SBN

What Is Red Team in Cyber Security?

How can we be satisfied with cybersecurity defense capabilities
that are only theoretical?
We no longer have to wait to be bombarded by cybercriminals
to realize whether our threat detectors,
firewalls and other defensive strategies
and security controls are efficient.
We no longer have to wait for malicious hackers
to detect vulnerabilities in our systems
to be able to act on them.
Although it may seem counterintuitive,
in the cybersecurity field,
we can request the service of being attacked.
These attacks are done,
though, in an ethical and regulated manner
to find out how strong we are.
We can hire professionals to show us vividly
what an attacker could do against us
and how well we and our systems would respond
to those real threats.
In this post,
we will talk about red teams and red teaming
so that you can better understand this solution.

What is a red team?

We are not referring to Liverpool,
Bayern Munich,
or some similar team here.
We are focused on a red team in cybersecurity.
This red team is a group of individual security experts,
inside or outside the target company,
with the required skills and,
of course,
the permission to simulate “real-world” cyberattacks.
In these attacks,
they must emulate tactics,
techniques and procedures used by today’s threat actors
to compromise an organization’s systems and cyber defenses.
Red team testing evaluates the effectiveness of the company’s
threat prevention, detection and response strategies.
It delivers reports of detected vulnerabilities
and exploitation impacts
as feedback for vulnerability remediation
and improvement of the organization’s cyber defenses.
Typically,
when we talk about red teams,
blue teams often come up in the conversation.

Red team vs. blue team

A red team is made up of specialists in offensive security
(ethical hackers)
whose mission,
as mentioned above,
is to impact and compromise an information system and its defenses.
The size of this team is variable
and sometimes depends on the complexity of the tasks.
The members of this team are expected to have extensive technical knowledge,
creativity and cunning to gain access to systems
and move through them undetected.
Ideally,
their skills and backgrounds are miscellaneous.
Some may be more adept,
for example,
in software development, penetration testing, social engineering,
business knowledge, IT administration, threat intelligence
or security controls and tools.

A blue team is made up of specialists in defensive security,
including incident response consultants,
for example.
They must guide the organization to assess its environment
and organize, implement and improve security controls
to identify and stop or deal with red team intrusions
or real threat actors.
Their defensive work seeks to prevent damage to the structure
and operations of the organization’s systems.
In some cases,
the blue team may intervene in the planning
or implementation of recovery measures.
The members of this team must fully understand security strategies,
both at the technological and human levels.
They must be highly skilled in the detection of threats,
the appropriate response to them
and the correct use of tools
that support these purposes.

Both teams can have as a knowledge source of tactics,
techniques and procedures of threat actors
the MITRE ATT&CK Framework,
which is a product of real-world experiences.
Usually,
the red and blue teams have a leading role in the red teaming practice.
However,
the presence of the latter may not be indispensable.

What is red teaming?

In line with the above,
to define red teaming,
we refer to the offensive art
with which we can help a company know how secure its systems are.
Apparently,
this was a practice that originated in the military context.
In an adversarial approach,
the idea was to confront two teams simulating reality
to evaluate the quality and strength of their strategies.
(Something like this happens in Attack-Defense style CTF contests
for hacker groups.)
This gave rise to the red team and the blue team.
In a controlled environment,
a red team attack tests an organization’s threat prevention,
detection and response capabilities and strategies
—factors in which a blue team may be involved with plans,
systems and standards.

Many times,
the blue team or the members of the security team of the company
under evaluation
may not be aware that red teaming or simulated attacks are taking place.
(In fact, this is ideal;
see “Attacking Without Announcing.”)
As we discussed some time ago
in regard to the TIBER-EU tests,
a white team,
close to the blue team,
may also come into play.
A white team is a small group in the organization
that may be the only one aware of the red teaming.
This team is responsible for approving and requesting the initiation
and interruption of attacks.
It also acts as a liaison between the other two groups.
It is always expected that,
after red teaming exercises,
the target organization will mature its security
by refining its controls and remediating its vulnerabilities.
Incidentally,
it is the company’s mission
to ensure that what it receives is red teaming
and not just penetration testing.

Red teaming vs. pentesting

Both red teaming and pentesting are offensive security approaches.
In both cases,
“real-world” cyberattacks are simulated under controlled conditions
to evaluate system security.
Among the differences often mentioned is that
penetration testing acts on a narrower scope.
For instance,
applications under development
or individual components belonging to a network are evaluated.
On the other hand,
red teaming is more oriented
towards testing a complete enterprise environment in production
with all its systems involved simultaneously.
It may not focus on finding and reporting all vulnerabilities
as pentesting does.
The red team may concentrate
on meeting specific infiltration and impact objectives.
Further,
some say that pentesting can be conducted by a single individual,
while red teaming must involve several.

Both approaches can be integrated.
A vendor can initially apply several pentesting cycles
within a company’s DevSecOps model.
Based on what’s shown in the reports,
the company can perform vulnerability remediation on its systems.
After these cycles,
a more mature security organization can open the way to red teaming.
Then,
with specific objectives such as accessing a particular network element
or sensitive information,
for example,
it is possible to test how effective the remediations have been
and what security gaps there are in the systems
in the face of certain types of attacks.

