Red Teaming is a simulation of the behavior of a real attacker, based on up-to-date information about the threats relevant to a particular organization. Part one of this article looked at the technique and how an organization can get started. Rather than taking a do-it-yourself approach, an alternative is to work with a service provider that offers Red Team services.
Below are a few factors to consider when choosing a Red Team:
- The number of successful projects completed.
- Internal assessment of the vendor carried out by your security department.
- Absence of a criminal record of Red Team members.
- References provided by other industry players.
In fact, this is a normal market situation: qualifications and experience matter, and they should be confirmed by other customers.
Articles and reports in specialized publications, activity in professional communities, conference talks, and similar signals are also taken into account.
In some cases, personal acquaintance with the Red Team specialists is relevant as well.
How to eliminate customers’ fears?
What if the customer is afraid that someone from the Red Team will act against his interests? Expert opinions on this often differ.
If a service provider is big, well-known, and public, it operates under more restrictions and carries serious responsibility should sensitive information fall into its hands. In general, there is no complete protection against such things; it is always possible, for example, to find a vulnerability and leave it out of the report.
Many subtle points can be discussed and resolved through close communication between the two parties. To survive in the market and stay out of litigation, the vendor must organize the Red Team's work so that everything is safe for the customer and the customer feels comfortable.
What makes expensive Red Teaming different?
The price of a Red Team project is based on the labor involved and the resources spent: which risks are present, which attack vectors should be worked through, and so on. Each project is unique in its costs, goals, and team composition. This is strictly individual, case-by-case work, and completely different goals can be chosen and set.
A large service provider can build a team and support its work throughout the year. A small group will most likely have limited resources: more tasks fall on one specialist, which, of course, affects quality. A small team can be incredibly talented, but when it comes to extensive coverage and scaling, small teams lose to large companies that provide such services. If a small team suddenly breaks up for some reason, further customer support will be in question. With large companies, this is impossible, and the customer can always count on long-term professional cooperation.
The Red Team project report
The report is not only a set of recommendations for hardening protection. It states which goals were achieved and how, how much time was planned and how much was actually spent. Vulnerabilities, together with the time and methods of their exploitation, are also recorded. Detailed information about the attack is provided: what difficulties arose, where the attack was blocked and where protection was bypassed, etc.
The general format of the report is agreed at the initial meetings, and the customer can provide the form that he needs. Again, the points reflected in the report should help the customer understand which processes to optimize.
When the work is finished, both teams get together and discuss the results reflected in the Red Team's report. The Blue Team also practices reporting.
In a pentest report, the basic technical unit is a single detected vulnerability, described in detail. A Red Team report instead describes the chains of actions that led to the realization of specific risks.
What is the major deterrent to using Red Teaming?
For most organizations, this is a lack of internal resources, followed by the high cost of the project. Some clients do not see the point of Red Teaming at all; they only need pentests.
Do the Red Teams disclose their best practices and tools to the customer?
Service providers that offer high-level Red Teaming have their own CI/CD pipelines, tools, and prepared approaches. If the customer asks about an artifact found in the infrastructure, the Red Team can quickly confirm authorship by checking it against a prepared list and submitting that list. If a zero-day vulnerability is used, it is unnecessary to hand over the exploit itself; it is enough to inform the customer.
When should you re-run the Red Team project?
First, you need to analyze the security of individual parts of the network. You can do this on your own or by ordering a penetration test; this is also a kind of preparation. When all the security processes are in place, the company matures enough to clearly formulate the risks for the Red Team. Many customers do return and conduct second and subsequent Red Team tests. Red Teaming is an attribute of information security and an ongoing process.
How to tell the difference between good and bad Red Teaming?
A decrease in threat detection and response time can serve as a metric and indicator of the result, and it can be measured. However, everything related to services and the provision of metrics is always a fine line. How helpful has Red Teaming been to the company? Effective interaction appears when the customer understands his problem and the service provider understands what to do to solve it. They should hear each other, and both sides should make an effort.
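To make the "detection and response time" metric above concrete, here is an added example (not part of the original article) that computes per-chain detection and response latency from a Red Team action timeline and the Blue Team's alert and response timestamps, then compares two exercises. The chain names, timestamps and the two exercises are constructed sample data; a real comparison would take the attack start times from the Red Team's own log and the alert and response times from the SOC timeline. Chains that were never detected are reported separately instead of being averaged away, since an undetected chain is the most important finding of all.

```python
"""Detection and response latency per Red Team attack chain.

Added example with constructed data. Each ChainRecord pairs a Red Team attack
chain (start time from the Red Team log) with the Blue Team's first alert and
first response action for that chain (from the SOC timeline). first_alert or
first_response is None when the Blue Team never alerted or never acted.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class ChainRecord:
    chain: str
    attack_start: datetime
    first_alert: Optional[datetime]
    first_response: Optional[datetime]


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp, passing None through for missing events."""
    return None if value is None else datetime.fromisoformat(value)


# Constructed sample data: the same three chains run in two exercises.
EXERCISE_1 = [
    ChainRecord("phishing", _ts("2024-03-04T09:00:00"),
                _ts("2024-03-04T09:45:00"), _ts("2024-03-04T11:15:00")),
    ChainRecord("lateral-movement", _ts("2024-03-05T14:00:00"), None, None),
    ChainRecord("data-exfil", _ts("2024-03-06T02:00:00"),
                _ts("2024-03-06T04:30:00"), _ts("2024-03-06T06:00:00")),
]
EXERCISE_2 = [
    ChainRecord("phishing", _ts("2024-09-10T09:00:00"),
                _ts("2024-09-10T09:20:00"), _ts("2024-09-10T09:50:00")),
    ChainRecord("lateral-movement", _ts("2024-09-11T14:00:00"),
                _ts("2024-09-11T15:00:00"), _ts("2024-09-11T16:30:00")),
    ChainRecord("data-exfil", _ts("2024-09-12T02:00:00"),
                _ts("2024-09-12T02:40:00"), None),
]


def latencies(records):
    """Split records into detection latencies, response latencies (minutes)
    and the names of chains that produced no alert at all."""
    detect, respond, undetected = [], [], []
    for r in records:
        if r.first_alert is None:
            undetected.append(r.chain)
            continue
        detect.append((r.first_alert - r.attack_start).total_seconds() / 60)
        if r.first_response is not None:
            # Response latency is measured from the alert, not the attack start,
            # so it isolates the analysts' handling time from detection coverage.
            respond.append((r.first_response - r.first_alert).total_seconds() / 60)
    return detect, respond, undetected


def summarize(records):
    """Per-exercise summary; medians are used because one slow chain should
    not hide improvement on the others."""
    detect, respond, undetected = latencies(records)
    return {
        "chains": len(records),
        "detected": len(detect),
        "undetected": undetected,
        "median_detect_min": median(detect) if detect else None,
        "median_respond_min": median(respond) if respond else None,
    }


def compare(before, after):
    """Change between two exercises. For latencies, negative means faster;
    for detection rate, positive means more chains were caught."""
    b, a = summarize(before), summarize(after)

    def delta(key):
        if b[key] is None or a[key] is None:
            return None
        return a[key] - b[key]

    return {
        "detection_rate_change": a["detected"] / a["chains"] - b["detected"] / b["chains"],
        "median_detect_change_min": delta("median_detect_min"),
        "median_respond_change_min": delta("median_respond_min"),
        "newly_detected": sorted(set(b["undetected"]) - set(a["undetected"])),
    }


if __name__ == "__main__":
    for name, ex in (("exercise 1", EXERCISE_1), ("exercise 2", EXERCISE_2)):
        print(name, summarize(ex))
    print("change", compare(EXERCISE_1, EXERCISE_2))
```

Run as a script, it prints the summary of each exercise and the change between them; with the constructed data the median detection time falls from 97.5 to 40 minutes and the lateral-movement chain, undetected in the first exercise, is caught in the second.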
Suppose a vulnerability is discovered whose exploitation during the Red Team test might disrupt the customer's infrastructure. What will the Red Team do?
Two paths can be distinguished. The first is to agree in advance that no destructive actions will be taken during the Red Teaming. The second is to describe the possible consequences to the customer and let him decide (in exceptional cases). Such things should be written into the statement of work.
Although the Red Team works stealthily, the two parties still work together in one way or another. One person from each side can be designated to agree on such subtle points without passing confidential working information on to the teams.
Red Teaming market trends and forecasts
Pentest is a derivative of information security, and Red Teaming is a derivative of pentest. Today, penetration testing is growing and developing quickly, and Red Teaming will grow and develop with it. Companies that conduct pentests will improve their skills and protection and mature to the point of running a Red Team test.
International standards will also evolve. Security experts are interested in exchanging experience, which we now lack: conferences, meetings, events, etc. I am sure we will soon have a clearer understanding of what the Red Team is and how to work better.
The number of companies that have matured enough for a Red Team test is increasing. Demand is growing, and an understanding of why such a service is needed is taking shape.
Red Teaming allows you to assess the actual level of security of your IT infrastructure. Compared to penetration testing, it provides a more extensive and in-depth analysis that identifies the threats relevant to the specific organization and reveals gaps in perimeter protection. As a result, the skill level of the Blue Team specialists rises and the company's protection is strengthened. It is a complex and always unique process that constantly requires active communication between both parties.
It is important to have mature information security processes to clearly formulate goals for the Red Team.
The Red Team is formed individually for each project and consists of specialists of different classes and specializations.
In terms of duration, Red Teaming can take a week, a month, or six months. The time and cost of the project are calculated individually, based on the customer's tasks.
In the future, we will see an active growth of the Red Team services, an improvement in quality, a more precise definition of Red Teaming, and the formation of standards for an in-depth security assessment.
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis.