What is red teaming?
Red teaming assesses all the ways in which a company protects against, detects, and responds to attacks. The exercise tests the customer company’s security under conditions that are as close to real life as possible.
Teams involved in red teaming
Red teaming usually involves three teams:
- Red team: a team of attackers often hired specifically for red teaming.
- Blue team: the defending team, usually made up of the customer company’s security specialists.
- White team: a coordinating team that works on the customer side, knows about the exercise, and acts as a link between the red and blue teams.
For the assessment to be as close as possible to a real-life attack, the red team usually acts discreetly and the blue team is not informed about the exercise in advance. If the blue team does detect the red team’s actions, however, the simulated attackers might ask that their access not be blocked so that they can develop the attack vector further and conduct a more comprehensive assessment. Such interactions are usually handled through an independent observer, i.e. the white team.
What does red teaming assess?
Red teaming, and the analysis of its results, helps customers assess their security controls, attack monitoring procedures, and incident response processes.
Key areas of red team testing:
- Bypassing security controls. The red team tries to bypass the customer company’s security controls and remain undetected by the blue team. The methods and techniques used by the red team will be described in a report.
- Assessing attack detection capabilities. The red team checks how quickly and precisely the customer company is able to detect an attack that is either ongoing or being prepared. As a part of this assessment, the red team creates various security events (such as attempting to gain unauthorized access to an account or sending an email with sensitive information to an external address). The blue team’s task is to detect such events and notify the relevant individuals.
- Assessing incident response capabilities. The red team assesses the actions that the blue team takes to stop an attack. Red teaming can be conducted in various ways depending on the objective and model of the assessment. In the most comprehensive scenario, the blue team blocks the attack as if it were real. Sometimes, however, the defending team will allow the red team to continue its work after confirming that the incident was indeed caused by the red team.
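The detection side of the assessment described above, as an added example that is not part of the original page: a small Python routine that reads constructed log lines and raises alerts for two of the events the text names, a burst of failed logons against one account (and a subsequent successful logon from the same source) and an email carrying confidential data to an external address. The log format, field names, thresholds, the `corp.example` domain and the sample lines are all assumptions made for this example.

```python
"""Added example, not the page's own code: toy blue-team detections over
constructed log lines. Format, thresholds and domain are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOGS = """\
2024-03-01T09:00:01 AUTH_FAIL user=jsmith src=10.0.5.23
2024-03-01T09:00:04 AUTH_FAIL user=jsmith src=10.0.5.23
2024-03-01T09:00:07 AUTH_FAIL user=jsmith src=10.0.5.23
2024-03-01T09:00:09 AUTH_FAIL user=jsmith src=10.0.5.23
2024-03-01T09:00:12 AUTH_FAIL user=jsmith src=10.0.5.23
2024-03-01T09:00:15 AUTH_OK user=jsmith src=10.0.5.23
2024-03-01T09:30:00 AUTH_FAIL user=mlee src=10.0.7.8
2024-03-01T10:15:00 AUTH_FAIL user=mlee src=10.0.7.8
2024-03-01T11:02:00 MAIL_OUT from=jsmith@corp.example to=partner@corp.example label=confidential
2024-03-01T11:05:00 MAIL_OUT from=jsmith@corp.example to=drop@mail.example.net label=confidential
2024-03-01T11:06:00 MAIL_OUT from=mlee@corp.example to=friend@mail.example.net label=public
"""

INTERNAL_DOMAIN = "corp.example"   # assumed internal mail domain
FAIL_THRESHOLD = 5                 # assumed: N failures within WINDOW is a burst
WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Split one log line into (timestamp, event name, field dict)."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), event, fields


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert when one (user, src) pair fails `threshold` times inside `window`,
    and again if that pair then logs on successfully (possible compromise)."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    burst_seen = set()
    alerts = []
    for ts, event, f in events:
        if event not in ("AUTH_FAIL", "AUTH_OK"):
            continue
        key = (f["user"], f["src"])
        if event == "AUTH_FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.pop(0)
            if len(q) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append({"rule": "auth_bruteforce", "user": key[0],
                               "src": key[1], "count": len(q), "at": ts})
        elif key in burst_seen:
            alerts.append({"rule": "success_after_bruteforce", "user": key[0],
                           "src": key[1], "at": ts})
    return alerts


def detect_sensitive_mail(events, internal_domain=INTERNAL_DOMAIN):
    """Alert on outbound mail labelled confidential whose recipient domain
    is not the internal one."""
    alerts = []
    for ts, event, f in events:
        if event != "MAIL_OUT":
            continue
        to_domain = f["to"].rsplit("@", 1)[-1]
        if to_domain != internal_domain and f.get("label") == "confidential":
            alerts.append({"rule": "sensitive_mail_external", "from": f["from"],
                           "to": f["to"], "at": ts})
    return alerts


def run_detections(log_text):
    """Parse the log text and return all alerts in detection order."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return detect_bruteforce(events) + detect_sensitive_mail(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS):
        print(alert)
```

Running the block prints three alerts: the five-failure burst against `jsmith`, the successful logon that follows it from the same source, and the confidential message to `mail.example.net`. The two isolated failures for `mlee` fall outside the one-minute window and stay silent, which is the kind of tuning question a blue team is asked to answer during the assessment.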
Types of red teaming
Red teaming includes various attack techniques and methods, which can be categorized by the type of impact on the customer’s infrastructure and specialists as well as by attack vector.
Red team by types of impact
- Simulation
The red team simulates the actions of threat actors. It chooses a set of techniques and tactics based on its own understanding of how effective they are. The blue team is made to believe that it is dealing with a real-life attack against the organization.
- Emulation
This method involves recreating the actions of a specific hacker group and is most often used when the customer knows exactly which threat groups pose the biggest threat to the company. In order to be successful in imitating the actions of specific threat groups, the red team must have extensive experience in researching threat groups — as a result of responding to real-life attacks or investigating cybercrimes, for example.
Red team by attack vector
- Physical penetration and impact
A physical attack is one of the riskiest options because it implies actual physical damage or the possibility that team members could be injured, which is why physical methods are usually not included in red-team assessments, even though actual threat actors do not shy away from such methods.
Physical attacks have different levels of impact. They can include both simple techniques like shoulder surfing (over-the-shoulder attacks), which involves covertly watching employees’ screens and keyboards, and more drastic steps such as breaking locks to access server rooms and disrupting CCTV systems.
The most advanced type of physical attack is using sophisticated technical means such as listening devices, keyloggers, and tools for connecting to hard drives in order to extract account data.
- Social engineering
Social engineering is one of the most well-known and effective ways of penetrating a company’s infrastructure. Social engineering involves tricking or manipulating employees into sharing data and then using that data to compromise the organization. This is usually done by sending emails with infected attachments or phishing links, making phone calls, messaging on social media, and so on.
- External network
Attacks against external networks are among the most common red teaming scenarios. Such attacks are limited to the company’s resources that are reachable from the outside. Yet this does not prevent the red team from furthering its attack into the infrastructure after it gains initial access.
In a classic scenario, the red team conducts reconnaissance and identifies targets on its own. In other cases, the customer determines which of the company’s resources can be attacked, which helps test the company’s capabilities to fend off attacks against resources whose security the customer prioritizes. Such a scenario also reduces the time it takes to conduct a red-team assessment.
- Internal network
As part of this scenario, the red team is given initial access to the customer’s internal resources, which makes the red-team assessment faster and more efficient. Such scenarios are less realistic, however, since threat actors must first infiltrate their victim’s infrastructure, which is an attack stage in and of itself.
When commissioning a red-team assessment according to this scenario, the customer must provide access to certain company resources so that the red team can build various attack vectors based on the access rights it is granted.
- Wireless network
Attacks against the customer’s internal Wi-Fi network are a separate type of vector because potential threat actors must be within an area covered by the customer’s Wi-Fi, i.e. in the network owner’s office or nearby.
Stages of red teaming
As part of red teaming, the red team attempts to stealthily penetrate the protected perimeter using various sets of tools and then ensure persistence in the infrastructure. A red-team assessment can be divided into five stages, each with its own objective and outcome.
Reconnaissance
Objective: To collect as much information about the target as possible.
Reconnaissance is among the key stages because it helps obtain a great deal of information about people, technologies, and environments. This stage includes collecting data to plan the attack and choosing and developing the tools necessary for its implementation.
Planning an attack
Objective: To thoroughly analyze all collected information about the infrastructure, specific targets, and employees.
At this stage, the red team determines the key actions necessary for a successful attack by modeling a kill chain, i.e. the attack stages.
Gaining access
Objective: To start the active attack phase.
The red team attempts to penetrate the protected perimeter and ensure persistence there in order to take the attack further. Gaining access can involve social engineering, attacking wireless networks, carrying out initial exploitation of externally reachable vulnerabilities, and so on.
Movement across the system
Objective: To further the attack and go deeper into the infrastructure.
After establishing persistence during the previous stage, the red team looks for ways to penetrate further and achieve the objective set for the project. The attackers search for vulnerabilities, exploit them, build an attack chain, and gradually move further.
Actions against targets
Objective: To achieve the goals set for the project.
The red team strives to achieve the goals agreed with the customer.
How long does red teaming take?
Red teaming does not have specific timeframes and always depends on the customer’s requirements and goals.
How does red teaming help the customer?
After conducting a red-team assessment, the red team provides a comprehensive report about what actions were taken and what goals were achieved. By studying the recommendations given in the report, the blue team can eliminate vulnerabilities, build or add security measures for detecting and preventing attacks, and improve the company’s security posture in general. The red team is available to advise the blue team about anything related to the red-team assessment.
What are the differences between red teaming and penetration testing?
Although red teaming and penetration testing involve similar scenarios and vectors, the goals and results of these two tests differ significantly. Red teaming focuses on assessing the blue team’s actions and testing a hypothesis about the customer company’s information security system. The main goal of red teaming is to test and strengthen the customer organization’s capabilities to detect and respond to sophisticated cyberattacks, including attacks by Advanced Persistent Threats (APTs).
The objective of a penetration test, on the other hand, is to assess the possibility of carrying out an attack against the customer organization and to identify the company’s vulnerabilities and weaknesses. Penetration testing primarily assesses technical cybersecurity measures and does not include assessing the skills of infosec specialists in responding to attacks.
Red teaming vs. penetration testing
| | Red teaming | Penetration testing |
| --- | --- | --- |
| Attack methods | All approved methods are used, including ones that cause any type of damage, if they are authorized by the customer. The exercise is focused on achieving the agreed goals, highlighting critical impact on the organization, and testing the company’s people, processes and technologies. | Technical methods of attacking an agreed list of targets are used, and they exclude methods that cause any type of damage. Social engineering is used if authorized by the customer. The scope is limited and the focus is on testing the customer organization’s specific assets from a technical point of view. |
| Bypassing detection systems | It is important to bypass intrusion detection systems because if they are triggered, the rules of the game change. | It is more important to detect technical vulnerabilities in the system than to bypass intrusion detection systems. |
| Post-exploitation | Vulnerabilities are exploited in order to obtain the necessary data and further the attack. | The test ends if access to data is obtained. |
| Results | A detailed report is provided, with descriptions of all the actions taken and of the ways used to achieve the goals set. Detailed information is given about all compromised assets. The customer’s capability to detect attacks in a timely manner and respond to them suitably is assessed. | A detailed report is provided, with descriptions of all the vulnerabilities discovered and their risk levels. Detailed information is given about the checks conducted and their outcomes. |
How to choose a contractor for red teaming
We recommend considering several criteria that will help ensure a high-quality red teaming service that provides as much value as possible.
- Contractor’s location. The customer and contractor do not need to be located in the same city, but the time zone should be considered in order to set the project timeframe correctly.
- Certification. The contractor company’s specialists should hold international certificates and the company’s processes should comply with international standards such as ISO-27001 and ISO-9001.
- Experience. The more experienced the contractor, the better they will understand their tasks and plan attacks. Further, a contractor with a track record of both successful and unsuccessful attacks will apply that knowledge to upcoming projects, which will make them more effective.
- Incident response and forensics. An undeniable advantage is if the contractor has experience in responding to security incidents and participating in cybercrime investigations. This makes a red-team assessment much closer to a real-life attack because the contractor is familiar with the techniques and methods used by threat actors.
- Comprehensive cybersecurity expertise. It is beneficial if, in addition to red teaming, the contractor company has experience in protecting information systems in general. Such experience helps look at the customer’s security profile from the point of view of several different experts with various specializations and thus produce more comprehensive recommendations on strengthening the customer’s security posture.
Does Group-IB offer red teaming services?
Yes. Group-IB specialists have extensive experience in responding to cybersecurity incidents and analyzing high-tech crimes, as a result of which they are highly knowledgeable about cyberattacks and know how to simulate them, including tactics and techniques used by specific threat groups.
Our experts use internationally acclaimed frameworks (such as TIBER, CBEST, AASE, iCAST, and FEER) as well as their own methodology, which they tailor to each customer to account for any specific requirements and keep key business processes intact. Learn more about Red Teaming by Group-IB.
