With cyber threats evolving at an unprecedented rate, testing your organisation’s ability to prevent, detect and respond to attacks is vital.
Preparation is as essential in cyber security as it is in any other walk of life. To effectively defend against the latest threats, a proactive approach is required, whereby security controls and processes are regularly assessed to ensure they are fit for purpose.
This blog explores how red teaming, an in-depth form of ethical hacking engagement, could help you to better understand your organisation’s cyber security risks, uncover and address gaps in defences, and prioritise future security investments.
What is red teaming?
Red teaming is an intelligence-led security assessment designed to thoroughly test an organisation’s cyber resilience as well as its threat detection and incident response capabilities.
Red teaming is performed by ethical hackers, who mirror the conditions of a genuine cyber-attack by utilising the same tactics, techniques and procedures (TTPs) used by criminal adversaries. This ensures that engagements are as realistic as possible and fully challenge the effectiveness of technology, personnel and processes. Engagements are performed over a longer period than other assessments, usually weeks and sometimes months.
The benefits of red teaming
By commissioning a red team engagement, organisations will be able to:
• Assess preparedness to defend against genuine cyber-attacks
• Test the effectiveness of security technology, people and processes
• Identify and classify a wide range of security risks
• Improve the effectiveness of detection and response procedures
• Uncover weaknesses missed by other forms of testing
• Address risks and mitigate vulnerabilities
• Obtain guidance on future security investments
Key learnings from red teaming
Unlike a penetration test, the focus of a red team engagement is not simply to identify as many security vulnerabilities as possible. Red team engagements can help organisations to:
• Map exploitable routes and processes which provide access to IT systems and facilities
• Learn how easy it is for a hacker to access privileged client data
• Identify methods that could be used to disrupt business continuity
• Expose gaps in monitoring which allow attackers to evade detection
• Understand the effectiveness of incident response plans
Supporting blue teams
For organisations that have a dedicated Security Operations Centre (SOC) or use an outsourced SOC service, red teaming is a great means of validating its effectiveness. For this reason, red teaming exercises are often commissioned at board level without the knowledge of IT and security teams. Organisations also use red teaming to help foster a collaborative ‘purple team’ culture of continual improvement.
The duration of a red team operation is dependent upon the scope and objective(s) of the exercise. A full end-to-end red team engagement is typically performed over one to two months. Specific scenario-based operations with a narrower focus can be performed over 10-20 days. Shorter operations are usually based on an assumed compromise and mapped to scenarios aligned to frameworks such as MITRE ATT&CK™.
Red teaming methodology
Red teaming typically follows an intelligence-driven, black-box methodology to rigorously test organisations’ detection and response capabilities. This approach is likely to include:
Reconnaissance
High-quality intelligence is critical to the success of any red teaming engagement. Ethical hackers utilise a variety of open-source intelligence tools, techniques and resources to collect information that could be used to help successfully compromise the target organisation. This could include details about employees, infrastructure and deployed technologies.
Staging & Weaponisation
Once vulnerabilities have been identified and a plan of attack has been formulated, the next stage of an engagement is staging – obtaining, configuring and obfuscating the resources needed to conduct the attack. This could include setting up servers to perform Command & Control (C2) and social engineering activity or the development of malicious code and custom malware.
Attack Delivery
This stage of red teaming involves compromising the target and obtaining a foothold on its network. In the course of pursuing their objective, ethical hackers may attempt to exploit discovered vulnerabilities, use brute force to crack weak employee passwords, and create fake email communications to launch phishing attacks and drop malicious payloads such as malware.
Internal Compromise
Once a foothold is obtained on the target network, the next phase is focussed on achieving the agreed objective(s) of the red team engagement. Activities at this stage could include lateral movement across the network, privilege escalation, physical compromise, command and control activity and data exfiltration.
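One of the things a red team exercise is meant to validate is whether the blue team actually notices the attack delivery phase described above, for example brute-force or password-spray attempts against employee accounts. The following is an added example, not code from the original post or from Redscan: a minimal detection check a SOC could run over its authentication logs to confirm that such activity would raise an alert. The log line format, the thresholds and the sample events are all constructed for illustration; a real deployment would read from the organisation's own log source and tune the windows and counts to its baseline.

```python
"""Added example: validating brute-force / password-spray detection over
constructed authentication events. Not part of the original post."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one per line:
# "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 alice FAIL
2024-03-01T09:00:03 10.0.0.5 alice FAIL
2024-03-01T09:00:05 10.0.0.5 alice FAIL
2024-03-01T09:00:07 10.0.0.5 alice FAIL
2024-03-01T09:00:09 10.0.0.5 alice FAIL
2024-03-01T09:00:11 10.0.0.5 alice SUCCESS
2024-03-01T09:10:00 10.0.0.9 bob FAIL
2024-03-01T09:10:02 10.0.0.9 carol FAIL
2024-03-01T09:10:04 10.0.0.9 dave FAIL
2024-03-01T09:10:06 10.0.0.9 erin FAIL
2024-03-01T09:10:08 10.0.0.9 frank FAIL
2024-03-01T11:00:00 10.0.0.7 grace FAIL
2024-03-01T11:30:00 10.0.0.7 grace FAIL
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, user, outcome), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Many failures for ONE account from ONE source inside a sliding window."""
    recent = defaultdict(deque)  # (src, user) -> failure timestamps in window
    alerts, alerted = [], set()
    for ts, src, user, outcome in events:
        if outcome != "FAIL":
            continue
        key = (src, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": "bruteforce", "src": src, "user": user,
                           "count": len(q), "at": ts})
    return alerts


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """ONE source failing against MANY distinct accounts inside a window.
    Per-account failure counts stay low, so a pure lockout rule misses this."""
    recent = defaultdict(deque)  # src -> (timestamp, user) failures in window
    alerts, alerted = [], set()
    for ts, src, user, outcome in events:
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts and src not in alerted:
            alerted.add(src)
            alerts.append({"type": "spray", "src": src,
                           "accounts": sorted(users), "at": ts})
    return alerts


def detect_success_after_failures(events, window=timedelta(minutes=5), min_failures=3):
    """A successful logon preceded by repeated failures from the same source:
    the signal that a weak password was actually cracked, not just attempted."""
    recent = defaultdict(deque)  # (src, user) -> failure timestamps in window
    alerts = []
    for ts, src, user, outcome in events:
        q = recent[(src, user)]
        while q and ts - q[0] > window:
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
        elif outcome == "SUCCESS" and len(q) >= min_failures:
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": user, "failures": len(q), "at": ts})
            q.clear()
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in (detect_bruteforce(evs) + detect_spray(evs)
                  + detect_success_after_failures(evs)):
        print(alert)
```

On the constructed sample this flags three things: the 10.0.0.5 brute force against alice, the 10.0.0.9 spray across five accounts, and alice's successful logon immediately after five failures. The two grace failures half an hour apart fall outside the window and are correctly ignored. Running the red team's own activity through a check like this, and comparing what fired with what the SOC actually reported, is exactly the kind of detection-gap evidence a red team report should contain.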
Reporting and Analysis
Following completion of the red teaming engagement, a comprehensive client report is prepared to help technical and non-technical personnel understand the success of the exercise, including an overview of vulnerabilities discovered, attack vectors used and recommendations about how to remediate and mitigate any risks identified.
Why choose Redscan for red teaming?
When commissioning a red teaming operation, it’s important to look for a provider that has the necessary skills and experience to not just accurately simulate an attack, but also conduct a safe and controlled assessment that provides actionable security outcomes for your business.
Redscan’s CREST accredited team of red teaming experts have a deep knowledge of data security and can help to ensure that any exercise is as realistic as possible, but also performed to the highest technical and legal standards.
By adopting the mindset of the adversary, utilising the latest blackhat tools and providing in-depth analysis and complete post-test care, Redscan’s dedicated professionals can help organisations of all sizes make significant improvements to their cyber security. Our engagements have a 100% success rate.