Updated: Aug 1, 2019
What to consider before starting a security red team engagement?
Cyber security red-teaming is a rather new paradigm. A few years ago when we started providing red-team as a service, all references for the term ‘red-team’ yielded results related to military drills. Today, it is much more common practice among security-aware organizations, and many providers offer this service.
As often happens with numerous new paradigms, one can find different approaches to and ambiguous meanings for the term. This article tries to put things in order, define the differences between a ‘penetration test’ and a ‘red-team exercise,’ explain the diverse types of ‘red-team,’ and highlight what the main value of each is and when an organization should decide to engage in such an activity.
What is a Security Red-Team?
A security red-team is a test that aims to assess the security level of an organization, identify main weaknesses in its security posture, provide insights about the organization’s resilience level, and reveal how prepared it is to withstand a real-life attack.
The way to provide such an assessment is by simulating a real cyber-attack. The standard process of a security red-team involves the following stages:
Planning - Working with the client to define the scope, timeline, objectives, rules of engagement, etc.
Information Gathering - This stage may also be called threat intelligence or reconnaissance. This is the stage where the team collects information about the potential attack surface and builds an attack plan.
Initial Penetration - Finding the first point of access, which may be an external-facing server, a user endpoint or any other endpoint in the organization's network.
Establishing control - Usually involves elevation of privileges and establishing some method of remote control (reverse shell, web shell, RDP access, etc.).
Lateral movement and Trophy Hunt - Once the team has established some type of control of internal resources in the network, it is time to move forward and access the most valuable assets of the organization (e.g. access the payment system and prove you can make a transaction). These trophies are defined together with the customer at the planning stage.
What is the Difference between a Red-Team and Security Penetration Test?
Scope - The scope of a penetration test is usually narrow and consists of a specific system and a limited set of IP addresses. The scope of a red-team exercise is usually much wider and may include the entire organization. Penetration testing is done for business-critical systems, while a red-teamer may focus on a negligible server that was overlooked on all previous pen-tests, but could be used as a pivot to gain access to other critical servers in the network.
Depth - A penetration tester will provide some type of PoC that may serve as evidence of the vulnerability that was detected. A red-teamer will strive to exploit the vulnerability and gain access to business-critical data. If the vulnerability is not exploitable or cannot be used to reach the defined target, it will be ignored.
Goal - The goal of a penetration test is to validate that the security control of a system is intact. The result of a pen-test would be a list of vulnerabilities ranked by criticality. There may not only be high and critical vulnerabilities, but also low and medium ones. Although low and medium risk means low probability for an exploit, it is good to handle such vulnerabilities in order to enforce security best practices among developers and IT, comply with standards and regulations, and improve overall security posture. On the other hand, the goal of a red-team exercise is quite different. It aims to find critical vulnerabilities and to validate the entire security infrastructure — not only how resilient it is to breaches, but how much time it takes the organization to detect a breach and how equipped it is to respond.
Coverage - A pen-test tries to provide full coverage and detect all vulnerabilities in a given system, whereas a red team tries to detect only enough vulnerabilities to achieve its goal, much like a robber who will not also try to crack the door lock after he has already got into the bank through the window. A penetration test, on the other hand, does try both the window and the door, as well as other potential break-in points.
Simulation of real attacks - A red-team will usually try to simulate real attacks, meaning that the starting point is zero access to the organization with all security controls in place. In penetration testing, you want to increase the effectiveness of the test, so you bypass security controls such as a WAF or IPS and give the pen-tester easy access to the tested environment. In that sense, a penetration test does not simulate a real attack scenario.
Different Types of Red-Team
TIBER-EU - The European Central Bank has published a framework for conducting Threat Intelligence-based Ethical Red Teaming. This approach assumes that the test simulates a real attack scenario in which the organization is not aware of the preparations for the attack and is not expecting an attack to happen. This type of activity takes several months to complete. The general idea is as follows:
The Red-Team has no inside information, thus needs to collect intelligence by itself. The intelligence gathering (reconnaissance) is part of the test results that are delivered as part of a summary report.
The Red-Team can choose how to get in: it can use social engineering, exploit critical vulnerabilities, or even gain physical access in order to gain control of the organization’s ‘crown jewels.’
IT and SOC are unaware of the project; they need to react as if they detect a real cyber-attack.
There is at least one person in the organization who is aware and responsible for defining the rules of engagement.
Red vs Blue - The main goal of this activity is to help the blue-team practice detection and response in conditions as close as possible to real-life events. In this scenario, we can assume that the attacker has already found a way in and is now trying to move forward and obtain access to critical organizational assets. The blue team's goal is to detect the attacker and block their way before the critical assets are breached. Status meetings can take place on a daily or weekly basis, depending on the maturity level of the blue-team. In these meetings, if the blue-team was not able to detect the red-team's actions, it is given help in order to improve detection in the future.
Internal Threat - This type of activity simulates either an employee who has logical access to the network (valid username & password) or a contractor who has physical access to the network but no credentials.
Limited - A Red-Team is usually an extensive effort that may span several months and include team members with different types of expertise. It can also be a short and limited effort that tests a specific aspect only. Since red-teaming is such a wide domain that incorporates many security paradigms, it has the flexibility to define small, modest objectives, for instance:
Social engineering - a limited spear phishing campaign to collect users’ passwords.
Port in the wall scenario - what can an attacker with physical access to a network port accomplish in a few days?
Breach the perimeter - test the external perimeter, but stop as soon as a critical vulnerability is found.
Who Should Perform a Cyber Red-Team?
Every type of organization can engage in a red-team activity; however, it is best suited for organizations with any of the following characteristics:
Large attack surface - The larger the attack surface, the harder it is to keep it secure. A large attack surface means over 200 IP addresses open to the internet and usually ownership of several class B ranges.
Mature security level - Organizations that bought and implemented all types of ‘next-generation’ security controls that are supposed to identify and block all threats before an attacker even thinks about it. A red-team activity is a good way to test how effective your security controls are (by the way, it often takes minor configuration changes for a product to improve dramatically and that can be revealed during such tests).
Active SOC - Organizations invest a great deal of money in building security operations. SOC members may constantly be reviewing security alerts, but over 90% of the alerts are false positives. The Red-Team can help the SOC detect real events and make sure they manage to separate the wheat from the chaff.
Specific concern - If you need to know whether an attacker can gain access to your most valuable assets.
What are the Benefits of Performing a Security Red-Team?
By now you probably have a good picture of what the benefits of red-team activities are. You have built an impressive security framework, based on state-of-the-art tools, best practice processes, and the best people. But a critical security event does not happen every day; in fact, it happens very rarely. So you need to simulate one in order to train your people and test and improve your systems.
Simulate a real-life security event.
Test the detection and response capability of your entire organization (and not just one system).
Test against a large range of attacks (applications, network, social engineering, etc.).
Focus on your critical assets (maybe attackers can breach your network, but can they get access to your crown jewels?).
Increase security awareness across the entire IT organization - When a red-team gets access to an organization’s most valuable assets, it has a strong impact on every employee and almost always results in an immediate improvement of security.
Train defensive teams to detect and react to cyber-attacks.