It seems like everyone is talking about red teaming these days, and for good reason. Red teaming can be an incredibly useful exercise for organizations looking to test their threat detection and response capabilities as well as their maturity as whole. It’s an evolution of the traditional network pentest, but there are key differences in when they should be used, how they’re executed and what type of information they provide. If you’re considering a red team engagement, consider this your guide to getting started.
What is red teaming?
In essence, red teaming is a vertical attack that demonstrates the feasibility of real-world scenarios by identifying and chaining together vulnerabilities in a client’s network to reach a specific objective. The objective of the red teaming exercise could be exfiltrating sensitive data from the internal infrastructure or establishing domain admin access in Active Directory or anything else the client desires.
Red teaming vs. pentesting
Both red teaming and pentesting fall under the category of Offensive Security. However, where red teaming is considered a vertical attack, pentesting is a more horizontal attack. The goal of a pentest is to identify as many network vulnerabilities as possible and flaws in assessing existing security controls.
A red team exercise, on the other hand focuses on identifying the weakest vulnerabilities in an organization’s processes, technologies and staff. This is done in order to form a fully functional attack path with the primary goal of reaching a specific asset or completing a specific action. In other words, it simulates what a motivated attacker would be capable of without having any information about the infrastructure.
Despite their differences, it’s important to note that red teaming and pentesting are not opposites, but complementary. They can work together to show the entire company’s exposure as well as the feasibility and impact of a full attack path against it.
|Horizontal attack that identifies as many vulnerabilities as possible||Demonstration of the feasibility of a real advanced attack (vertical path)|
|Goal is to uncover total attack surface||Goal is to reach a specific objective undetected|
|Testing for flaws in network infrastructure and security controls||Testing for vulnerabilities in processes, staff, and technologies|
|Automated scanning and manual testing and manipulation||Advanced techniques and custom tools|
|Focused on exposure of digital assets||Transcends digital boundaries|
|Periodic||Situational or periodic|
|Can be known to employees||Unknown to employees|
How red teaming works
Because red teaming is limited in time and has a range of potential attack vectors, it’s important to have a repeatable methodology in order to ensure you’re able to reach the objective set by the client. At Kudelski Security, we use the following five-phase methodology.
Phase 1 – Passive reconnaissance
The first step is to conduct manual research using open-source intelligence, or OSINT. The goal is to gain context about the company — number of employees, email addresses, leaked passwords, company-owned domains, web applications, etc.
Phase 2 – Active reconnaissance
Based on the information gathered from Phase 1 — for example, which IP address is exposed on the internet — we can use automated tools to scan the network for vulnerabilities that could be exploited later. The scan is carried out silently so as not to be detected by security equipment or the SOC.
Phase 3 – Exploitation
After phases 1 and 2 are complete, we have enough information to build out different scenarios to exploit. During exploitation, we can use all the vulnerabilities we’ve identified and chain them together to reach the client objective. Exploits can be very targeted. For example, a broad phishing test done during a pentesting exercise may not be very successful. But a red team phishing test will be very targeted based on specific roles and the information those roles would have access to. Those types of phishing campaigns tend to be much more successful.
When we achieve a successful exploitation, we can move to either phase 4 or phase 5. It all depends on what part of the IT infrastructure we’re facing.
Phase 4 – Lateral movement
When we succeed in infiltrating the infrastructure, the next objective is to expand access through lateral movement in order to reach our targets. The first thing to do is to figure out what we can reach with our current level of access. Then, once we reach it, identify what’s reachable from that place in the network. We do that until we’re able to reach the target data or assets. Once there, we can go to phase 5.
Phase 5 – Stabilize footprint and exfiltrate data
Even once they’re able to connect to the internal infrastructures, attackers still want to establish a stable connection in order to exfiltrate data. Typically, this means installing a backdoor on the server in order to ease exploitation, gain and elevate privilege, install other tools and eventually exfiltrate the target data — all while evading detection.
When to Use a Red Team Exercise
When you want to move beyond theory into practice. A pentest, unlike a red team exercise, does not show feasibility of an attack, only all the points where you are vulnerable. It would be impossible to fix all those vulnerabilities without knowing how they could be used to reach an asset. Because a red team exercise exploits everything in order to form a full attack path. It’s concrete proof that an attack is possible with clear steps for remediation.
When you want to put vulnerabilities into a business context. With red teaming, you are able to demonstrate the consequences of a successful attack scenario. This is important when talking to management about a vulnerability, because most of the time they will not have the technical background necessary to make the connection between a vulnerability and the business impact. After a red teaming exercise, you will be able to clearly show how an attacker would be able to gain control of the infrastructure and block operations because of a chain of vulnerabilities.
When you want to understand your blind spots. After a successful red team, you will have a report that shows all the tools and techniques that were used during the exercise. Many times, red teamers are able to evade detection because the techniques they’re using are unknown to the client. With the report, the client can learn about these new methods and use that information to harden their defenses.
When you need to get buy-in from the C-suite. If you are a CISO tasked with presenting risk to the C-suite or board, it’s important to parlay that risk with facts about the consequences of not acting. If it’s not a clearly demonstrated fact, you’re going to have trouble building the trust you need to get buy-in. With a red teaming exercise, you have a proof of concept that can help you gain support of management to develop your cybersecurity defenses.
The content in this blog was originally presented in the webinar “Continuous Improvement to Your Application Security.” To learn more about Kudelski Security’s pentesting and red teaming services, visit https://kudelskisecurity.com/solutions/by-capability/penetration-testing/.