Red teaming can be seen as a deeper,
holistic and more complex penetration testing.
Because of this,
red teaming can take longer than pentesting.
A red team has to employ stealth and evasion.
It is often said that in red teaming,
as compared to pentesting,
the surprise factor prevails
(i.e., the blue team is unaware of the attack simulation).
Nevertheless,
this will depend on what is defined between the provider and the client.
Also,
red teaming expands the range of attack types to be used,
adding,
for example,
physical penetration and social engineering
(e.g., phishing).
This means that not only the systems are put to the test,
but also the personnel who manages them.
That is why it can provide more and better ideas than pentesting
for improving plans for prevention,
detection and response to threats.

Usual objectives in red teaming

Red teams in their work can establish different objectives
from the beginning,
among which we highlight the following:

  • To attack systems in production environments.

  • To escalate privileges and take administrative control of critical systems.

  • To access system files and sensitive information,
    even extract and modify it.

  • To not affect the availability of any service to external customers or users.
    However, they can demonstrate it can be done.

  • To not be detected at any stage of the attack.

  • To inject custom Trojans.

  • To install backdoors for future access
    and determine how easy it is to notice their existence.

  • To maximize the level of penetration and impact.

How are red teaming exercises performed?

As we pointed out earlier,
and as Rafael Alvarez,
CTO of Fluid Attacks,
once said,
ideally,
the blue team should not be aware of the execution of the red teaming.
In particular,
for the blue team to know the times and places
where the red team intends to attack
may be seen as inappropriate.
“In order to know with certainty the security level of your company,
these exercises must be as close to reality as possible,”
says Alvarez.
The few members of the organization,
i.e., its highest authorities,
who will be aware of the red teaming,
are the ones who will give the red team express authorization
and legal protection for its offensive security exercise.

Red teaming must begin with the establishment of clear objectives,
such as those outlined in the previous section.
Once these are defined,
the red team starts a passive and active target reconnaissance.
In this step,
the team collects all the information it can
and believes necessary about context,
infrastructure, equipment, operations,
people involved and more.
This process leads the red team
to acquire and develop a variety of red teaming tools,
including assessment, password cracking,
social engineering and exploitation tools,
that suit the objectives and the target company.
The team also carries out weaponization,
where,
for example,
the creation of malicious payloads or pieces of code takes place.

The red team then assesses the attack surface
to identify vulnerabilities and entry points,
including human weaknesses.
Then,
it defines vulnerabilities to exploit.
Through social engineering,
exploitation of a software vulnerability,
or any other attack vector,
the red team gains access to the target
and executes the payload on it.
This allows the team to compromise system components
and bypass security controls.
Attackers always take measures
to prevent the blue team from becoming aware of the intrusion.
If the latter succeeds,
the former is compelled to struggle against any containment effort.

Subsequently,
the red team tries to move within the target,
keeping in mind the objectives that were initially set.
If necessary,
it looks for new vulnerabilities to exploit
in order to escalate privileges
and continue moving through the systems.
Once the purposes of the exercise have been achieved,
the team proceeds to a reporting and analysis stage.
The experts report on what they achieved,
the key identified vulnerabilities
and the performance of the security controls and the blue team
(if there was blue team engagement).
The owners of the assessed systems can then receive support
for vulnerability remediation
and improvement of their procedures to prevent,
detect and respond
to the types of attacks involved in the red teaming.

What are the benefits of red teaming?

In general terms,
red teaming provides a broad view of the security status of your organization
for a consequent maturation.
Some of the specific benefits of red teaming
we choose to highlight
are the following:

  • Testing prevention controls
    (e.g., firewalls, access controls)
    and detection controls (e.g., SOC, AntiX, XDR)

  • Identifying misconfigurations and security vulnerabilities
    in the technology that’s developed and used
    as well as weaknesses in the behavior of people within the organization.

  • In relation to the previous benefit,
    increasing team awareness
    about how the human factor can jeopardize
    the security of the organization’s assets and operations.

  • Disclosing attack vectors
    and how malicious attackers can move through the target
    if weaknesses are not resolved.

  • Boosting vulnerability remediation rates.

  • Recognizing that
    implementing defensive measures without testing them
    is not reliable enough.

  • Strengthening strategies and procedures
    for detection and response to cyberattacks.

Red teaming by Fluid Attacks

At Fluid Attacks,
we are experts in security testing.
Our red team can perform both penetration testing
and red teaming services
for your organization
as both parties agree to carry them out.
In line with what’s been described above,
we recommend starting with the first method
to continue with the second one
as the security of your organization and its systems matures.
A red team external to your work environment,
unaffected by conflicts of interest,
would perform evaluations without absurd inhibitions
and deliver transparent reports on your prevention,
detection and response measures.
Our ethical hackers have certifications
such as OSCP, CEH, CRTP, CRTE, CRTO, eWPTv1, and eCPTXv2,
among many others.
They are also very experienced,
possess diverse backgrounds and skills,
and work in different roles.
On average,
we offer more than 15 ethical hackers per project.

Contact us
and let our red team hacking tell you for sure,
with substantial evidence,
what havoc cybercriminals could wreak on your organization’s systems.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/what-is-red-team-in-cyber-security/