You can assess the current state of your network perimeter's security with a penetration test, a vulnerability assessment, or Red Team services. Red Teaming lets you strengthen the protection of your IT infrastructure significantly by identifying security gaps across multiple attack vectors. But how do you know whether the company is mature enough to work with a Red Team? Might a pentest be enough? How do you choose a contractor without putting the company at risk? What kind of Red Teaming delivers the highest quality? Let me try to answer these difficult questions.
What is Red Teaming?
Red Teaming is a simulation of a real attacker's behavior, based on up-to-date information about the threats relevant to a particular organization. Most often, Red Teaming is understood as modeling an APT-style attack: large-scale work conducted to assess the organization's security risks end to end.
In general, Red Teaming is a multi-stage engagement with the IT infrastructure whose purpose is to improve the processes of monitoring and responding to cyber threats. Red Teaming helps to measure and shorten detection and response times.
The duration of a Red Team operation
When it comes to project duration, the real question is what the customer expects at the end. Red Teaming is not a demonstration of speed; it is about quality, hard work, and the value of the results. The process usually takes considerably longer than a penetration test, because it depends on stealth and on multi-vector approaches to reaching the goal. A Red Team engagement can last a week, a month, or even six months. Real attackers have plenty of time: they steadily collect information about the victim and often spend months preparing an attack.
If there is a large Red Team, many goals, and serious scenarios, it is advisable to plan the project for two, four, or even six months. In practice, unfortunately, businesses are rarely ready to let a Red Team into their infrastructure for six months.
I would like to highlight the importance of the customer's maturity. You must understand why a Red Team operation is necessary and exactly how you are going to work with the Red Team. Again, quality matters more here than quantity.
How does a Red Team operation begin?
Reconnaissance is carried out, the list of relevant threats is brought up to date, and a map of attack scenarios is created. All goals should be stated in the action plan. It is hard to write the action plan down to every detail, since in practice there will always be deviations. The customer may come with a specific problem or propose ready-made scenarios. All of this is discussed and agreed upon during the preparation period.
Pentest or Red Teaming?
When we think only about vulnerabilities, we are essentially talking about a penetration test. But for the business, the kind of vulnerability found is not always what matters. What is crucial is what happens after it is exploited.
You can, in fact, start assessing your security posture with a pentest. Again, a company needs to mature first. Customers who have already penetration-tested certain parts of the infrastructure and want to evaluate their protection more thoroughly turn to Red Teaming.
For an attack to succeed, several factors have to coincide:
- The presence of a vulnerability.
- Incorrect operation of security controls or software.
- An inadequate reaction from the security team.
Red Teaming helps not only to identify relevant threats but also to reveal actual gaps in perimeter protection. On the other side, the Blue Team (the defenders) improve their skills, and the efficiency of detecting attacks and responding to incidents increases.
So Red Teaming is deeper and larger-scale work than a pentest. During a penetration test, the customer provides a specific system or a specific network, and the task is only to find vulnerabilities in it.
Before simulating an attacker and applying real attack techniques and procedures, concrete goals should be set, for example, escalating privileges on a particular system. Red Teaming lets the team choose how the set goals will be achieved.
Is it possible to turn Red Teaming into a cyber polygon?
In fact, these are quite different things. Some technical points overlap, of course, but a cyber polygon (cyber range) is only an opportunity to practice and to work on team coordination. It is also an open platform for specialists of different levels. Red Teaming is an internal, closed workflow carried out by a specially formed, highly skilled team.
Cyber polygons are gaining popularity. However, they mostly teach security managers how to respond to standard situations. Red Teaming is held not to teach but to strengthen protection and reduce risk. Red Teaming is a real case, not a testing ground: everything happens live, on real infrastructure.
Can BAS systems replace Red Teaming?
No, they cannot. Breach and attack simulation (BAS) solutions are essentially an automated scanner, not a human. BAS is effective for internal use, but it cannot assess external threats. A Red Team can attack physical weaknesses, apply social engineering, and use any approach that will achieve the goal. BAS is helpful, but it cannot replace a living person.
How to create your own Red Team, and what experience is needed for such work?
You can start by taking a penetration tester and observing their work, for example, to what extent their actions show up in the logs. Usually, you do not hire new employees to form a Red Team. Such people grow inside the company, starting out as penetration testers, application security specialists, and so on. In any case, a candidate's past achievements are studied carefully.
A Red Team consists of different specialists. As a rule, the team is assembled for a specific project based on its particular tasks. For example, if reverse engineering is required (security assessment without access to the source code), a specialist in that area is added to the team.
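A practical way to check "to what extent their actions show up in the logs", and to put a number on the detection and response times the article says Red Teaming should improve, is to correlate the Red Team's own activity log with the alerts the Blue Team actually raised. The script below is an added example, not code from the article or from any vendor; the action and alert records, the host names and the four-hour matching window are all constructed assumptions, and the technique labels follow the MITRE ATT&CK ID format only because that is how most teams record them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class RedAction:
    """One entry from the Red Team's activity log (constructed example)."""
    ts: datetime
    technique: str   # ATT&CK technique ID as recorded by the operator
    host: str
    note: str


@dataclass
class BlueAlert:
    """One alert from the defenders' EDR/SIEM (constructed example)."""
    ts: datetime
    technique: str   # technique the detection rule is mapped to
    host: str
    source: str


# Constructed Red Team timeline: phishing -> PowerShell -> credential dump
# -> lateral movement -> exfiltration. Hosts and times are invented.
RED_ACTIONS = [
    RedAction(datetime(2024, 3, 4, 9, 5), "T1566.001", "ws-017",
              "Phishing mail with macro-enabled document opened by user"),
    RedAction(datetime(2024, 3, 4, 9, 40), "T1059.001", "ws-017",
              "PowerShell stager launched from the macro"),
    RedAction(datetime(2024, 3, 4, 10, 15), "T1003.001", "ws-017",
              "LSASS memory read for credential material"),
    RedAction(datetime(2024, 3, 4, 11, 30), "T1021.002", "srv-files-01",
              "Admin share access with harvested credentials"),
    RedAction(datetime(2024, 3, 4, 13, 0), "T1048", "srv-files-01",
              "Staged archive sent out over DNS"),
]

# Constructed Blue Team alerts. The ws-999 alert is unrelated noise and
# must not be credited to the Red Team action on ws-017.
BLUE_ALERTS = [
    BlueAlert(datetime(2024, 3, 4, 9, 52), "T1059.001", "ws-017", "EDR"),
    BlueAlert(datetime(2024, 3, 4, 10, 21), "T1003.001", "ws-017", "EDR"),
    BlueAlert(datetime(2024, 3, 4, 10, 30), "T1059.001", "ws-999", "EDR"),
    BlueAlert(datetime(2024, 3, 4, 14, 10), "T1021.002", "srv-files-01", "SIEM"),
]


def match_detections(actions, alerts, window=timedelta(hours=4)):
    """Pair each Red Team action with the earliest alert that names the
    same technique on the same host within `window` after the action.
    Returns a list of (action, alert-or-None) in action order."""
    matched = []
    for action in actions:
        candidates = [
            alert for alert in alerts
            if alert.technique == action.technique
            and alert.host == action.host
            and action.ts <= alert.ts <= action.ts + window
        ]
        first = min(candidates, key=lambda a: a.ts) if candidates else None
        matched.append((action, first))
    return matched


def coverage_report(matched):
    """Summarise detection coverage and mean time-to-detect in minutes."""
    detected = [(a, b) for a, b in matched if b is not None]
    missed = [a.technique for a, b in matched if b is None]
    delays = [b.ts - a.ts for a, b in detected]
    mean_ttd = (sum(delays, timedelta()) / len(delays)) if delays else None
    return {
        "total": len(matched),
        "detected": len(detected),
        "missed": missed,
        "mean_ttd_minutes": (mean_ttd.total_seconds() / 60) if mean_ttd else None,
    }


if __name__ == "__main__":
    report = coverage_report(match_detections(RED_ACTIONS, BLUE_ALERTS))
    print(f"{report['detected']}/{report['total']} actions detected, "
          f"mean time-to-detect {report['mean_ttd_minutes']:.1f} min")
    print("missed techniques:", ", ".join(report["missed"]))
```

On the constructed data the report shows three of five actions detected, with the initial phishing and the final exfiltration missed, and a mean time-to-detect of about an hour dominated by the slow lateral-movement alert. The two misses and the 160-minute SIEM delay are exactly the kind of finding a Red Team report should turn into a remediation item, and the same script can be rerun after the engagement to show whether detection actually improved.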
In part two of this article, we’ll explore using a Red Team service provider.
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis.