What Is a Red Team?

Teaming is a cybersecurity exercise that fully simulates a real life attack to help measure how well an organization can withstand the cyber threats and malicious actors of today. A red team serves as the attacker in this simulation, using the same techniques and tools of hackers to evade detection and test the defense readiness of the internal security team.

This includes testing for not just vulnerabilities within the technology, but of the people within the organization as well. Social engineering techniques like phishing or in person visits. Even the security of the physical premises may be tested. Ultimately, teaming serves as a comprehensive assessment of your security infrastructure as a whole.

What Are the Goals of a Red Team?

A Red Team can be made up of as many as two people and can scale to over 20, depending on the task. That’s what is most important—make sure that your team is built for the task at hand. Find experienced, critical thinkers to form the core of your team and continue building it with a diverse mix of skills. A Red Team should be used alongside your vulnerability assessment and penetration testing in order to realize its full value.

Have the Right Conditions

Red teamers need an open learning culture with the ability to continuously train and improve their skill set.

Set Clear Objectives

Plan from the outset. This will not work as an afterthought, but should be an integral part of your security posture and should have measurable goals in mind.

Get the Right Tools

Make sure that you provide your team with the right testing, vulnerability management, and further assessment tools for analysis.

Focus on Key Issues

Red teaming should produce quality thinking and advice, not qualitative results.

Discover the 5 keys to building a red team >

Techniques and Tactics

Red teaming is more than penetration testing. Penetration testing is locating vulnerabilities in a security system and the focus is often on a specific data target. Red teams go beyond singular focuses and attempt to breach a cybersecurity system as if a criminal would. Tactics can range from social engineering to physical security attempts to create a real world advanced persistent threat.

Social Engineering

Red teams gather information about the target. The more they know, the more effective they can be. Open-source intelligence gathering is when a red teamer collects as much publicly shared information as they can. This information is curated from any media reporting, internet searches, social media combing, publicly accessible data, and any other searchable information. It can be used to gain security access, exploit the party in question, or as an offer to another criminal for a price.

Similar to open-source intelligence gathering, red teamers can search for publicly accessible company services. This includes checking web apps, VPN information, email web applications, and any other program that is public facing. Checking publicly accessible apps can show them easy entry points, break into the system, and access sensitive data.

Red teamers can get really crafty when it comes to finding a company weakness. This includes connecting and conversing with existing and former employees. Using these connections, they can get pertinent security information and possibly even retrieve leaked passwords or credentials.

Identifying Misconfigurations

Security misconfigurations happen far more often than companies know about. Red teamers examine DNS records and any other network misconfigurations to see if there is an entry point, they can breach.

Any information they can glean prior to an attack only helps them leverage a deeper cyberattack against an organization. Getting the most out of this public facing information is one of the most important phases when it comes to red team attack engagement.

Benefits of Teaming

Uncover attack vectors that attackers could exploit
Demonstrate how attackers could move throughout your system
Provide insight on your organization's ability to prevent, detect, and respond to advanced threats
Identify alternative options or outcomes of an action or attack plan
Prioritize remediation plans based on what is causing the greatest risk
Build a business case for improvements, deploying new solutions, and other security spending

Red Teams vs. Blue Teams vs. Purple Teams

Red team and blue team tests are named and modeled after military exercises. To ensure soldiers are battle ready, simulations are run to test out the effectiveness of their defense strategies. In these simulations, red teams take on the offensive role of the enemy, while the blue team is on the defensive, shielding their position. In the cybersecurity realm, the roles are the same, but the battlefield is in the digital sphere.

RED TEAM

A red team is formed with the intention of identifying and assessing vulnerabilities, testing assumptions, viewing alternate options for attack, and revealing the limitations and security risks for an organization. This designated group tests the security posture of your organization to see how it will fare against real-time attacks before they actually happen. Because of their roles as the attackers, teaming exercises are sometimes also referred to as red-teaming.

BLUE TEAM

The Blue Team is tasked with detecting adversaries and preventing them from breaking into the organization’s infrastructure. Blue teams can begin to prepare before an attack by evaluating the environment and hardening where needed. During the attack simulation, their goal is to identify breaches swiftly, limit the spread of infection by confining to the system it entered through, and successfully stop the attack. Some simulations may include the Blue Team planning or executing recovery measures.

PURPLE TEAM

More recently, the idea of a purple team has become the latest buzzword in the cybersecurity world. While there is some confusion surrounding the usage and definition of the term, it’s best to focus on the ideal it is promoting. Ultimately, the concept of a purple team is the mindset of seeing and treating red and blue teams as symbiotic. It is not red teams versus blue teams, but rather one large team focusing on the one overarching goal: improving security. The key to becoming a purple team comes down to communication.

**Read Best Practices for Red Teams, Blue Teams, Purple Teams >**

What Is the Difference Between Pen Testing and Teaming?

Penetration Testing

Penetration Testing is a must have for any organization. A pen tester is designated to ethically hack and evaluate your environment. In this role, they will be the point of contact and operate as the brains behind your security scope. An organization may hire someone specifically for pen testing, or may have someone complete penetration testing as part of their duties.

Teaming

A teaming exercise is basically a penetration test, but from a military perspective. The red team is the attacker, which assumes there is also a defender: your organization’s IT security group. The primary difference is that a pen test is scope-based, and that scope may not involve strengthening the organization’s defense. It may also be conducted by a single individual. Red teams, on the other hand, comprise multiple participants, conduct testing without the knowledge of your staff, and may also operate continuously or routinely.

Learn how to choose between a penetration tester and a red team >

Is Red Teaming and Ethical Hacking the Same Thing?

Red teaming is a part of ethical hacking, along with penetration testing. The difference between the two depends on the size of the organization that’s conducting cybersecurity tests. Smaller and medium-sized businesses typically use penetration testing to uncover vulnerabilities and configure security issues.

Larger organizations deploy red teams to test cybersecurity. Utilizing the social engineering threat actor phase, the stealth, undetectable system breaching malware deployment, and breach infiltration and pertinent data theft, a red team is a multi-faceted real world attack simulation. Once completed, attack statistics are generated and reported to a blue team in efforts to show them where these vulnerabilities are and what type of data was “stolen”. This information is used to help remediate any known or unknown security vulnerabilities and strengthen employee security measures.

When Should You Use a Red Team?

When you’ve implemented new security software, programs, or tactics in your organization

You will want to see how it fares against those of true attackers. Your red team should then come in and emulate attacks of adversaries—without the knowledge of your employee base—to see how these implementations stand.

When a new breach or attack occurs

Whether this is happening to your environment or not, when seeing or hearing of the latest attack, you should see how you would fare if it actually happened to you–and hopefully do so before it happens in real-time.

Routinely

As your organization continues to grow, and while the threats seem to be quiet, it’s good to test.

How to Build a Red Team Program

Red teams are about quality, not necessarily quantity. They work to produce high level critical thinking and aren’t the ones that create a list of vulnerabilities. Know what the red team’s objective is, understand how they’re working to complete it, provide them with the right toolset to get the job done, and maintain teamwork between them and your internal IT teams.

Define Objectives and Initiatives

The first (and best) step is to have a clear-cut red teaming plan. Create a direction and clear purpose, and make sure to include measurable goals. Being able to adhere to the plan and achieve the goals can help your team move forward, stay focused and avoid confusion.

Use the Right Toolset

Even the best team can only do so much with incomplete or incorrect tools.

The highest priority red team tools should include a threat emulation tool that can provide covert channels for adversary simulations and red team exercises. Using the same tactics and techniques that threat actors use helps recreate and prepare for a real-world attack.

Stealth and evasion are crucial for any red team tool. Taking a multi-phase approach to remaining undetected requires a red team portfolio of tools for every step of an attack chain. Creating a breach, delivering malware, using a hidden desktop for internal monitoring, and tracking Blue Team activity are some ways a red team can further exploitation testing.

Include offensive security secondary tools, like enterprise-grade penetration testing software, a vulnerability management solution, and any other assessment or scanning solutions. The right security tool stack shouldn’t have redundancies and should have the capability to scale with your team’s needs.

Challenge Your Red Team

Most teams need continual development to perform at a top level. Red teams are no different. Incorporating a plan that involves additional opportunities to learn new skills, expand their techniques, and utilize critical thinking abilities is a great way to maintain an engaged and experienced red team.

What Are Red Teaming Tools?

Of course, the biggest asset for red teaming is the team itself. The skills a team has and how they work together can directly impact the effectiveness of a red teaming exercise. Some organizations may choose to build their own red team. These teams can be quite small, even consisting as few as two people, and can scaled to be over twenty. Ideally, red team members should be spanning across different specialties and functions of your technologies. Building out a team with members possessing a diverse set of skills and backgrounds will help provide coverage for all of the different aspects of an organization's infrastructure that need protection, such as IT, operations, or facilities. Red team members can have diverse backgrounds. Some may come from pen testing, while others may have more knowledge in IT administration, network engineering, or web development, to name a few.

What to Look For in a Red Team Tool

To emulate the same attack methods and techniques of a malicious actor, red teams need the right tools. The purpose of implementing a red team is to safely attack your security system and find the weaknesses before a cybercriminal exploits them, thus educating and informing your internal security team. Red teams need a multitude of resources, from planning and preparation to stealth and post-exploit reporting.

Targeted Attacks

Every security system is unique. Finding vulnerabilities requires more than the same old attack design. Intelligence gathering through social engineering and security system profiling can expose attack surface area and create a list of viable attack points. A list of potential targeted user personnel, applications, and servers can be accumulated to map out the most successful attack path.

Threat Actor Simulation

Deploying embedded actors without being detected helps further a red team attack test. Cloaking activities under the guise of normal traffic and modifying networks to deploy different types of malware are an essential part of threat actors. Once a vulnerability is exploited, a red team needs the ability to hide malicious activity like: script execution, keystroke logging, capturing screenshots, downloading files, and spawning other payloads.

Stealth and Evasion

A huge challenge for a red team is staying invisible to existing security. Bypassing detection tools and remaining undetected is crucial. Evasion measures help red teams reach their full testing capabilities, under-the-radar of existing security measures and exploit vulnerabilities, quietly.

Expansive and Evolving Attack Toolkit

Criminal attacks evolve, so red team attack simulations should too. There is an expansive attack horizon, and having a wide variety of emulated attack options is an absolute necessity. Payload generators that push antivirus evading malware, a hidden desktop that interact with a target’s desktop undetected, and deploying fake ransomware are some of the best tools a red team can utilize against a target.

Red Team Collaboration

Communication and real-time connections while using the same sessions is a key aspect in red teams. Sharing event logs and information helps them stay undetected from the host while they capture and download data.

Comprehensive Reporting

At the heart of red teaming is the post-attack reporting. The point of utilizing a red team is to learn where your organization’s vulnerabilities are and how you can improve your security and blue team efforts. Understandable, comprehensive reporting should easily show the “how, where, and when” anatomy of a red team cyberattack. Then the post-exploitation report can help an organization focus on remediation and security education aspects.

The Role of Threat Emulation Software and Red Teaming

The right security red team needs the right toolset to maximize its effort and effectiveness. Threat emulation tools are necessary for red teams. Emulating attack tactics and techniques, quietly and for a long-term, can help red teamers embed a threat into an IT network.

Cobalt Strike can change network indicators and emulate different malware. It can quietly embed a red team within a company’s cybersecurity and can silently evade a blue team. Plus, it has a solid social engineering process that lets a red team collaborate efforts.

After a simulated attack, reports are generated and designed to aid in blue team training. Post-attack reviews should be used to help IT professionals prepare for a real attack. Red teams should be a trusted partner in the cycle of improving your organizational cybersecurity. It’s not enough to implement security features and teams without testing them and improving upon those processes.