Red Team testing explained: what is Red Teaming?

September 2, 2020 | Nick Cavalancia

This blog was written by a third party author.

In the world of cybersecurity preparedness, there are a variety of strategies organizations large and small can take to help protect their networks and data from cyber-attacks. One such strategy involves an organization testing its own environment for security vulnerabilities. But because security weaknesses come in different forms, it’s necessary to have a focused security team that comprehensively searches for vulnerabilities that go beyond simple risk assessments. Part of this dedicated security team can include a Red Team.

What is a Red Team?

Whether internal or external, Red Teams are responsible for running simulated cyberattacks on either their own organization (in the case of an internal Red Team) or other organizations (in the case of Red Team services as part of contracted external security services) to establish the effectiveness of the organization’s security programs. While Red Teams use many of the same tools and techniques used in penetration tests or “ethical hacking”, the objective of a Red Team is different. Attacks employed by Red Teams are multi-layered simulations designed to gauge how well a company’s people, networks, applications, and physical security controls can detect, alert on, and respond to a genuine attack.

What is Red Team testing?

Red Team testing is also known as an Adversary Simulation or simply Red Teaming. During Red Team testing, highly experienced security professionals take on the guise of a real attacker and attempt to breach the organization’s cyber defenses. The attack scenarios they enact are designed to exercise the various attack surfaces presented by the organization and identify gaps in preventative, detective, and response-related security controls. These attacks leverage the full range of tools available to the most persistent attackers—including social engineering and physical attack vectors, from carefully crafted phishing emails to genuine attempts to breach onsite security and gain access to server rooms.

Prior to the assessment, rules of engagement are established between the Red Team members and the smallest possible set of participants within the organization to be tested. This number will vary but is typically no more than 5 people in key positions who can observe the organization’s detection and response activities. Based on the rules of engagement, a Red Team may target any or all of the following areas during the exercise:

  • Technology defenses – In order to reveal potential vulnerabilities and risks within hardware and software-based systems like networks, applications, routers, switches, and appliances.
  • Human defenses – Often the weakest link in any organization’s cyber defenses, Red Teaming will target staff, independent contractors, departments, and business partners to ensure they’re all as secure as possible.
  • Physical defenses – Physical security around offices, warehouses, substations, data centers, and buildings is just as important as technology defenses, and as such should be stress tested against a genuine attack. Something as seemingly innocuous as holding a secure door open for someone without having them tap in can provide the gap an attacker needs to gain access to unauthorized systems.

Through this process, Red Team testing helps security teams identify any loopholes or weak points that could provide opportunities for attackers (either internal or external) to gain access to a company’s systems, which could then result in a serious data breach. Most importantly, it highlights gaps in the detective and response capabilities that the organization relies on to identify and counter such malicious activity on a day-to-day basis.

Who is Red Team testing suitable for?

The harsh reality of today’s security landscape is that every size of business is a target for cyber-attacks, and as a result many compliance frameworks include penetration testing recommendations to test security posture. However, organizations that have a mature information security program and associated Security Operations Center (SOC) processes they want to assess will benefit most from a Red Team exercise. Because of the depth of testing involved, Red Teaming can be a costly process. The value and importance of Red Teaming to an organization can also depend on the nature of your business and the value of your data or intellectual property. Naturally, for larger organizations this may be easier to justify.

Red Team assessments vs Penetration Tests

Penetration Testing (or Pen Testing, as it’s often referred to) is similar to Red Teaming; however, the objectives are different.

Though specific scope will vary widely, a Pen Test is a simulated cyberattack against a collection of network, system, and application resources, and the people who use and administer those resources, to identify and exercise exploitable vulnerabilities. By contrast, Red Teaming will often involve more people, resources, and time, and will dig deeper into a company’s defenses than a Pen Test. This allows the team to more fully understand the true level of risk the company is exposed to, and specifically helps gauge the effectiveness and coverage of preventative, detective, and response controls and the operational processes that administer them. As a result, Red Teaming is typically undertaken by organizations with more mature security postures.

Some of the most common ways Red Teaming goes beyond Pen Testing include:

  • Attempting to evade detection through various techniques
  • Noting when actions are taken by the security administrators in response to the Red Team, such as sink-holing an IP address
  • Providing specific recommendations for tuning detective controls that were able to be bypassed during the exercise
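The last two points, recording which defender actions were taken against each Red Team action and turning the gaps into tuning recommendations, are usually tracked in a spreadsheet during the exercise. The following Python scorer is an added example for this post, not code from the original article or from any Red Team service; every action, control name, timestamp and SOC event in it is constructed. It pairs each logged Red Team action with the earliest SOC response attributed to it, computes detection coverage and mean time to detect, and lists, per detective control, the actions that went unnoticed so the control can be tuned.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RedTeamAction:
    """One logged Red Team action and the detective control expected to catch it."""
    action_id: str
    technique: str
    control: str
    started: datetime


@dataclass(frozen=True)
class SocEvent:
    """A defender action recorded during the exercise (alert, isolate, sinkhole, ...)."""
    observed: datetime
    response: str
    action_id: Optional[str]  # Red Team action the SOC attributed it to, if any


def score_exercise(actions: List[RedTeamAction], events: List[SocEvent]) -> Dict:
    """Score detective/response coverage of an exercise from its two logs."""
    # Earliest SOC event credited to each action; unattributed events are noise.
    first_response: Dict[str, SocEvent] = {}
    for ev in events:
        if ev.action_id is None:
            continue
        prior = first_response.get(ev.action_id)
        if prior is None or ev.observed < prior.observed:
            first_response[ev.action_id] = ev

    detected: List[Tuple[str, str, float]] = []   # (action_id, response, minutes)
    missed_by_control: Dict[str, List[str]] = {}
    for act in actions:
        ev = first_response.get(act.action_id)
        if ev is None:
            missed_by_control.setdefault(act.control, []).append(act.action_id)
            continue
        minutes = (ev.observed - act.started).total_seconds() / 60.0
        detected.append((act.action_id, ev.response, minutes))

    coverage = len(detected) / len(actions) if actions else 0.0
    mttd = sum(m for _, _, m in detected) / len(detected) if detected else None
    # One tuning recommendation per control that let at least one action through.
    recommendations = [
        f"Tune {control}: no response recorded for {', '.join(ids)}"
        for control, ids in sorted(missed_by_control.items())
    ]
    return {
        "coverage": coverage,
        "mean_time_to_detect_min": mttd,
        "detected": detected,
        "missed_by_control": missed_by_control,
        "recommendations": recommendations,
    }


def build_sample() -> Tuple[List[RedTeamAction], List[SocEvent]]:
    """Constructed exercise logs (hypothetical control names and times)."""
    t = lambda h, m: datetime(2020, 9, 2, h, m)
    actions = [
        RedTeamAction("A1", "phishing email", "email-gateway", t(9, 0)),
        RedTeamAction("A2", "credential dumping", "edr", t(10, 30)),
        RedTeamAction("A3", "C2 beacon", "dns-monitoring", t(11, 0)),
        RedTeamAction("A4", "lateral movement", "edr", t(13, 0)),
        RedTeamAction("A5", "tailgating", "physical-access", t(8, 30)),
    ]
    events = [
        SocEvent(t(9, 30), "ticket", "A1"),      # later duplicate, not the first response
        SocEvent(t(9, 12), "alert", "A1"),
        SocEvent(t(10, 35), "isolate", "A2"),
        SocEvent(t(12, 40), "sinkhole", "A3"),   # IP sink-holed 100 minutes after beaconing began
        SocEvent(t(14, 0), "alert", None),       # unattributed alert, not credited
    ]
    return actions, events


if __name__ == "__main__":
    report = score_exercise(*build_sample())
    print(f"coverage {report['coverage']:.0%}, MTTD {report['mean_time_to_detect_min']:.1f} min")
    for line in report["recommendations"]:
        print(line)
```

The two logs are kept separate on purpose: the Red Team records what it did and when, the observers record what the SOC did and when, and only afterwards are they joined, so the exercise can show both late detections (long dwell times) and controls that never fired.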

Benefits of Red Team testing

Every CISO can relate to the struggle to stay on top of the latest security threats, shore up company defenses, and justify the allocation of security resources. Red Team testing can be a powerful tool in this process, helping you assess an organization’s ability to detect, respond to, and prevent sophisticated and targeted threats, identify and quantify gaps in existing security defenses, and inform future processes.

It can also help define a baseline of security which can be regularly reassessed and re-evaluated. In the face of a growing cybersecurity threat landscape, Red Team testing helps organizations identify the risks and susceptibility of attack against key business information assets.

About the Author: Nick Cavalancia

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 25 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, Master CNI. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.
