A Red Team has the responsibility to challenge established defenses and policies, looking for vulnerabilities that could potentially be exploited. The red team can work as a consulting team engaged by external companies, or it can operate internally, running exercises to determine the risk vectors of its own company. Wherever it operates, the approach is the same: the team takes the place of the "bad guy" of the story, carrying out an attack in the role of the criminal.
Cyber threats are a constant risk for companies today; attacks such as ransomware or data leaks can translate into significant losses for the company, both monetary and reputational. Red Team exercises exist to detect those potential threats under realistic scenarios, using a series of activities and tools that help companies improve their security with the help of experts.
Red Team Methodology
To carry out a successful exercise, the Red Team must follow a series of steps, establishing clear goals and delivering a full report that presents the discoveries to the client. Although the methodology is adapted to the scenario, it may include the following points:
Exercise Goal: The client determines what the objectives of the red team will be.
Targets: The team draws up a list of targets (instances, servers, machines, etc.) where latent vulnerabilities may be found.
Exploit Vulnerabilities: Using different vectors, the team sets out to gain access to its objectives.
Reconnaissance: The team checks the real scope of the attack, seeing how much information it can collect or how far it can go.
Reporting and Analysis: After simulating the attack, the team reports its findings to the client, covering the results of the attack and the employees' response.
The scenarios vary according to the needs and specifications of the client; here are some common scenarios of interest:
Infrastructure: The Red Team sets up a scenario in which criminals target the client's facilities, usually seeking to impact the client's production or services.
Social engineering: A scenario in which a criminal uses social engineering to obtain credentials or gain access to normally restricted sites, challenging the awareness of employees and their knowledge of the relevant procedures.
Malware: The team tries to gain access to a network in order to deploy different types of malware. Depending on the client's specifications, the objective may vary between obtaining credentials, deploying spyware, or deploying ransomware, taking advantage of vulnerable computers and networks.
Penetration Test and Red Team Exercises
While both activities share a common goal, finding the risk vectors by carrying out an attack with security professionals, their details and scope differentiate them.
A penetration test (pentest) is more closely tied to attacks aimed at the client's computer network, trying to infiltrate that network and find its vulnerable points. A Red Team exercise, on the other hand, takes a broader approach: it uses different "What if?" scenarios, tests more than software, and employs different methods or tactics, for example the use of social engineering to get past physical security. While the pentest focuses on finding as many risk vectors as possible, the red team focuses on finding a way to reach the target, performing lateral movement and accessing the most sensitive information (the objective varies according to the goal set by the client).
Cybercriminals are a latent threat to many companies, so it is a serious mistake to underestimate them. As technology advances, new vectors are created that criminals can exploit, and sometimes it is not enough to know the individual vulnerabilities; it is important to be aware of what people may be able to do with them. A Red Team can give a company a real view of the criminal's perspective, since these professionals know the methods used by such attackers without sharing their intentions. While a Red Team exercise is not something that can be done overnight, the benefits are substantial: it helps the customer to be aware and prepared while reducing the risks to which the company is exposed.
Junior Security Engineer