IT security is like a multi-sport race that never ends. In this race there are many milestones to be achieved by going through a wide variety of exercises. While Red Teaming is only one of many exercises keeping your IT security team fit, it is one of the most challenging and insightful. This article describes what Red Teaming is, who should apply it and when, and how it is executed. If you find this article useful – share it.
+ What is Red Teaming
Red Teaming can be described in many ways, but in most cases it is described as an IT exercise meant to simulate a real-world cyber attack. The actual way such an exercise is performed varies with many factors, but in general Red Teaming involves multiple steps meant to analyze the target organization, infiltrate its IT systems and achieve a pre-defined goal (gain access to certain systems, “borrow” some documents, read sensitive correspondence, etc.). The purpose of a Red Teaming exercise is to find out whether the target is prepared to withstand a targeted cyber attack and what can be done to increase its resilience against such attacks.
Since penetration tests are more widely known and more often performed, Red Teaming is sometimes confused with them. To better understand the differences between a penetration test and a Red Teaming exercise, take a look at the table below, which describes the main differences between these two IT security activities.
+ Who and when should perform Red Teaming
Since Red Teaming is mostly focused on simulating a targeted cyber attack, this activity is most relevant to organizations that meet at least a couple of the following criteria:
- Are large (100+ employees working with IT technologies on a daily basis)
- Possess intellectual property that guarantees a competitive advantage in the market (IT, pharmaceuticals, biotech, industrial machinery, etc.)
- Manage financial assets (such as stocks, bonds, crypto/fiat currency, gold/silver, etc.)
- Deal with sensitive data (political, economic or military information, private customer data, etc.)
As mentioned earlier, Red Teaming is just one of many exercises. As in sports, some IT security activities yield the best results when performed in a certain order. To better understand when the best time to perform a Red Teaming exercise is, let’s take a look at the landscape of IT security steps that can and should be performed. To do so, we will use the CIS Controls.
As you can see from the graph above, many steps should be performed before executing a Red Teaming exercise. It does not make sense to perform Red Teaming before making sure that your team has at least a chance to detect and defend against such an exercise, just as it does not make sense to attempt to withstand a bullet without any armor (not even a T-shirt!). Therefore, it is recommended to embrace Red Teaming exercises only after you are properly prepared and your IT security teams’ seat belts are properly fastened.
Since Red Teaming is quite a complicated exercise, it needs to be orchestrated properly in order to achieve the best return on investment. The following flowchart illustrates the core stages of a Red Teaming project.
The following list covers the main steps performed during a preparation of the Red Teaming exercise:
- Negotiating terms of the engagement
- Assembling teams (at least white and red teams)
- Preparing scenario and setting goals
Alongside the usual paperwork, a letter of authorization (LOA) is prepared so that, in case a Red Team member is caught (usually relevant when physical attacks are performed), there are no misunderstandings or legal consequences.
The White Team usually consists of just a few members of the target organization who are aware of the exercise and oversee the process. The Red Team (internal or external) consists of cyber security specialists who actually perform the exercise, that is, attempt to breach the target company’s IT infrastructure.
The actual scenario varies on a case-by-case basis, but a fully fledged Red Teaming operation usually covers all steps of an Advanced Persistent Threat (APT) life cycle, starting with the initial reconnaissance and finishing with the exfiltration of confidential data.
Once the terms are agreed and the scenario is aligned with the particular goals of the Red Teaming exercise, the Execution stage begins. The execution stage of a fully fledged Red Teaming exercise is summarized by the following chart.
Each step of a Red Teaming engagement can be briefly summarized as follows:
- Reconnaissance – analyzing the target without active attacks. This step involves extensive information gathering, including, but not limited to, the target organization’s employees and their contact details (email, phones, etc.), passive fingerprinting of digital assets (websites, servers, other IT-related artifacts), inspecting physical offices/branches, etc.
- Initial Compromise – based on the intelligence gathered during the first step, an attack vector for the initial intrusion is staged. In most cases it is some sort of social engineering attack or exploitation of externally facing vulnerable systems. Sometimes Red Teamers visit the target organization’s offices and use pretexting (the false pretense of being someone they are not) in order to install malware on some systems or drop a rogue device onto the network.
- Persistence – once a successful initial compromise takes place, the Red Team tries to maintain their access on a compromised system. This is done by installing persistent backdoors on the infected system or hacking into a more stable system on the network.
- Privilege Escalation – before spreading across the network Red Teamers try to escalate their privileges on the initially compromised systems as this allows extraction of valuable secrets (credentials) and helps in performing more advanced attacks.
- Internal Recon / Lateral Movement / Data Analysis – this step is a continuous process aimed at navigating across the target organization’s network and looking for important information or sensitive systems. Lateral movement usually happens by means of credential extraction or exploitation of internal systems.
- Exfiltration – after the company’s holy grail is found, the relevant information (defined during the preparation stage) is exfiltrated to finalize the execution of the pre-defined scenario.
During the feedback stage the Red Team presents its findings and helps the Blue Team learn about countermeasures that would allow them to detect and properly respond to a similar attack. Depending on the agreement, Red Teamers repeat the intrusion step by step together with the Blue Team in order to help them understand the mindset of an attacker. Such a combined exercise (also known as Purple Teaming) usually yields better results and increases the organization’s readiness against future attacks.
While the idea of a Red Teaming exercise is to simulate a real-world cyber attack against the target organization’s network, the main goal is not to show that it is possible to get inside no matter what, but to:
- Identify the weakest point (or a few of them) within the organization (whether technological or organizational in nature)
- Perform the exercise in a way that the malicious activity can be detected (leaving traces or intentionally raising some alarms)
- During the feedback session, provide practical guidance on how to better detect and respond to malicious activity on the network
Therefore, the value of a Red Teaming exercise comes from education based on relevant examples, which allows companies to better prepare for upcoming cyber attacks.
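The feedback session is where detection gaps become concrete. As an added illustration (not code from the original article or from any particular Red Team), the scorecard below lines up a Red Team's logged actions, labelled with the stages described above, against the Blue Team's alerts and reports per-stage time-to-detect, the missed stages to focus the feedback on, and overall coverage; the four-hour matching window, the dataclasses and the timeline data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Engagement stages as named in the article, in execution order.
STAGES = ["reconnaissance", "initial_compromise", "persistence",
          "privilege_escalation", "lateral_movement", "exfiltration"]

@dataclass
class Action:
    """One Red Team step from the Red Team's own activity log."""
    stage: str
    at: datetime

@dataclass
class Alert:
    """One Blue Team alert; 'stage' is the step it was attributed to in the feedback session."""
    at: datetime
    stage: str

def detection_scorecard(actions, alerts, window=timedelta(hours=4)):
    """Map each exercised stage to its fastest time-to-detect in minutes (None = missed)."""
    score = {}
    for act in actions:
        # An alert counts only if it carries the same stage and fired after the action,
        # within `window`; an alert raised before the action is not a detection of it.
        hits = [a.at for a in alerts
                if a.stage == act.stage and act.at <= a.at <= act.at + window]
        ttd = (min(hits) - act.at).total_seconds() / 60 if hits else None
        best = score.get(act.stage)
        if act.stage not in score or (ttd is not None and (best is None or ttd < best)):
            score[act.stage] = ttd
    return score

def undetected_stages(score):
    """Missed stages in engagement order: the feedback session's priority list."""
    return [s for s in STAGES if s in score and score[s] is None]

def coverage(score):
    """Fraction of exercised stages that produced at least one timely alert."""
    return sum(v is not None for v in score.values()) / len(score) if score else 0.0

# Constructed timeline of one fictional engagement day (not data from a real exercise).
T0 = datetime(2024, 3, 4, 9, 0)
ACTIONS = [Action("reconnaissance", T0),                             # passive OSINT
           Action("initial_compromise", T0 + timedelta(hours=2)),   # simulated phishing mail
           Action("persistence", T0 + timedelta(hours=3)),
           Action("privilege_escalation", T0 + timedelta(hours=5)),
           Action("lateral_movement", T0 + timedelta(hours=6)),
           Action("exfiltration", T0 + timedelta(hours=8))]         # agreed test document
ALERTS = [Alert(T0 + timedelta(hours=1), "persistence"),             # fired before the action
          Alert(T0 + timedelta(hours=2, minutes=30), "initial_compromise"),
          Alert(T0 + timedelta(hours=8, minutes=12), "exfiltration")]
```

Reconnaissance is passive and is expected to stay undetected; the other missed stages are the ones the guidance in the feedback session should address first.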
If you think we can help you in any way – contact us now!