Red teaming can generally be defined as a goal-based adversarial testing process. The underlying idea is often traced back to the sixth century B.C.E. and Sun Tzu's observation that "If you know the enemy and know yourself, you need not fear the result of a hundred battles." The modern red teaming process originated with the U.S. Armed Forces during the 1960s, at the height of the Cold War with the Soviet Union, and the term "red team" emerged from game theory approaches applied to wargaming and scenario simulations designed to evaluate strategic decisions. The same red teaming concepts are applied when testing security defenses in today's ever-evolving cyber environment to measure how an organization will respond to an attack.
We’re often asked what a red team engagement entails. A red team engagement consists of a full scope, multi-layered adversarial attack simulation created to measure resilience. In other words, how well an organization’s staff, networks, applications, and physical security controls can withstand a real-life attack.
Red team engagements are conducted by highly trained security engineers who understand and utilize real world attack scenarios to reveal and exploit potential physical, application, and network vulnerabilities. The engineers work to challenge normal testing procedures and find unexpected vulnerabilities in policies, procedures, systems, and people.
The red team methodology takes a holistic, enterprise-wide approach. Goals for the engagement are defined at the start of the assessment and can be customer- or red team-driven. Items such as data compromise, gaining internal network access, and cryptographic key compromise are all routinely set goals. During the engagement, red teams will utilize the same tools, tactics, and techniques utilized by adversaries to provide the most accurate attack picture possible.
We often hear the concept of red team vs. blue team. The term blue team refers to the group responsible for defending an organization's information systems and maintaining its security posture against a group of attackers (i.e., the red team). Typically, the blue team and its supporters must defend against real or simulated attacks.
Although operationally the two teams function differently, they share the same goal: improve the security posture of the organization.
Organizations can have many different driving factors for wanting to conduct a red team engagement. These may stem from regulatory demands, customer requirements, and system/process validation. Because red team engagements incorporate different elements from across an organization’s security posture, a much more accurate response picture is developed.
In today's crowded security industry the terms "red team assessment" and "penetration test" are often used synonymously. Although the two share some commonalities, they differ greatly in approach and result. Another main difference between the two is the goal for conducting the assessment. Both assessments have strengths and weaknesses that make them suitable for different organizational goals.
The goal of penetration testing is to look at an environment and attempt to discover as many vulnerabilities and misconfigurations as possible. During the engagement the testing engineer will attempt to exploit the discovered vulnerabilities and misconfigurations; successful exploitation confirms that a finding is real and reachable rather than a false positive. At the end of the engagement the testing engineer produces a report that lists the vulnerabilities in the environment and the risk each one presents. The report also explains how the engineer exploited the systems and provides reproduction steps for each attack. Ultimately the goal and focus of a penetration test is the environment and the systems within it.
A red team engagement shares some similarities with a penetration test, but the goal is different. The goal of a red team engagement is not just to test the environment and the systems within it, but to test people and processes as well. How will your SOC or blue team react to an advanced persistent threat (APT)? Will they notice an intern exfiltrating data from the network? If presented with an infected USB drive, will your receptionist be willing to insert it into their computer? Red teams use the same tools, tactics, and techniques that adversaries use, so that the blue team is measured against realistic attacker tradecraft rather than against a vulnerability checklist.
You may be wondering which assessment you need. What are your goals? Are you looking to test your systems? Do you want to know which vulnerabilities exist in those systems, and more importantly, can those vulnerabilities be exploited? If so, you would benefit from a penetration test.
Do you want to learn more about your organization as a whole? What if you were attacked? How would your organization respond? How quickly can you recover from something like ransomware? Without taking a holistic view of the entire organization you may never know.
Either way NuHarbor can help you achieve your goals. Whether it’s a traditional penetration test or red team assessment, we have the experience required to effectively assess your organization.
How long is a typical engagement?
Engagement length varies based on assessment goals and the size of the environment/organization. Historically, penetration tests usually last 1-2 weeks and red team engagements typically run 4-6 weeks.
We do vulnerability scanning, so why do we need a red team engagement?
Vulnerability scanning is a great process for enumerating known vulnerabilities in an environment, but it generally does not validate that those vulnerabilities are actually exploitable in context, so results routinely include false positives and findings that are not reachable by an attacker. Also, even best-in-class vulnerability scanning software falls short of detecting the outside-the-box vulnerabilities (chained weaknesses in people, processes, and systems) that are found and exploited during a red team engagement.
Randy is the Special Operations Group (SOG) Manager at NuHarbor Security where he spearheads the team of Offensive Operators known as REDSEC. Randy spends most of his time working with the REDSEC team to ensure NuHarbor Security remains at the forefront of Adversary Emulation and strives to make cybersecurity easier for clients. Prior to joining NuHarbor Security, Randy spent 21 years in the US Army working in both defensive and offensive Cyber positions.