The term Red Teaming has been heard by everyone who is involved in information security directly or indirectly. But not everyone fully understands what it is: why do we need an assessment of the effectiveness of the incident response team? What is this form of training for the defender team? Often, Red Teaming is given out for comprehensive penetration testing: they provide classic, albeit advanced penetration testing at a price several times higher. Some large companies are looking for their own specialists in Red Teaming and, most likely, also do not fully understand what tasks they will solve with their help. What is Red Teaming as a service and what is not Red Teaming? About it below.
Like many other things in our daily lives (duct tape, microwave, canned goods, etc.), the term Red Teaming came from the military-industrial complex. During the Vietnam War, American military pilots practiced air combat skills and studied their own mistakes, thereby increasing their skill level without real loss of pilots and aircraft. But the name “red team”, most likely, appeared during the confrontation with the Soviet Union. Historically, the “red” attack, and the “blue” defend.
The guards in Budapest also liked this term;)
What is Red Teaming?
Myth # 1. Red Teaming is a comprehensive penetration or audit test.
There are three main types of work to check the level of security of a company.
1. Vulnerability assessment (Vulnerability Assessment) – analysis of information systems to identify weaknesses and vulnerabilities, checks can be manual and using vulnerability scanners. In this case, a vulnerability search is performed, most often without exploiting these vulnerabilities or a simple spot check. It is part of the vulnerability management process.
2. Penetration Testing (Penetrating Test) – search and exploitation of vulnerabilities to achieve a goal (gain access) and demonstrate the impact on business processes. It can be performed in semi-automatic and manual mode. Penetration testing can also be considered as a search for possible attack paths in order to reduce attack surfaces. Most often during work there is no opposition from the information security service, the service is provided within pre-agreed boundaries (subnets, hosts) and methods (for example, the customer may prohibit the use of social engineering).
3. Red teaming – a service whose main purpose is to train and evaluate the effectiveness of people, processes and protection technologies. In the classic version, work on Red Teaming is performed in secrecy – without warning information security specialists. The service is implemented completely manually (utilities are used, but not put at the forefront). Also, the attacking team must control the IOC of the utilities used (the name of the utilities, the name of the functions, cached data, etc.) so as not to give out ahead of time. Vulnerabilities can be sought and exploited, but only to achieve the goal.
Red Teaming is the process of using Tactics, Techniques and Procedures (TTP) to simulate the actions of a real opponent in order to train and evaluate the effectiveness of people, processes and technologies that are used to protect the infrastructure and environment of the organization.
Simulating the actions of attackers by a team of attackers trains the automatism of incident response and gives defenders situational awareness of the tools and tactics of attackers.
Red Teaming focuses on integrated security operations that include people, processes, and technologies. Red Teaming directly focuses on training the defensive team and assessing how the security service can counteract the real actions of the adversary. Technical flaws and vulnerabilities in this case are secondary – the key question is: how with their help the intruder can influence the activities of the organization.
At the heart of Red Teaming is the scenario of the enemy. Scenarios distinguish Red Teaming from penetration testing, and they also determine the progress of the project. Scenarios allow you to simulate the actions of a specific adversary (a specific APT group) or simulate the actions of a suspected attacker.
Red Teaming uses methods and techniques of offensive security, but by its nature it is part of defensive security and part of SOC, therefore cannot exist without the Blue Team.
An attacking team is an independent group of professionals that looks at the security of an organization from the position of an adversary. The team finds alternative ways to achieve its goals and challenges the organization’s defenders to test their readiness for real threats. Independence helps attackers accurately and unbiasedly assess security levels while avoiding many biases.
Myth number 2. An organization may have its own internal Red Teaming
To maintain independence, the attacking team must be external. And the lack of any knowledge about the attacked system and its protection (except for the information that was obtained at an early stage of the project) will allow for better preparation and development of the correct project implementation strategy. Internal Red Teaming can only be in a limited form, and it is better to call it the term “Purple Teaming” (a mixture of red and blue colors) or Threat Hunt. This is a group of specialists within the company that can carry out various attacks on the infrastructure and at the same time set up controls to detect such attacks. But the external group should evaluate the effectiveness.
Like any activity, Red Teaming has a purpose. The objectives of the attackers can be different (the main thing is that they do not violate the law and trade secrets), for example:
• capture and consolidation in the network;
• the ability to move freely in the network;
• access to the application or data;
• gaining access to a server or workstation;
• the ability to extract critical data and bypass leakage protection (DLP);
• the ability to go unnoticed for a certain period of time;
• the ability to perform operational impact.
Myth No. 3. Red Teaming is essentially a competition in which winners and losers are identified
There are no winners or losers at Red Teaming. Attackers do not have the goal of quietly and quietly capturing the server or network of the organization. At the initial stage, the attacking team will act silently, but as soon as it approaches the target “arm’s length”, it will begin to “make noise” in order to attract the attention of the defenders. If they detect and block attackers at an early stage, they will not be able to find out how the enemy can proceed further. But if there are no winners and losers, how to determine success?
The success of Red Teaming is not determined by how well the attacking team captures the network. The Red Teaming project is successful when the attacking team fulfills its goals and the defense team is able to learn and improve the organization’s security level.
Success can also be determined by answering the following questions:
• How long does the defense team detect attackers?
• Do available tools detect attackers?
• Does the defense team follow its TTP when the actions of the attacking team raise an alarm?
• Can the defense team detect communication channels with the attacking command center (C2)?
• Can defenders compile a profile of attackers based on indicators of compromise (IOC) on the network and on the hosts?
How to determine that the Red Teaming project is at the completion stage (and it’s time to write a report)? This item is discussed and approved at the start. In general, there are several options:
• The project has come to an end. Any project has a time limit. Of course, Red Teaming lasts longer than penetration testing, but not indefinitely. In this case, the attacking team will begin to prepare a report on the work performed, regardless of whether the goals were achieved or not.
• The attacking team completed the goal set before it. If the attacking team was “noisy” in the network environment of the organization quite loudly, but no one responded to this “noise”, it will complete the project by fulfilling the set goal.
• The defender team discovered the actions of the attacking team. There is a pitfall here. If the defender team at an early stage detected an attack, for example, a phishing attack or the installation of a communication channel with the command center (C2), and shouted “yeah, we got into it!”, It reacted correctly – the goal was achieved. In this case, it is worthwhile to discuss in advance the possibility for the defenders to observe the further actions of the attackers. Here you can already monitor up to a certain point and thereby check which security controls are triggered and which are not and require additional settings. Defenders at any time will be able to disconnect the communication channels and say “caught!”, But before that they will have time to get acquainted with new techniques.
What is the key benefit of Red Teaming? The ability to change the viewing angle of information security in the company:
• see the real state of security and weak points in it (before someone especially “gifted” does it from the outside);
• identify gaps in processes, procedures and techniques (and eliminate, of course);
• find out whether the IS service is doing its job well, without the consequences of a real incident;
• better understand the tactics, methods, procedures of the adversary and spend the budget on information security more efficiently;
• Raise awareness among IS personnel, managers, and staff.
If the Red Teaming project does not improve the level of security, then there is no point in conducting it.
Myth # 4. Only mature security organizations may need Red Teaming.
Red Teaming can be used by organizations with any level of information security maturity. A prerequisite is a team of defenders and processes for responding to incidents and threats.
Red and Teaming will help organizations with entry-level and mid-maturity assess their ability to confront an experienced adversary: understand which way to grow, which security controls to implement. And also develop automatism for the correct response to incidents.
For an organization with a mature level of security, this will be the training and development of their skills. But besides this, they will be able to see new techniques and tactics that they have not yet encountered.
The following teams participate in the project:
• Red team (Red Team) – attacking. Specialists who simulate attacks on an organization.
• Blue team (Blue Team) – defenders. Specialists who protect the infrastructure and must detect the actions of the red team.
