14 August 2019

With cyber threats evolving at an unprecedented rate, testing your organisation’s ability to prevent, detect and respond to attacks is vital.


Just like in other fields, preparation is essential in cyber security. To effectively defend against the latest threats, a proactive approach is required, whereby security controls and processes are regularly assessed to ensure they are fit for purpose.

This blog explores how red teaming, a type of ethical hacking engagement, could help you to better understand your organisation’s cyber security risks, uncover and address gaps in defences, and prioritise future security investments.


What is red teaming?


Red teaming is an intelligence-led security assessment that mirrors the approach of real-life cyber-attacks to thoroughly test organisations’ cyber resilience plus threat detection and incident response capabilities.

Red teaming is performed by ethical hackers, who utilise the tactics, techniques and procedures (TTPs) of criminal adversaries to ensure that engagements are as realistic as possible and fully challenge the effectiveness of technology, personnel and processes. Typically, engagements are performed over a period of one to two months.


Benefits of red teaming


By commissioning a red team engagement, organisations will be able to:

• Assess preparedness to defend against genuine cyber-attacks
• Test the effectiveness of security technology, people and processes
• Identify and classify a wide range of security risks
• Improve the effectiveness of detection and response procedures
• Uncover weaknesses invisible to other forms of testing
• Address risks and mitigate vulnerabilities
• Obtain guidance on future security investments


Key learnings from red teaming


Unlike a penetration test, the focus of a red team engagement is not simply to identify as many security vulnerabilities as possible. Red team engagements can help organisations to:

• Map exploitable routes and processes which provide access to IT systems and facilities
• Learn how easy it is for a hacker to access privileged client data
• Identify methods that could be used to disrupt business continuity
• Expose gaps in surveillance which allow criminals to evade detection
• Understand the effectiveness of incident response plans


Supporting blue teams


For organisations that have a dedicated security operations centre or use an outsourced SOC service, red teaming is a great means of validating their effectiveness. For this reason, red teaming exercises are often commissioned at board level without the knowledge of IT and security teams. Organisations also use red teaming to help foster a collaborative ‘purple team’ culture of continual improvement.

The duration of a red team operation is dependent upon the scope and objective(s) of the exercise. A full end-to-end red team engagement is typically performed over one to two months; however, specific scenario-based operations with a narrower focus can be performed over 11-18 days. Shorter operations are usually based on an assumed compromise and mapped to scenarios aligned to frameworks such as MITRE ATT&CK™.


Red teaming methodology


Red teaming typically follows an intelligence-driven, black-box methodology to rigorously test organisations’ detection and response capabilities. This approach is likely to include the following stages:

Reconnaissance
High-quality intelligence is critical to the success of any red teaming engagement. Ethical hackers utilise a variety of open-source intelligence (OSINT) tools, techniques and resources to collect information that could be used to help successfully compromise the target organisation. This could include details about employees, infrastructure and deployed technologies.

Staging & Weaponisation
Once vulnerabilities have been identified and a plan of attack has been formulated, the next stage of an engagement is staging – obtaining, configuring and obfuscating the resources needed to conduct the attack. This could include setting up servers to perform Command & Control (C2) and social engineering activity as well as the development of malicious code and custom malware.

Attack Delivery
This stage of red teaming involves compromising the target and obtaining a foothold on its network. In the course of pursuing their objective, ethical hackers may attempt to exploit discovered vulnerabilities, use brute force or password spraying against weak employee passwords, and craft phishing emails to deliver malicious payloads such as malware.
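Because the point of a red team exercise is to test whether the blue team notices activity like the password attacks described above, it is worth seeing what the detection side looks like. The following is an added example, not code from the original post or from Redscan: a small Python detector run over constructed authentication log lines (the log format, the field names and the thresholds are assumptions for illustration). It distinguishes a password spray (many accounts, few attempts each, one source) from a classic brute force (one account, many attempts), and flags a successful login from the same source shortly after the failures, which is the event a responder most needs to see.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format (not real data):
#   203.0.113.7  sprays five different accounts, then logs in as erin
#   198.51.100.9 hammers one account (frank) six times
#   192.0.2.44   one typo then a normal successful login (benign)
SAMPLE_LOG = """\
2019-08-14T09:00:01 auth: failed password for alice from 203.0.113.7
2019-08-14T09:00:02 auth: failed password for bob from 203.0.113.7
2019-08-14T09:00:03 auth: failed password for carol from 203.0.113.7
2019-08-14T09:00:04 auth: failed password for dave from 203.0.113.7
2019-08-14T09:00:05 auth: failed password for erin from 203.0.113.7
2019-08-14T09:00:06 auth: accepted password for erin from 203.0.113.7
2019-08-14T09:10:00 auth: failed password for frank from 198.51.100.9
2019-08-14T09:10:01 auth: failed password for frank from 198.51.100.9
2019-08-14T09:10:02 auth: failed password for frank from 198.51.100.9
2019-08-14T09:10:03 auth: failed password for frank from 198.51.100.9
2019-08-14T09:10:04 auth: failed password for frank from 198.51.100.9
2019-08-14T09:10:05 auth: failed password for frank from 198.51.100.9
2019-08-14T11:00:00 auth: failed password for grace from 192.0.2.44
2019-08-14T11:00:30 auth: accepted password for grace from 192.0.2.44
"""

# Assumed line layout: "<iso-timestamp> auth: <failed|accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>failed|accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, window=timedelta(minutes=5), spray_users=4, brute_attempts=5):
    """Per source IP, slide a time window over failed logins and classify them.

    Thresholds are assumptions for the example: >= spray_users distinct accounts
    failing inside `window` is a spray; >= brute_attempts failures against one
    account inside `window` is a brute force. An accepted login from the same
    source within `window` of the last failure is reported as success_after.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failed"]
        kinds = set()
        start = 0
        for end, e in enumerate(fails):
            # Advance `start` so that fails[start:end+1] all fall within `window`.
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            users = {f["user"] for f in win}
            if len(users) >= spray_users:
                kinds.add("password_spray")
            most_tried = max(sum(1 for f in win if f["user"] == u) for u in users)
            if most_tried >= brute_attempts:
                kinds.add("brute_force")
        if not kinds:
            continue  # 192.0.2.44-style noise: a lone failure is not an alert
        last_fail = fails[-1]["ts"]
        success_after = sorted({
            e["user"] for e in evs
            if e["result"] == "accepted" and last_fail <= e["ts"] <= last_fail + window
        })
        alerts.append({
            "src": src,
            "kinds": sorted(kinds),
            "failures": len(fails),
            "accounts": sorted({f["user"] for f in fails}),
            "success_after": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The two detections need different groupings: counting failures per account alone misses a spray (each account sees one attempt), and counting failures per source alone cannot tell a spray from a brute force. The `success_after` field is what turns a noisy alert into an incident: in the sample the spray against 203.0.113.7 ends in a valid login as erin, which is exactly the foothold a red team is trying to obtain unnoticed.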

Internal Compromise
Once a foothold is obtained on the target network, the next phase is focussed on achieving the agreed objective(s) of the red team engagement. Activities at this stage could include lateral movement across the network, privilege escalation, physical compromise, command and control activity and data exfiltration.

Reporting and Analysis
Following completion of the red teaming engagement, a comprehensive client report is prepared to help technical and non-technical personnel understand the success of the exercise, including an overview of vulnerabilities discovered, attack vectors used and recommendations about how to remediate and mitigate any risks identified.


Why choose Redscan for red teaming?


When commissioning a red teaming engagement, it’s important to look for a provider that has the necessary skills and experience to not just accurately simulate an attack, but also conduct a safe and controlled assessment that provides actionable security outcomes for your business.

Redscan’s CREST accredited team of red teaming experts have a deep knowledge of information security and can help to ensure that any exercise is as realistic as possible yet performed to the highest technical and legal standards.

By adopting the mindset of the adversary, utilising the latest blackhat tools and providing in-depth analysis and complete post-test care, Redscan’s dedicated professionals can help organisations of all sizes make significant improvements to their cyber security. Our engagements have a 100% success rate.

