approaches can be taken, just as a real threat actor would do.
The Red Team’s focus is on emulating a real attacker’s actions in order to determine the existing levels of assurance and to improve the effectiveness of any response to the required levels.
The 10 reasons…
So, what are these 10 reasons why a red team exercise should be conducted?
A red team exercise will:
- Simulate real attacks from a threat actor’s position – How will your organisation react when attacked? The starting point is the vantage point of an attacker. How do they see your organisation and its attack surface?
- Focus on your critical assets – The targets are set because of their importance and value to your business. It’s less about defining how they might be breached and more about focusing on any means possible to impact them.
- Remove internal bias from your scope – In a traditional penetration test, you start with a defined scope. This will be set by your own teams and may be influenced by internal bias about what should or should not be included. Red Teaming removes this bias by removing the constraint of a predefined scope. The scope can be far wider, and the actual attack path will be chosen based on the viewpoint of an outsider and the threat actor level being simulated.
- Test your detection and response capability – A Red Team exercise will test your organisation’s wider processes and security controls. How will you detect, react and behave at different levels of the organisation? How will the separate units or business functions behave when put into a real-world scenario?
- Be a cost-effective way to stress-test your wider organisation’s capabilities – Investment in this level of testing is a far better way to achieve a level of assurance and comfort than waiting for a real attack to take place.
- Use bespoke toolsets – Threat actors often use custom toolsets, and a red team should be able to mimic threat actors in a highly sophisticated, targeted manner. This tooling allows the red team to simulate real-world threats against your organisation, as close to a real attack as you can get.
- Simulate threat attack paths to your assets (and not just compromise your perimeter) – A red team will create in-depth attack paths that mimic a wide range of sophisticated scenarios. This will help your detection and response teams to know exactly what they should be looking for and detecting at every stage of the attack.
- Use a big bag of tricks – Red Teams will have a wealth of tools, techniques and capabilities specialising in many areas, including financial systems and services, core banking, web frameworks, malware analysis and creation, botnet tracking and many, many social engineering techniques. This bag will be adapted and used to test you at the points that are most relevant and where you are most likely to be breached.
- Educate you around threat actor activities – You will learn more about the types of actions threat actors will take and understand where your weaknesses are within your people, processes and technology. A red team exercise will not find every hole, but it will tell you whether enough holes are present to indicate that an unacceptable impact could result from a cyber-attack.
- Combine real-world offensive and defensive teams – Red Teamers understand both the attack (red team) and protective (blue team) sides of the coin. Ultimately, you can consider the governance of this two-sided approach under the name ‘Purple Teaming’, but that’s another topic and another blog article…
The result from a red team exercise should land on the CEO’s desk and inform them clearly of the current assurance levels around a cyber-attack.
The board and security governance processes within your business should then take these results and direct, change and influence the security programme to address the risks faced by the organisation’s critical functions.
Nettitude can help you deliver these tests; find out more here.