By: Randy Duprey
What is Red Teaming?
Red teaming in general can be defined as a goal-based adversarial testing process. The concept has existed since the sixth century BCE, when the ancient military genius Sun Tzu stated that “…one who knows the enemy and knows himself will not be endangered in a hundred engagements.” The modern-day red teaming process originated in the U.S. military in the 1960s, at the height of the Cold War with the Soviet Union. The term “red team” emerged from game-theory approaches applied to war-gaming and scenario simulations designed to evaluate strategic decisions. The same red teaming concepts are applied when testing security defenses in today’s ever-evolving cyber environment.
- Goal-based adversarial testing process
- Organizational assessment vs specific targets
- Measures how an organization will respond to an attack
- Incorporates many elements of an organization’s overall security posture
What is a Red Team Engagement?
We’re often asked what a red team engagement entails. A red team engagement consists of a full-scope, multi-layered adversarial attack simulation created to measure how well an organization’s staff, networks, applications and physical security controls can withstand a real-life attack.
Red team engagements are conducted by highly trained security engineers who understand and utilize real-world attack scenarios to reveal and exploit potential physical, application, and network vulnerabilities. The engineers work to challenge normal testing procedures and find unexpected vulnerabilities in policies, procedures, systems and people.
The red team methodology takes a holistic, organization-wide approach. Goals for the engagement are defined at the start of the assessment and can be customer or red team driven. Items such as data compromise, gaining internal network access, and cryptographic key compromise are all goals routinely set. During the engagement, red teams will use the same tools, tactics, and techniques as adversaries to provide the most accurate attack picture possible.
What is a Blue Team?
We often hear the concept of Red Team vs Blue Team. You may be wondering what a Blue Team is. The term Blue Team refers to the group responsible for defending an organization’s use of information systems by maintaining its security posture against a group of attackers (Red Team). Typically, the Blue Team and its supporters must defend against real or simulated attacks 1) over a significant period, 2) in a representative operational context (e.g., as part of an operational exercise), and 3) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
Although the two teams function differently operationally, they share the same goal: improve the security posture of the organization.
Why Organizations want a Red Team Engagement
Organizations can have many different driving factors for wanting to conduct a red team engagement. These may stem from regulatory demands, customer requirements, and system/process validation. Because red team engagements incorporate different elements from across an organization’s security posture, a much more accurate response picture is developed.
Differences between Red Team and Penetration Test
In today’s convoluted security industry, the terms Red Team Assessment and Penetration Test are used synonymously. Although the two share some commonalities, the reality is they differ greatly in approach and result. Another main difference between the two is the goals for conducting the assessment. Both assessments have strengths and weaknesses that make them suitable for achieving your organizational goals.
The goal of penetration testing is to look at an environment and attempt to discover as many vulnerabilities and misconfigurations as possible. During the engagement process, the testing engineer will attempt to exploit the discovered vulnerabilities and misconfigurations. Attempting to exploit the vulnerabilities validates that they are genuine vulnerabilities. At the end of the engagement, the testing engineer produces a report that lists all the vulnerabilities in an environment and the risk those vulnerabilities present. The report will also explain how the engineer exploited the systems and provide reproduction steps for the attack. Ultimately, the goal and focus of a penetration test is on the environment and the systems within that environment.
A red team engagement shares some similarities with a penetration test, but the goal is different. The goal of a red team engagement is not just to test the environment and the systems within the environment but to test your people and processes as well. How will your SOC or Blue Team react to an Advanced Persistent Threat? Will they notice an intern exfiltrating data from the network? If presented with an infected USB drive, will your receptionist be willing to insert it into their computer? Red teams will use the same tools, tactics, and techniques as adversaries in the hope of providing blue teams an accurate attack signature.
What Assessment Do I Need?
You may be wondering, “Well, which assessment do I need?” What are your goals? Are you looking to test your systems? Do you want to know which vulnerabilities exist in those systems and, more importantly, whether those vulnerabilities can be exploited? If so, you would benefit from a Penetration Test.
Do you want to learn more about your organization as a whole? What if we were attacked? How would we respond? How quickly can we recover from something like ransomware? Without taking a holistic view of the entire organization you may never know.
Either way, NuHarbor Security can help you achieve those goals. Whether it’s a traditional penetration test or red team assessment, we have the experience you need to effectively assess your organization.
Frequently Asked Questions regarding Red Team Engagements
How long is a typical engagement?
Engagement length varies based on assessment goals and the size of the environment/organization. Historically speaking, penetration tests usually last 1-2 weeks and Red Team Engagements typically run 4-6 weeks.
We do vulnerability scanning, so why do we need a Red Team Engagement?
Vulnerability scanning is a great process for determining vulnerabilities in an environment but generally does not validate those vulnerabilities. Also, even best-in-class vulnerability scanning software falls short of detecting the outside-the-box vulnerabilities that are found and exploited during a Red Team Engagement.