As defined by the U.S. National Security Agency (NSA), a red team is an entity that specializes in breaking and entering, acquiring classified information, and leaving no trace behind. In the cyber realm, red teams focus on penetration testing of different systems and their levels of security. They help detect, prevent, and eliminate weaknesses while putting a spotlight on glaring vulnerabilities. A red team goes about this by imitating real-world cyber attacks, using all existing data and network penetration techniques. This helps organizations identify the vulnerabilities that pose a threat to their systems.
Red Teaming assessment:
A red team assessment is a goal-based adversarial activity that requires a big-picture, holistic view of the organization from the perspective of an adversary. This assessment process is designed to meet the needs of complex organizations handling a variety of sensitive assets through technical, physical, or process-based means.
The purpose of conducting a red teaming assessment is to demonstrate how real-world attackers can combine seemingly unrelated exploits to achieve their goal. It is an effective way to show that even the most sophisticated firewall in the world means very little if an attacker can walk out of the data center with an unencrypted hard drive. Instead of relying on a single network appliance to secure sensitive data, it is better to take a defense-in-depth approach and continuously improve your people, processes, and technology.
Prior to the assessment, rules of engagement are established between the Red Team members and the smallest possible set of participants within the organization to be tested. This number will vary but is typically no more than 5 people in key positions, who observe the organization's detection and response activities. Based on the rules of engagement, a Red Team may target any or all of the following areas during the exercise:
- Technology defenses – In order to reveal potential vulnerabilities and risks within hardware and software-based systems like networks, applications, routers, switches, and appliances.
- Human defenses – Often the weakest link in any organization’s cyber defenses, Red Teaming will target staff, independent contractors, departments, and business partners to ensure they’re all as secure as possible.
- Physical defenses – Physical security around offices, warehouses, substations, data centers, and buildings is just as important as technology defenses, and as such should be stress tested against a genuine attack. Something as seemingly innocuous as holding a secure door open for someone without having them badge in can provide the gap an attacker needs to gain access to unauthorized systems.
How does Red Teaming work?
When vulnerabilities that seem small on their own are tied together in an attack path, they can cause significant damage.
Red Team Methodology
Red teams emulate every step that an attacker would follow along the cyber kill chain. Red teaming requires intelligence, cleverness, and the ability to think outside of normal processes. The tools used to support a red team are diverse but can be grouped into categories based on the flow shown below.
What are 3 questions to consider before a Red Teaming assessment?
Every red team assessment caters to different organizational elements. However, the methodology always includes the same elements of reconnaissance, enumeration, and attack. Before conducting a red team assessment, talk to your organization’s key stakeholders to learn about their concerns. Here are a few questions to consider when identifying the goals of your upcoming assessment:
- What could happen in my organization to cause serious reputational or revenue-based damage (e.g. exfiltration of sensitive client data or prolonged service downtime)?
- What is the common infrastructure used throughout the organization (consider both hardware and software)? In other words, is there a common component on which everything relies?
- What are the most valuable assets throughout the organization (data and systems) and what are the repercussions if those are compromised?
What Are the Goals of a Red Team?
A Red Team can be made up of as few as two people and can scale to over 20, depending on the task. That is what matters most: make sure that your team is built for the task at hand. Find experienced, critical thinkers to form the core of your team and continue building it with a diverse mix of skills. A Red Team should be used alongside your vulnerability assessment and penetration testing in order to realize its full value.
- Have the right conditions
Red teamers need an open learning culture with the ability to continuously train and improve their skill set.
- Set clear objectives
Plan from the outset. Red teaming will not work as an afterthought; it should be an integral part of your security posture and should have measurable goals in mind.
- Get the right tools
Make sure that you provide your team with the right testing, vulnerability management, and further assessment tools for analysis.
- Focus on key issues
Red teaming should produce quality thinking and advice, not qualitative results.