Red team testing is increasingly being employed by organisations across the business spectrum, but particularly in the banking and finance sector, to identify vulnerabilities that could leave them open to attack. The no-holds-barred approach of a red team exercise is somewhat different from the standard penetration test you are most likely familiar with. In a red team exercise, professional ethical testers 'attack' an organisation's digital defences in a very real-world scenario, using everything from custom-developed Trojans to social engineering and even physical engagement.
When people talk of penetration testing in the traditional sense, this is often considered a 'breadth first' exercise. So a wide coverage approach is taken whereby as many different weaknesses as possible are uncovered, although not all will be exploited. The red team test flips this on its head somewhat, in that it's more of a 'depth first' concept that sees a chain of weaknesses exploited to reach a defined target.
Another difference between pen tests and red teaming is that of scope. Whereas a standard penetration test might have a narrow scope (application A or network B, for example), the scope of a red team exercise is much broader, covering a range of critical assets or the entire company itself.
A penetration test usually relies upon the client providing relevant information such as the IP addresses to scan or the necessary credentials in order to access an application. A red team, however, will start from the same position as a real attacker would, and that often means going in blind. The exercise is performed from what's known as a black box, or no-knowledge, perspective, and this makes red teaming highly attack-focussed. As a result, red team exercises are much more representative of how real-world attackers work.
Putting your defences to the real world test
This concentration on identifying gaps in security practices and controls, and on uncovering the damage that a determined attacker might wreak, has led to a rise in red teaming. This is hardly surprising when you consider that red teaming isn't just about finding security holes, but also about determining exactly how your organisation is equipped to deal with them in the real world. Such in-depth penetration of an organisation, conducted over an extended time period and combining many layers of attack methodology, certainly puts defences to the reality test.
Yet red teaming is still all too often given a dusting of fantasy by the military connotations in which the terminology is rooted. Don't let that fool you though; this is real-world stuff, with a real relevance to business. It can reveal not only how you detect a threat but also how well your incident monitoring and response processes work under extreme stress. If you don't come out the other side of such an exercise with a better understanding of strategic threat protection, a beefed-up information assurance posture and remediation advice that actually means something, then you've engaged the wrong testers.
End-to-end engagement
So, who are the right red team testers? To answer that you need to understand how red teams and penetration testers differ, and why they are not simply interchangeable terms for the same thing. Whereas a penetration test will usually focus on a particular application or network for an engagement, a red team will be much more in-depth and will test various levels of the business including people, processes and infrastructure. Think of a red team as being an end-to-end engagement, one that demands much more technical capability and time to perform.
The average red team exercise will combine multiple phases that will likely include such things as:
- Reconnaissance in order to obtain information about the company and its infrastructure, such as IPs and email addresses.
- Attack delivery and exploitation involving the creation of custom exploits that target employees using spear-phishing techniques to gain access to the internal network.
- Internal compromise that uses access obtained to further probe the network and identify assets that are of interest to the attacker.
- Exfiltration, which often refers to extraction of simulated data from the environment and ‘cleaning’ of any traces of the red team intrusion. Organisations often also want to see whether they have a capability to spot data being exfiltrated from their environment.
- Reporting, which will be at a high level so as to detail all the activities undertaken, assess the susceptibility of the target organisation and provide mitigation advice where needed.
Why is red teaming on the rise?
Don't confuse a red team exercise with a full security audit; it's a totally different process. What you get, and why red teaming is becoming such an essential part of the security posture of so many organisations these days, is an insight into strategic security thinking that cannot be over-emphasised. How else can you see how your defences would cope with a criminal attack, if not under controlled conditions employing highly skilled professionals who won't put your data or business integrity at risk?
So, why is red teaming on the rise? Because it's a form of testing your real-world security based upon accurate simulations of the kind of targeted attacks organisations face every day, from backroom hackers to cyber criminals or state-sponsored attackers. Only by using such a methodology are you going to deliver the real business impact of a breach, and only by understanding that impact will your security posture improve.