• White team (White Team) – project manager. The role may be played by the head of information security, CISO. The manager who coordinates and controls the work: he knows everything that is happening at the moment on the project, what the attacking team does and how the defender team reacts to it. There are conditions for this role. The project manager can, for example, give hints to the attacking team (whether it is worth strengthening or weakening the attack) or toss indicators of compromise (IOC), but cannot give hints to the defender team. The option with tips is not common, as customers tend to “realism” of what is happening. However, here you need to understand that the Red Team team, unlike real hackers, has a time limit for studying the behavior of the Blue Team. For this reason, in some cases, clues are quite appropriate.
Often the White Team is confused with the Purple Team.
Myth number 5. The very high cost of the Red Teaming project
Perhaps the most important issue that interests any customer is the price. The sky-high cost of Red Teaming is a marketing ploy. An incomprehensible name, a new trend in the information security industry – all this often leads to unreasonable inflation of the price of a service.
The cost of Red Teaming is calculated based on the duration of the project, which in turn depends on the chosen scenario. The more complex the script, the more work on it.
The duration of the Red Teaming project is due to the fact that the attacking team is required to act covertly so as not to reveal itself ahead of time. The average project duration is about 12 weeks. For comparison: comprehensive penetration testing, including external perimeter, internal infrastructure, social engineering and analysis of wireless networks, lasts 7 weeks on average (it can be completed faster if the contractor conducts the stages in parallel).
Even before the start of the main part, the attacking team conducts passive reconnaissance and data collection, preparing the infrastructure and finalizing or developing their own tools in accordance with the information received. And at the end of the project, an additional consultation of the customer’s employees is organized. All these labor costs are taken into account in the total cost.
It follows quite logically that the price for Red Teaming will be higher than comprehensive penetration testing. But at the same time, of course, it will not exceed its cost tenfold.
Completion of work
The report is a form of proof of work. However, its main value is that it can (and should) be analyzed and used to improve security in the company. Therefore, its quality is extremely important.
The Red Teaming report can be quite different from the penetration testing and security analysis reports. Since the work is largely focused on the script, the report is based on a history of actions.
The report will contain the following information:
• High-level conclusion on the state of security and the willingness of defenders to confront real threats
• Risks identified as a result of analysis of project implementation and response of advocates
• Timeline of the attacking team from the beginning to the end of the project. The defender team will be able to compare them with their event logs to identify additional indicators of compromise (IOC)
• Technical details with step-by-step information that will allow you to repeat the steps and find the deficiencies found
• Technical recommendations for immediate use, to close detected critical vulnerabilities
• Strategic recommendations for the long-term outlook for improving security.
At the end of the project, several meetings are possible with representatives of both sides. One is to guide the organization, with a focus on the overall picture of the project. The results of Red Teaming may affect the future work of the organization: require funding to eliminate the shortcomings found or to change the staffing table. If the results of Red Teaming will be used to improve the security of the organization (otherwise, such work does not make sense), then the awareness and interest of the management is very important.
Another meeting is a technical one. This is a two-way exchange of information between attackers, defenders and the project coordinator on the customer side. Includes a detailed high-tech review of the actions of the attacking and defensive team taken during the project. Allows both parties to ask questions in the context of implemented attacks and respond to them, receive recommendations for improvement and ideas for new methodologies. This makes it possible to improve the ability of both defenders and attacking teams. Such meetings are part of the project, and their benefits can be invaluable.
The topic of Red Teaming is very extensive and cannot be fully considered in one article. Nevertheless, from the above, we can draw some basic short conclusions:
• The main benefits of Red Teaming are training and knowledge sharing
• Red Teaming helps assess the overall level of security and the organization’s willingness to confront a real adversary
• The main difference between Red Teaming and other types of work is the scripts (we will discuss them in the next article)
• You can’t call Red Teaming penetration testing and vice versa – these are two different tasks, two different approaches, two different goals that do not replace one another.
Posted by Dmitry Neverov, Security Analysis Expert, Rostelecom Solar