What Is a Red Team?
Red teaming is a cybersecurity exercise that simulates a real-life attack end to end to measure how well an organization can withstand today's cyber threats and malicious actors. The red team plays the attacker in this simulation, using the same techniques and tools as real adversaries to evade detection and test the readiness of the internal security team.
This includes testing not just vulnerabilities in the technology, but in the people of the organization as well, through social engineering techniques such as phishing or in-person visits. Even the security of the physical premises may be tested. Ultimately, red teaming serves as a comprehensive assessment of your security posture as a whole.
What Are the Goals of a Red Team?
A red team can be as small as two people and scale to more than 20, depending on the task. What matters most is that the team is built for the task at hand: find experienced critical thinkers to form its core, then keep adding a diverse mix of skills. A red team should be used alongside your vulnerability assessment and penetration testing in order to realize its full value.
Red teamers need an open learning culture and the ability to continuously train and improve their skill set.
Plan from the outset. Red teaming will not work as an afterthought; it should be an integral part of your security posture, with measurable goals in mind.
Make sure that you provide your team with the right testing, vulnerability management, and further assessment tools for analysis.
Red teaming should produce quality thinking and advice, not merely quantitative results such as a count of findings.
Techniques and Tactics
Red teaming is more than penetration testing. Penetration testing locates vulnerabilities in a system and usually focuses on a specific target. Red teams go beyond that single focus and attempt to breach the organization as a criminal would, with tactics ranging from social engineering to physical intrusion, emulating a real-world advanced persistent threat.
Red teams gather information about the target; the more they know, the more effective they can be. Open-source intelligence (OSINT) gathering is collecting as much publicly shared information as possible: media reports, internet searches, social media, publicly accessible records, and any other searchable data. In the hands of a real attacker, this information can be used to gain access, to exploit the organization, or to be sold to another criminal.
Alongside OSINT, red teamers enumerate the company's publicly accessible services: web applications, VPN endpoints, webmail, and any other internet-facing program. Each exposed service is a potential entry point that could be used to break in and reach sensitive data.
Red teamers can get creative in finding a company's weaknesses, including connecting and conversing with current and former employees. Through these contacts they can learn pertinent security details and possibly even obtain leaked passwords or credentials.
Security misconfigurations happen far more often than companies realize. Red teamers examine DNS records and other network configuration for misconfigurations they can use as an entry point.
Anything they can learn before the attack helps them mount a deeper attack against the organization. Getting the most out of this public-facing information is one of the most important phases of a red team engagement.
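As an added example (not code from this page or from Core Security), the following Python script runs the kind of DNS and mail-authentication checks a red team applies during reconnaissance: dangling CNAMEs that invite subdomain takeover, weak or missing SPF, monitoring-only or missing DMARC, and TXT records that leak internal hostnames. The zone is a constructed snapshot under the reserved example.test domain, and the `resolves` helper is a stand-in for a live DNS lookup; in a real engagement both would be replaced by queries through a resolver library such as dnspython.

```python
"""Reconnaissance-phase DNS audit. Added illustration, not from the page.

Every record below is constructed; `resolves` stands in for a live lookup.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Zone = Dict[Tuple[str, str], List[str]]  # (owner name, record type) -> values


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    owner: str     # DNS name the finding applies to
    detail: str


# Constructed zone snapshot for the reserved example.test domain.
SAMPLE_ZONE: Zone = {
    ("example.test", "TXT"): ["v=spf1 include:_spf.mailhost.test ~all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    ("www.example.test", "CNAME"): ["cdn.example.test."],
    ("cdn.example.test", "A"): ["203.0.113.10"],
    ("shop.example.test", "CNAME"): ["old-store.cloudapp.test."],  # decommissioned host
    ("support.example.test", "TXT"): ["host=vpn-gw01.corp.local"],
}

# Names that "resolve" outside the zone. Constructed; a live audit would query DNS.
EXTERNALLY_RESOLVING = {"_spf.mailhost.test"}


def resolves(name: str, zone: Zone = SAMPLE_ZONE) -> bool:
    """Stand-in resolver: true if the name is an owner in the zone or known externally."""
    name = name.rstrip(".").lower()
    return any(owner == name for owner, _ in zone) or name in EXTERNALLY_RESOLVING


SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(apex: str, zone: Zone) -> List[Finding]:
    spf = [v for v in zone.get((apex, "TXT"), []) if v.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", apex, "no SPF record: anyone can send mail as this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(Finding("high", apex, "multiple SPF records: receivers treat this as permerror"))
    for record in spf:
        terms = record.split()[1:]
        last = terms[-1].lower() if terms else ""
        if last in ("all", "+all", "?all"):
            findings.append(Finding("high", apex, f"SPF ends in {last!r}: every sender passes"))
        elif last == "~all":
            findings.append(Finding("medium", apex, "SPF softfail (~all): spoofed mail is usually still delivered"))
        elif not last.endswith("all") and not last.startswith("redirect="):
            findings.append(Finding("medium", apex, "SPF has no 'all' mechanism: default result is neutral"))
        # RFC 7208 caps the mechanisms that need DNS lookups at 10 per evaluation.
        lookups = sum(1 for t in terms
                      if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in SPF_LOOKUP_MECHANISMS)
        if lookups > 10:
            findings.append(Finding("high", apex, f"SPF needs {lookups} DNS lookups (limit 10): permerror"))
    return findings


def check_dmarc(apex: str, zone: Zone) -> List[Finding]:
    owner = f"_dmarc.{apex}"
    records = [v for v in zone.get((owner, "TXT"), []) if v.upper().startswith("V=DMARC1")]
    if not records:
        return [Finding("high", owner, "no DMARC record: SPF/DKIM failures are never enforced")]
    tags = dict(kv.strip().split("=", 1) for kv in records[0].split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return [Finding("medium", owner, "DMARC p=none: monitoring only, spoofed mail is still delivered")]
    if policy not in ("quarantine", "reject"):
        return [Finding("high", owner, f"DMARC policy {policy!r} is missing or invalid")]
    return []


def check_dangling_cnames(zone: Zone, resolve: Callable[[str], bool]) -> List[Finding]:
    return [
        Finding("high", owner, f"CNAME target {target} no longer resolves: subdomain takeover candidate")
        for (owner, rtype), values in zone.items() if rtype == "CNAME"
        for target in values if not resolve(target)
    ]


INTERNAL_HOST = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:local|internal|corp|lan)\b", re.I)


def check_txt_leaks(zone: Zone) -> List[Finding]:
    return [
        Finding("low", owner, f"TXT record exposes internal hostname {host}")
        for (owner, rtype), values in zone.items() if rtype == "TXT"
        for value in values for host in INTERNAL_HOST.findall(value)
    ]


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def audit_zone(apex: str, zone: Zone, resolve: Optional[Callable[[str], bool]] = None) -> List[Finding]:
    """Run every check and return findings ordered by severity, then owner name."""
    if resolve is None:
        resolve = lambda name: resolves(name, zone)
    findings = (check_spf(apex, zone) + check_dmarc(apex, zone)
                + check_dangling_cnames(zone, resolve) + check_txt_leaks(zone))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.owner))


if __name__ == "__main__":
    for f in audit_zone("example.test", SAMPLE_ZONE):
        print(f"[{f.severity:6}] {f.owner}: {f.detail}")
```

Against the constructed zone the audit reports the dangling shop CNAME as high, the softfail SPF and the p=none DMARC as medium, and the leaked corp.local hostname as low. The same checks run unchanged over records pulled from live DNS, which is how the blue team can run them too, before the red team does.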
Benefits of Red Teaming
- Uncover attack vectors that attackers could exploit
- Demonstrate how attackers could move through your environment
- Provide insight on your organization's ability to prevent, detect, and respond to advanced threats
- Identify alternative options or outcomes of an action or attack plan
- Prioritize remediation plans based on what is causing the greatest risk
- Build a business case for improvements, deploying new solutions, and other security spending
Red Teams vs. Blue Teams vs. Purple Teams
Red team and blue team tests are named and modeled after military exercises. To ensure soldiers are battle ready, simulations are run to test out the effectiveness of their defense strategies. In these simulations, red teams take on the offensive role of the enemy, while the blue team is on the defensive, shielding their position. In the cybersecurity realm, the roles are the same, but the battlefield is in the digital sphere.
What Is the Difference Between Pen Testing and Red Teaming?
Penetration testing is a must-have for any organization. A pen tester is designated to ethically hack and evaluate your environment; in this role they are the point of contact and the brains behind the agreed scope. An organization may hire someone specifically for pen testing, or have someone complete penetration testing as part of their duties.
A red teaming exercise is essentially a penetration test approached from a military perspective: the red team is the attacker, which assumes there is also a defender, your organization's IT security group. The primary difference is that a pen test is scope-based, and that scope may not include strengthening the organization's defenses; it may also be conducted by a single individual. Red teams, on the other hand, comprise multiple participants, conduct testing without the knowledge of your staff, and may operate continuously or on a routine basis.
Are Red Teaming and Ethical Hacking the Same Thing?
Red teaming is one form of ethical hacking, along with penetration testing. Which one an organization uses often depends on its size. Small and medium-sized businesses typically use penetration testing to uncover vulnerabilities and fix configuration issues.
Larger organizations deploy red teams to test their cybersecurity. Combining a social engineering phase, stealthy deployment of malware designed to evade detection, infiltration, and theft of pertinent data, a red team delivers a multi-faceted, real-world attack simulation. Once it is complete, attack statistics are compiled and reported to the blue team to show where the vulnerabilities are and what type of data was "stolen". This information is used to remediate known and previously unknown security weaknesses and to strengthen employee security awareness.
When Should You Use a Red Team?
When you’ve implemented new security software, programs, or tactics in your organization
You will want to see how they fare against real attackers. Your red team should then come in and emulate adversary attacks, without the knowledge of your employee base, to see how the new measures hold up.
When a new breach or attack occurs
Whether or not it is happening in your environment, when you see or hear of the latest attack you should find out how you would fare if it happened to you, ideally before it does.
As your organization continues to grow, and even while threats seem quiet, it is good to test.
How to Build a Red Team Program
Red teams are about quality, not necessarily quantity. They work to produce high-level critical thinking rather than a list of vulnerabilities. Know what the red team's objective is, understand how they are working to complete it, provide them with the right toolset to get the job done, and maintain teamwork between them and your internal IT teams.
The first (and best) step is to have a clear-cut red teaming plan. Create a direction and clear purpose, and make sure to include measurable goals. Being able to adhere to the plan and achieve the goals can help your team move forward, stay focused and avoid confusion.
Even the best team can only do so much with incomplete or incorrect tools.
The highest-priority red team tools should include a threat emulation tool that provides covert channels for adversary simulations and red team exercises. Using the same tactics and techniques that threat actors use helps recreate, and prepare for, a real-world attack.
Stealth and evasion are crucial for any red team tool. Remaining undetected across a multi-phase operation requires a portfolio of tools for every step of the attack chain: creating a breach, delivering malware, using a hidden desktop for internal monitoring, and tracking blue team activity are some of the ways a red team extends its testing beyond initial exploitation.
Include secondary offensive security tools, such as enterprise-grade penetration testing software, a vulnerability management solution, and any other assessment or scanning solutions. The right security tool stack avoids redundancy and scales with your team's needs.
Most teams need continual development to perform at a top level. Red teams are no different. Incorporating a plan that involves additional opportunities to learn new skills, expand their techniques, and utilize critical thinking abilities is a great way to maintain an engaged and experienced red team.
What Are Red Teaming Tools?
Of course, the biggest asset for red teaming is the team itself. The skills a team has and how well its members work together directly affect the effectiveness of an exercise. Some organizations choose to build their own red team. These teams can be quite small, as few as two people, and can scale to more than twenty. Ideally, red team members should span the different specialties and functions of your technology, so that the team covers all the aspects of the organization's infrastructure that need protection, such as IT, operations, and facilities. Members may come from pen testing, while others bring deeper knowledge of IT administration, network engineering, or web development, to name a few.
Third-party red teams are also regularly used. Organizations often rotate between security firms because each red team operates a little differently, with its own approaches and tools. Because an external team brings a true outside perspective, third-party teams are used even by organizations that have an internal red team, as they may uncover issues overlooked through the on-site team's familiarity with the environment.
Red teaming tools are as diverse as the teams themselves. Just as with penetration testing, there is no single comprehensive tool. Instead, teams assemble their own toolkit, including many tools commonly used in pen testing: vulnerability scanners, assessment and reconnaissance tools, password crackers, phishing tools, exploitation tools, post-exploitation agents, and more.
What to Look For in a Red Team Tool
To emulate the attack methods and techniques of a malicious actor, red teams need the right tools. The purpose of a red team is to safely attack your own systems and find the weaknesses before a cybercriminal exploits them, educating and informing your internal security team in the process. Red teams need resources for every stage, from planning and preparation through stealthy operation to post-exploitation reporting.
The Role of Threat Emulation Software and Red Teaming
The right red team needs the right toolset to maximize its effort and effectiveness. Threat emulation tools are essential: emulating attack tactics and techniques quietly and over the long term lets red teamers embed a simulated threat in the IT network.
Cobalt Strike lets a red team change its network indicators and emulate different malware, so it can quietly embed itself in a company's environment and evade the blue team. It also provides social engineering tooling and lets the members of a red team collaborate on an engagement.
After a simulated attack, reports are generated and designed to aid in blue team training. Post-attack reviews should be used to help IT professionals prepare for a real attack. Red teams should be a trusted partner in the cycle of improving your organizational cybersecurity. It’s not enough to implement security features and teams without testing them and improving upon those processes.
Red Teaming Solutions from Core Security
Software for adversary simulations and red team operations.
Penetration Testing Services
Identify the security gaps that are putting your organization at risk.
Outflank Security Tooling (OST)
Evasive Attack Simulation