The term ‘Red Team’ was borrowed from military and intelligence operations; the Red Team would try to challenge the plan for offensive/defensive operations and identify gaps that could result in failure. The objective of a Red Team operation in the cyber security world is much the same; challenge the organisation’s security operation to identify gaps in the defences and demonstrate how the organisation would fare against real adversaries. This is extremely valuable should it ever come under cyber-attack by terrorists, state-sponsored attackers, organised crime gangs, corporate spies or any other type of adversary.
A Red Team operation aims to manoeuvre against the organisation as a real threat actor would, targeting your operational environment in three dimensions:
- People – gaining initial access to your environment or elevating access within the environment through social engineering; or abusing gaps in the capabilities of the defensive personnel, such as the SOC, Threat Hunting team, or Incident Response team.
- Process – abusing internal processes to gain access to systems/facilities or introduce change; or leverage weaknesses in the detection/response processes to persist in the environment while manoeuvring towards the objectives.
- Technology – exploiting vulnerabilities in systems to gain unauthorised access or move laterally; abusing gaps in security solutions to evade detection or bypass restrictions.
How does it work?
A Red Team operation involves hackers - ‘the Red Team’ – executing an attack plan tailored specifically for your operational environment, while the ‘Blue Team’ attempts to detect and respond to the attack.
The objective for the Red Team is typically to compromise your ‘Crown Jewels’, which would be sensitive data, such as customer information; or a critical system, such as an industrial control system (ICS) on your segregated OT network.
In order to achieve the objectives, the Red Team will study your operational environment and apply the art and science of adversary tactics when designing and planning the operation. The team will then meticulously execute the operation, and work through the stages of the attack chain to gain initial access, and then manoeuvre towards the objectives. All the while, the Red Team will observe the environment to gain situational awareness, and carefully select attack techniques or adapt their procedures to select the most suitable approach for your environment and to blend in with the normal activity.
In accomplishing their mission, the Red Team will meet your organisation’s broader goals to:
- Train the Blue Team to detect and respond to a security breach
- Assess the effectiveness of your investment in security solutions, personnel, and processes
- Exercise your response plan to identify gaps that would limit your ability to thwart real attacks
- Identify opportunities to harden the environment and mitigate paths to compromise
- Measure your organisations’ time-to-detect and time-to-respond to determine whether your blue team meets the organisation’s requirements and demonstrate improvements or trends.
So, what does success look like?
In one word – insight. The Red Team will challenge assumptions and misconceptions about risks in your environment or your capabilities, which will allow you to allocate your efforts and resources to where they will make the most significant impact.
Some of the most common insights our clients gain are:
- The Blue Team lacks visibility or control in certain areas, which impairs its capability to detect and respond to malicious activity.
- The response plan is inadequate and would fail to contain a real threat actor.
- The shiny security solutions in place are not fool-proof, and areas, where defence-in-depth was inadequately applied, are still exposed.
- Known vulnerabilities that were considered low-risk are actually feasible, and they would have a catastrophic impact, and should therefore not be risk accepted by the business.
Additionally, Penetration Tests often result in a false sense of security, for example when security solutions detect malicious activity even though the penetration testers did not attempt to evade detection; or a false sense of insecurity, when critical vulnerabilities are identified even though exploiting them when all the mitigating controls are in place is not likely. A good Red Team can rectify those wrong impressions by negotiating the security solutions in the environment with finesse and sophistication, and fully exploiting vulnerabilities in the context of an attack chain.
A Trusted Adversary
To meet the goals of a Red Team operation, you’ll need to engage an adversary that you can trust at the deepest level. That’s because you’re going to give them carte blanche to use every tactic available to them to break down the barriers and gain access to your most critical assets.
As a CREST approved company, you can be assured that The Missing Link upholds strict standards of ethical and professional conduct.
We recognise that Penetration Testing and Red Teaming require different sets of skills and expertise. Our Red Team operators are well-versed in the art and science of adversary tactics, are specially trained to run Red Team operations, and conduct cutting-edge security research and development used by red teams throughout the industry, both in Australia and globally.
If you’re interested in Red Teaming and how it can help prepare your organisation in the event of an attack, call us today. We’d love to chat about your needs and advise you on your options.
If you liked this article, you may also like:
Should you outsource your Red Team operations?
Red Teaming: getting down to basics
Red Teaming and Penetration Testing: what’s the difference?
