Red Teaming

Red teaming is when security experts pretend to be attackers to test how well an organization can detect, resist, and respond to real-world threats.

We've all heard the saying "practice makes perfect". It commonly applies to activities such as sports, playing music and strategy games. What if it could be applied to your cyber security environment?

As someone responsible for the cyber security of your environment, have you ever wondered:

  • Will we be alerted to an active attacker within our network?
  • Can we identify insider threats in our cloud or on prem infrastructure?
  • How far inside could an attacker get?
  • Can we detect and block these activities right now?
  • Are our defences enough?

Participating in a Red Teaming exercise can help to answer these questions.

Red Teaming is a step above a cyber security table-top exercise and Penetration Testing: it allows a trusted Red Team to emulate real-world cyber-attacks within your environment. Based on typical adversarial Tactics, Techniques and Procedures (TTPs), these attacks are designed to be non-destructive. They are either meant to be detected (e.g. Purple Teaming) or, in some cases, intentionally obfuscated to test how well your organization can spot and respond to realistic threats while uncovering vulnerabilities within your environment (e.g. Red vs. Blue Teaming).

This activity provides a structured way to evaluate your ability to identify, defend against, and respond to both external and internal attackers and update your Blue Team’s Playbooks.

A good Red Team will work with you to identify which processes and controls in your environment to target, along with the concerns specific to your organization, your software and your unique configurations, ensuring that these areas are put to the test during the engagement.

While the Red Team takes the role of adversary emulation, your Blue Team plays the role of the Defender. You'll be responsible for watching for suspicious activity, interfacing with reporting/escalation processes (e.g. phishing/foreign media reporting), investigating alerts, and stopping the attack as quickly as possible. This activity is crucial in helping your Blue Team learn how attackers really behave, allowing them to adjust their security tools, consider new options, and update response plans to fix any weaknesses found.

What Steps Can You Expect During a Red Team Engagement?

A Red Team engagement should progress through some clearly defined phases including but not limited to:

Pre-engagement, planning and setup

This planning stage is critical to ensure that the correct scope, expectations, rules and boundaries are defined, so that the engagement proceeds safely and legally. This includes confirming the scope of testing, such as Wi-Fi, mobile devices, media, call centre procedures, cloud environments, physical access and supporting processes. Clear Rules of Engagement are essential in Red Teaming: they specify the permitted techniques (including social engineering), what information can flow between teams, and which systems or actions are strictly out of scope, especially anything destructive. A Red Team operation that leads to out-of-scope or unwanted destructive consequences can be highly counterproductive, because your organization then has to spend its time repairing those consequences rather than focusing on the intended in-scope control and process mitigations.

Execution

This step includes the actual adversarial emulation, something that is also experienced in a traditional penetration testing scenario. Actions will include reconnaissance, initial access, privilege escalation and/or lateral movement, exploitation (establishing persistence, data exfiltration, etc.), reporting, and clean-up.

Depending on your prior agreements with the Red Team, they can pause after each attack (or after individual steps in the attack) to consult with the Blue Team, checking whether the malicious activity was detected and walking the Blue Team through the step-by-step actions taken. This type of collaboration, referred to as Purple Teaming, helps both sides learn together in a progressive manner.
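One way to turn that pause-and-check into a record, as an added example that is not the page's or TENUMBRA's own tooling: a small Python detection scorecard that pairs each Red Team step with the first matching Blue Team alert and reports time-to-detect. The technique labels, the 30-minute detection window and the sample session below are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class RedAction:
    step: str        # phase of the emulated attack (labels are an assumption)
    technique: str   # label agreed with the Blue Team so alerts can be matched
    when: datetime   # when the Red Team executed the step

@dataclass
class BlueAlert:
    technique: str   # label the detection rule maps to
    when: datetime   # when the alert fired

def time_to_detect(action: RedAction, alerts: list, window: timedelta) -> Optional[timedelta]:
    """Delay until the first same-technique alert raised at or after the action and within
    the window; None means undetected. Alerts raised before the action are ignored."""
    delays = [a.when - action.when for a in alerts
              if a.technique == action.technique
              and timedelta(0) <= a.when - action.when <= window]
    return min(delays) if delays else None

def scorecard(actions: list, alerts: list, window: timedelta = timedelta(minutes=30)) -> tuple:
    """One row per Red Team step, plus the fraction of steps detected within the window."""
    rows = []
    for act in actions:
        ttd = time_to_detect(act, alerts, window)
        rows.append({"step": act.step, "technique": act.technique,
                     "detected": ttd is not None, "time_to_detect": ttd})
    coverage = sum(r["detected"] for r in rows) / len(rows) if rows else 0.0
    return rows, coverage

# Constructed sample data for one Purple Teaming session (not real engagement data).
def T(h, m): return datetime(2025, 5, 8, h, m)
SAMPLE_ACTIONS = [
    RedAction("reconnaissance", "recon", T(9, 0)),
    RedAction("initial access", "initial-access", T(9, 20)),
    RedAction("privilege escalation", "priv-esc", T(9, 50)),
    RedAction("lateral movement", "lateral-movement", T(10, 10)),
    RedAction("exfiltration", "exfil", T(10, 40)),
]
SAMPLE_ALERTS = [
    BlueAlert("initial-access", T(9, 27)),     # 7 minutes after the step: detected
    BlueAlert("lateral-movement", T(10, 5)),   # fired before the step: cannot be credited
    BlueAlert("lateral-movement", T(10, 22)),  # 12 minutes after the step: detected
    BlueAlert("exfil", T(11, 30)),             # 50 minutes later: outside the window
]

if __name__ == "__main__":
    print(scorecard(SAMPLE_ACTIONS, SAMPLE_ALERTS)[1])   # 0.4 on the sample session
```

The undetected rows are the ones worth a Blue Team conversation, since each is either a missing detection or a rule that fires too slowly to matter.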

Wrap-up

Wrap-up of the engagement takes the form of debriefing and remediation reviews that provide a clear summary of the Red Team's findings, lessons learned and actions, while guiding the organization through prioritized steps to fix the identified weaknesses. Finally, cleaning up, or assisting with the clean-up of, the in-scope environments is necessary to remove any artifacts left by the adversarial emulation activities. If this is left unaddressed, evidence of breach-related activities remains behind, which could assist a true adversary or add confusion to future incident resolution.

Choosing the right type of engagement will depend on what your organization wants to learn or test, and possibly which Playbooks you want to assess or update. Although Penetration Tests are good for finding basic vulnerabilities, Red Teaming is your best bet for emulating real attack scenarios against your controls and processes without harming your environment. Red vs. Blue Team exercises also help you assess how well your defenders can detect and respond, while Purple Teaming sessions are a collaborative effort in which both sides learn together. When combined, these approaches can help your organization become far more resilient (and confident) against modern cyber threats.

If you want to hear more about TENUMBRA's Red Team offerings, please reach out to inquiry@tenumbra.com
