It’s tough to figure out which vulnerabilities exist within your organization that criminals can exploit. But what if you hired a team of faux cybercriminals to detect the trouble areas before the real bad guys strike? Welcome to the Red Team…
Editor’s Note: This is a guest blog contribution from cybersecurity specialist and pen tester Isla Sibanda. Isla shares her expert perspective on how to safely carry out red teaming exercises and simulated attacks.
Cybersecurity is still a primary concern for technology companies, and many of these businesses participate in red team exercises to fortify their systems using simple penetration testing and vulnerability assessments. However, it is important to do your due diligence and ensure that red teaming is executed appropriately and securely.
According to recent surveys, 68% of companies that participate in red team exercises to fortify their systems believe those exercises are superior to blue team exercises for that purpose. But carrying out red team exercises doesn’t come without risk; you have to ensure that you execute these simulated attacks appropriately and in the safest way possible. Otherwise, you risk creating attack surfaces for bad guys to target.
Red teaming is an important defense enhancement method, but these exercises must be carried out carefully. Two penetration testers found out the hard way in September 2019 what happens when red team exercises go sideways. This case demonstrates that things can go seriously wrong for offensive security professionals during a real-world engagement.
Knowing this, it’s time to explore the red teaming phenomenon and share the knowledge I’ve gained over more than a dozen years as a pen tester and security expert.
Let’s hash it out.
A red team is a team of security experts who play an offensive role in trying to exploit weaknesses in an organization’s security defenses. Typically, this is a group of ethical hackers and other cybersecurity and penetration testing experts who can systematically poke and prod at your technological and human defenses to try to find vulnerabilities they can exploit.
Red team exercises involve allowing a trusted group of people to test and hack your defenses within a controlled environment. It’s all about emulating the behaviors of real-world attackers. These attack scenarios let you see how your system might react during an intruder breach. These real-world exercises are an effective way to understand the strengths and weaknesses of your existing systems. They allow you to explore whether your IT and digital infrastructure can stand up to real-world attack scenarios.
Red teaming is a way for software providers to test their organization’s security fortifications. By testing the defenses of their services and products, companies can better protect their users from future attacks by identifying vulnerabilities bad guys can exploit (so they can be mitigated). Either your in-house IT team plays the hackers, or you can bring in external specialists to do the deed and provide an unbiased and in-depth perspective.
Another important aspect of red team exercises is to report their findings and provide actionable results. This way, you know what weak areas exist and can figure out the best way to prioritize fixing them.
A red team differs from a blue team in more than just the name. While a red team plays the role of an attacker, the blue team plays the defensive role within your organization to defend against their assaults.
In a recent study conducted by Exabeam, 62% of blue teams reported encountering difficulties with stopping red teams during simulation exercises. This is why many companies that practice red team/blue team exercises believe that the more valuable information about the strength of their cyber defenses comes from the red team. It also demonstrates that most companies have vulnerabilities that need to be addressed.
Red teams aim to help you discover unknown vulnerabilities and figure out how they can be exploited. The goal here is to help inform you, so you can prioritize which potential exploits to address first. Of course, there’s more to it than that, and we’ll get more into that shortly, but that’s the gist of it.
Red team activities typically begin with defining the parameters of the engagement. Examples of some of the information red team documentation should cover include:
- Specific details about the red team activities that are authorized,
- Which exercises or systems to target (if any) are explicitly forbidden,
- How the ethical hackers should handle sensitive personal data during the attack(s).
After the ground rules have been set and authority figures are informed about the activity, the red team starts their job.
Take note that it’s wise to follow existing industry red teaming frameworks and methodologies, such as the MITRE ATT&CK framework, a knowledge base for classifying different kinds of cyber intrusions and attacks. The MITRE framework is a curated catalogue of the tactics and techniques commonly used by cybercriminals, from which teams can emulate cyberattacks and plan defensive behaviors.
With that said, let’s explore what you can expect red teams to do.
The first step is to identify possible attack paths that an attacker could use to:
- Steal, modify or delete your sensitive data
- Disrupt your company’s operations
- Trigger a massive collapse of the company
- Inflict significant financial harm
- Cause issues with regulations and compliance
A red team is responsible for documenting and mapping a company’s attack surfaces. This documentation helps determine the areas that could be vulnerable to hacks. Most importantly, it incorporates data gleaned from hacker-perceived enumeration activities (or the process of extracting network resources or sensitive data such as usernames from a system) as an additional input source.
A red team’s primary discipline is hacking and systems penetration. A red team must periodically test attack routes to infrastructure essential to business operations. The attack methods and tactics a red team uses vary depending on what you’re testing specifically. For example, red teams may try the following measures:
- Application exploitations — identifying any vulnerabilities in your company’s web applications and using these exploits to carry out further attacks.
- Network exploitations — identifying misconfigurations or unpatched holes in the company’s network that can create backdoors to access sensitive systems and information.
- Email social engineering testing — utilizing tactics such as phishing scams to try and trick employees or contractors into clicking on a malicious link.
Moreover, finding ways to circumvent your existing security measures is a must. The more diverse the IT landscape is, the more varied the skillsets of the red team members must be. A single team of experts can’t cover every technology.
In some cases, red teams may use their cunning social engineering skills to gain access to your organization’s physical facility (and maybe even your server room). Here, they can steal physical hardware or install malware directly onto your servers. It’s a brazen tactic that can help you identify potential physical security weaknesses that must be addressed quickly (for obvious reasons).
Focusing on real-world threats is the primary advantage of red teaming as a way of delivering security awareness, and it is also central to all practical cybersecurity training. The data collected from red team simulations can be used to make improvements and to prioritize vulnerabilities that must be mitigated. This data is a gold mine for blue teams.
For example, the aforementioned Exabeam study revealed that 50% of companies that conducted red team exercises decided to increase their security investments following their respective simulations.
Help Increase Cyber Awareness Among Employees
These exercises also provide a plethora of real-world data you can use to train your employees, contractors, other network users, and relevant stakeholders to increase their cybersecurity awareness. So, how do you spread awareness? There are several ways to spread the word about a topic:
- Make videos
- Run live hacking sessions
- Tell your hacking story to the staff
- Hold small awareness sessions
- Publish resource guides
- Write internal use-case studies
- Produce training documentation
So, what are some examples of red teaming activities?
- Using penetration techniques to access your company’s software or web applications.
- Utilizing social engineering methods to try and trick employees into revealing network credentials.
- Replicating administrator access cards to gain access to restricted areas.
- Utilizing tactics such as phishing attacks to try and gain access to the company’s critical systems and data.
- Using SQL injections to pull sensitive data from insecure systems.
- Expropriating or infiltrating internal company communications so security measures can be bypassed in the future.
- Conducting probing and reconnaissance to see how far an attack can be carried out.
While red teaming is essential to improving the security of your IT infrastructure and overall organization, you must ensure it is conducted properly. Be sure to adhere to and follow industry standards and frameworks during implementation. Here are a few tips for safe red teaming.
A red team should ideally include either internal or external resources (hiring third-party vendors is common). Blue teams are usually people you can tap to monitor threats, risks, and attack surfaces. Besides that, it is critical to have an outside-in perspective provided by a team of independent experts familiar with your market.
A red team should be composed of individuals interested in learning everything there is to know about the world around them. Your red team’s ability to excel is bolstered by their curiosity, not just their technical expertise. Specific technical and non-technical skills needed for red teams include:
- Penetration testing
- Ethical hacking
- Social engineering
- Threat intelligence
- Physical infiltration tactics (in some cases)
- Communication and reporting skills
- Interpersonal skills
- Social intelligence
Having an offensive mindset is also highly important.
Successful red teamers also communicate and collaborate well. They should be willing to work with the following groups to close security gaps and improve detection and mitigation:
- Internal or third-party SOC team member (Security Operations Center — a team of cybersecurity experts who monitor and protect your organization’s assets on a never-ending basis), and
- Blue teams
Having a clearly defined purpose and defining applicable parameters ahead of time is essential to a successful red team exercise. Any parts of your security program that you do not want to be tested should be made clear to the pentesters.
To be safe, always remember that a skilled penetration tester comes up with the most unusual ways to get past your security measures. Unless stated beforehand, they may try multiple tactics during a real-world attack simulation, including:
- Installing malware
- Using social engineering tactics and launching phishing attacks
- Disabling or circumventing physical security measures.
Set the parameters for the red teaming exercise in advance, just like leaders do in military war games.
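The two passages above (the engagement documentation that lists authorized activities, forbidden systems and data-handling rules, and the advice to fix the parameters in advance) can be turned into a check the team runs before every planned action. The script below is an added example, not code from the original post or from any project it mentions; the rules-of-engagement fields, the networks, the domains, the technique names and the testing window are all constructed for illustration. It encodes the agreed scope as data and returns the list of rules a planned action would break, so an out-of-scope target, an unauthorized technique, an action outside the agreed window or one that would collect personal data is flagged before anyone touches a system.

```python
"""Rules-of-engagement scope checker (added example; values are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    """The agreed scope for one engagement, as a data structure."""
    in_scope_networks: list        # CIDR blocks the team may touch
    in_scope_domains: list         # DNS suffixes the team may touch
    excluded_hosts: set            # explicitly forbidden IP addresses
    excluded_domains: set          # explicitly forbidden DNS suffixes
    authorized_techniques: set     # activities the document authorizes
    window_start: datetime         # agreed testing window (UTC)
    window_end: datetime
    pii_collection_allowed: bool = False  # may the team copy personal data?


def _domain_matches(host, suffixes):
    """True if host equals, or is a subdomain of, any suffix in the list."""
    host = host.lower().rstrip(".")
    lowered = [s.lower().rstrip(".") for s in suffixes]
    return any(host == s or host.endswith("." + s) for s in lowered)


def _parse_ip(target):
    """Return an ip_address object, or None if the target is a hostname."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def check_action(roe, target, technique, when, handles_pii=False):
    """Return the rules a planned action would break; an empty list means go."""
    violations = []
    addr = _parse_ip(target)
    if addr is not None:
        if str(addr) in roe.excluded_hosts:
            violations.append(f"{target} is an explicitly excluded host")
        if not any(addr in ipaddress.ip_network(n) for n in roe.in_scope_networks):
            violations.append(f"{target} is not inside any in-scope network")
    else:
        if _domain_matches(target, roe.excluded_domains):
            violations.append(f"{target} is under an excluded domain")
        if not _domain_matches(target, roe.in_scope_domains):
            violations.append(f"{target} is not under any in-scope domain")
    if technique not in roe.authorized_techniques:
        violations.append(f"technique '{technique}' is not authorized")
    if not (roe.window_start <= when <= roe.window_end):
        violations.append(f"{when.isoformat()} is outside the agreed testing window")
    if handles_pii and not roe.pii_collection_allowed:
        violations.append("action would collect personal data, which the RoE forbids")
    return violations


# Constructed example scope: a documentation-range network, a private range,
# one hypothetical excluded host (say, a payment system) and an excluded HR zone.
EXAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=["203.0.113.0/24", "10.20.0.0/16"],
    in_scope_domains=["example.com"],
    excluded_hosts={"10.20.0.5"},
    excluded_domains={"hr.example.com"},
    authorized_techniques={"web-app testing", "network scanning", "phishing"},
    window_start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
)
INSIDE_WINDOW = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
OUTSIDE_WINDOW = datetime(2024, 3, 9, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    planned = [
        ("203.0.113.10", "web-app testing", INSIDE_WINDOW, False),
        ("10.20.0.5", "network scanning", INSIDE_WINDOW, False),
        ("payroll.hr.example.com", "phishing", INSIDE_WINDOW, True),
        ("www.example.com", "physical intrusion", OUTSIDE_WINDOW, False),
    ]
    for target, technique, when, pii in planned:
        result = check_action(EXAMPLE_ROE, target, technique, when, pii)
        status = "ALLOWED" if not result else "BLOCKED: " + "; ".join(result)
        print(f"{target:24} {technique:18} {status}")
```

The check is deliberately conservative: a target is allowed only if it is both inside the in-scope list and outside the exclusion list, and every violated rule is reported rather than just the first, which makes the output useful as an audit record alongside the engagement documentation.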
Physical and information security penetration testing laws vary significantly between countries and regions. Red teams will need to ensure that any offensive practices they follow comply with industry and regional laws and regulations, such as the Computer Fraud and Abuse Act in the United States.
It’s especially important to ensure that personal and financial customer information will not be exposed or put at risk during red teaming offensive operations. Relevant regulations and standards include:
- General Data Protection Regulation, or GDPR (if operating in Europe),
- Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability & Accountability Act (HIPAA), and the Homeland Security Act (if operating in the United States), and
- Payment Card Industry Data Security Standards (PCI DSS) (which also applies around the world, and not just the USA)
If your red team exercise is strictly internal, ensure your pen testers know which actions are legally risky. Your legal department should be consulted even if a contractor assists with your red teaming exercise. For example, it’s critical to figure out how to keep customer payment information encrypted even while a red team attack simulation is being carried out, to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).
Preventing problems from occurring is smarter and more cost-effective than fixing them later. Network Assured says that a red team penetration test can cost anywhere from $10,000 to $85,000 on average, depending on the scale and length of the engagement and whether any retesting will be necessary. This contrasts starkly with the average cost of a data breach, which can run into the millions in direct and indirect costs.
Even though your security team or the blue team is supposed to be completely unaware of a red team engagement, someone in a position of authority should know about these upcoming activities. You should also be aware of what your vendors’ pen testing policies are. For example, Amazon outlines what can or can’t be done regarding pen testing on AWS accounts.
5. Secure Your Digital Assets and Systems
The goal of a red team exercise is to demonstrate an attack proof of concept; it’s not to carry out an actual attack that discloses your sensitive data or causes damage to your systems. But even if everyone on the team is diligent and professional, accidents can still occur that can put confidential information at risk. Companies should create a complete inventory list of all of their digital assets, including:
- Financial data,
- Customer information,
- Internal and external web apps and sites, and
- Intellectual property.
Generally, access to these digital assets should be tightly restricted on a need-to-know basis. The red team’s goal is to find out whether there’s a way to get access to these resources.
Be sure to safeguard the assets involved in penetration testing, both physically and digitally. For example, a penetration test should never be performed unless all sensitive data, configurations, and systems are backed up. Use protective agreements as needed, and all business partners and team members should commit to confidentiality. Red teaming is a vital security exercise because it confirms the security weaknesses in your organization. This way, you can strengthen your defenses by remedying those vulnerabilities later.
Recent cyber crime statistics show that the annual average cost of a data breach is $4.24 million (according to IBM and the Ponemon Institute), so red teams have become a necessity for every organization to prevent such a significant loss.
Red teaming helps you discover and fix the gaps in your defenses that you wouldn’t likely find using other methods and that leave you vulnerable to attack or compromise. But what makes it so effective? Hackers tend to be pretty creative people; they love to find new ways to get around (or through) cyber defenses.
The following are some of the direct and indirect advantages of implementing the red team methodology in an organization:
- Helps you identify configuration errors and security holes in current security products.
- Helps you discover gaps in your defenses that traditional tools (e.g., vulnerability scanning) can’t detect.
- Encourages cooperation between your IT and security teams.
- Enables you to find out how secure your policies are (by evaluating their defense systems while subjected to various cyberattacks).
- Allows you to assess your organization’s physical and digital defenses.
- Improves breakout time (how quickly an intruder is detected and contained) and network security, so targeted attacks are recognized sooner.
- Provides you with data you can use to increase staff awareness of how human weaknesses could jeopardize the organization’s security.
Red teaming is best when testing your systems and your organization’s defenses against a cyber attack. As a developer, you must ensure that your products and services are secure to prevent your customers from being hacked.
Regardless of who conducts the red team exercise, it only benefits your team if done correctly. One way to maximize red teaming is by making it a regular practice and ensuring all findings are communicated and actioned.