Stepping Into the Attacker’s Shoes: The Strategic Power of Red Teaming (Insights from the Field)
Red Teaming security assessments aim to demonstrate to clients how attackers in the real world might link together various exploits and attack methods to reach their objectives.
It is not wise to wait for actual attacks to happen. Red Teaming exercises give you the chance to bring in a team of reliable experts who can show you what your organization’s cybersecurity really looks like. After all, even the most advanced threat defense tools cannot always assure complete protection against an attacker’s maneuvers.
Red Teaming tests help businesses create a multi-layered defense and enhance their information security and IT services. During Red Teaming tests, experts highlight the different tactics attackers use. Armed with this knowledge, customers can better equip their teams, refine their processes and upgrade their technology to reach a higher security standard.
Recently, there has been growing client interest in employing non-standard attack scenarios. Examples include physical penetration, planting QR codes for employees to scan, and social engineering methods such as cloning a manager’s voice to issue commands on their behalf.
Red Teaming vs. Penetration Testing
Red Teaming is primarily designed to evaluate the effectiveness of the SOC and enhance incident response mechanisms and vulnerability management. At first glance, this service may seem very similar to penetration testing, so what is the difference?
Red Teaming goes beyond simple security checks. It primarily evaluates the SOC’s effectiveness using practical metrics such as response speed, the quality of root-cause identification for an alert, and the accuracy with which the attack’s traces are reconstructed. Rather than relying on theoretical standards, it uses simulations of real hacker attacks that do not threaten the company’s business continuity. Red Teaming cyber exercises also allow companies to evaluate the potential impact of various business risks unique to their operations.
Team members often transition to Red Teaming from roles in penetration testing. After that, they gain experience on the SOC side, learning about hacker methods and security bypass techniques. Direct training courses specifically for Red Teaming are rare.
Red Teaming Prep: Gearing Up for Operation
Red Teaming is not a set of pre-prepared procedures. It is creative research that draws on the current cybercrime landscape and extensive experience from inside SOCs to understand how quickly attackers can be identified and how the damage they can cause can be prevented.
Red Teaming service providers spend years preparing the infrastructure used to conduct Red Teaming exercises. It is not feasible to quickly build a customized infrastructure for a specific customer; this requires prior development.
Tailoring the service to a particular client can take anywhere from one to four months.
During this period, preliminary exploration takes place. Red Teams use this time to identify and construct a combination of infrastructure elements that will not raise alarms among SOC defenders. For example, if a network administrator typically uses TeamViewer, the Red Team will not introduce RAdmin, since an unfamiliar remote-access tool would raise suspicion.
The attacking team must use well-established domains that do not stand out in terms of their creation time or content. All elements should be equipped with valid TLS certificates; otherwise, a newly created domain intended for an attack could easily expose the attackers. When carrying out attacks through social networks, it is necessary to consistently maintain legitimate-looking accounts, which helps to conceal any involvement in the attack.
The Red Team uses a common infrastructure but deploys many additional elements tailored to each customer. For instance, implementing non-standard scenarios such as voice cloning requires extra time, such as for training a neural network.
It is important to note that customers always appoint a White Team or an authorized coordinator to oversee these activities, ensuring that there is no risk to their infrastructure.
Red Teaming Stages
Red Teaming projects are typically exploratory and often begin with uncertainty about how they will unfold in practice. Monitoring points for assessing the success of these projects are established based on the chosen methodology. The initial phase involves reconnaissance and analyzing the attack surface. A subsequent milestone is marked when researchers successfully breach a specific resource or gain control.
Some customers prefer to divide projects into “sprints,” which are stages of a specific duration (one or two months). At the end of each sprint, Red Team members present their findings and report results to the customer. They also outline the plan for the next sprint. This approach allows the customer to monitor the project’s progress and guide the direction of future tests.
It should be noted that in planning, the Red Team does not inform the customer in advance about the exact date or type of attack. The objective is to test the customer’s genuine readiness to respond to an attack. Red Teaming is a continuous process, not a single event.
Typically, the White Team is led by the head of the SOC. The outcomes of each stage are discussed with this leader. Researchers also inform the customer whether there was an appropriate response from the SOC to all attacks.
Evaluating the Success of Red Teaming
Both the customer and the researchers evaluate the quality of Red Teaming projects.
The customer does not require a detailed list of specific vulnerabilities to be investigated but rather a broad analysis of potential attack vectors and an assessment of the current security level against identified threats.
There are alternative approaches as well. For example, before initiating a Red Teaming project, the attacking team may compile a list of scenarios to test and agree on a matrix of business risks for the customer, noting the complexity of their implementation. KPIs are evaluated through these metrics.
If the goals are not met, a retrospective analysis is conducted with the customer. The reason for failure could be the effective operation of the SOC or other factors.
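The SOC metrics described above (response speed, root-cause quality, trace accuracy) and the per-scenario KPIs agreed with the customer can be scored by reconciling the Red Team’s action log with the SOC’s tickets. The following is an added example, not code from the original article or any provider; the action log, tickets and the 4-hour SLA are constructed values, and the White Team is assumed to have matched each ticket to the Red Team action it concerns.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class RedAction:
    id: str
    started: datetime
    technique: str          # what the Red Team actually did

@dataclass
class SocTicket:
    action_id: Optional[str]  # matched Red Team action, None if the White Team found no match
    opened: datetime
    cause: str                # technique the SOC named as the cause of the alert

def score_soc(actions, tickets, sla=timedelta(hours=4)):
    """Score SOC response against the Red Team timeline; earliest ticket per action counts."""
    first_ticket = {}
    for t in tickets:
        if t.action_id is None:
            continue
        if t.action_id not in first_ticket or t.opened < first_ticket[t.action_id].opened:
            first_ticket[t.action_id] = t
    latencies_h, correct_cause = [], 0
    for a in actions:
        t = first_ticket.get(a.id)
        if t is None:
            continue  # action went undetected
        latencies_h.append((t.opened - a.started).total_seconds() / 3600)
        correct_cause += t.cause == a.technique
    detected = len(latencies_h)
    sla_h = sla.total_seconds() / 3600
    return {
        "detection_rate": detected / len(actions),
        "mean_time_to_detect_h": mean(latencies_h) if latencies_h else None,
        "within_sla_rate": sum(l <= sla_h for l in latencies_h) / len(actions),
        "cause_accuracy": correct_cause / detected if detected else 0.0,
        "unattributed_tickets": sum(t.action_id is None for t in tickets),
    }

# Constructed sample exercise: four Red Team actions, five SOC tickets.
T0 = datetime(2024, 3, 4, 9, 0)
ACTIONS = [
    RedAction("A1", T0, "phishing"),
    RedAction("A2", T0 + timedelta(hours=2), "credential_access"),
    RedAction("A3", T0 + timedelta(hours=5), "lateral_movement"),
    RedAction("A4", T0 + timedelta(hours=9), "data_staging"),   # never detected
]
TICKETS = [
    SocTicket("A1", T0 + timedelta(hours=1), "phishing"),            # 1 h, correct cause
    SocTicket("A2", T0 + timedelta(hours=5), "malware"),             # 3 h, wrong cause
    SocTicket("A2", T0 + timedelta(hours=6), "credential_access"),   # later duplicate, ignored
    SocTicket("A3", T0 + timedelta(hours=13), "lateral_movement"),   # 8 h, correct but past SLA
    SocTicket(None, T0 + timedelta(hours=10), "scanner_noise"),      # unrelated alert
]
```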
Frequency of Red Teaming Exercises
We all understand that security is not a static state but a dynamic process that involves continual changes to a company’s network perimeter and internal networks.
The IT department frequently adds and modifies services, often testing functionality without informing the information security department. Additionally, top management may push for simpler remote connections to corporate systems, which can compromise security and result in new network assets that nobody has assessed. Furthermore, market mergers, acquisitions and the integration of partners into corporate services are processes that transform the infrastructure, making it quite different from what it was just three to six months earlier.
In many cases, inventory is conducted extremely rarely and not thoroughly enough; participants usually perceive the process as a routine aimed purely at documenting networks and services.
To effectively control the security of a real system, regular evaluations are necessary. Annual assessments are good, but more frequent evaluations are better. While two penetration tests a year are beneficial, three might be excessive. Red Team activities provide a way to monitor changes in the potential attack surface without the need for a full rescan. For large and/or rapidly developing companies, conducting inspections every three months is not excessive.
Red Team Attack Strategies
The most frequently launched attacks can be categorized as follows:
• Active actions on the infrastructure’s perimeter, where attackers aim to identify services and exploit web application vulnerabilities.
• Phishing emails and social engineering tactics.
• Deployment of specific tools and payloads on endpoints.
Hard-to-Detect Attack Techniques
The most elusive attack techniques that challenge traditional security measures and may evade detection by SOCs include:
• Attackers gaining physical access to the infrastructure.
• Targeted social engineering attacks using credible names. These attacks often use instant messengers, which are rarely monitored by information security, as opposed to corporate email.
• Attacks on web services. Typically, these attacks target the company’s operational web services, which are often custom programs lacking strong security features.
• The attacker operates within the framework of an already established process. For example, this could involve the operation of a service interface on the external perimeter, which is formally intended only for employees.
• Wireless channel attacks. These attacks occur when attackers use unsecured wireless channels to impersonate legitimate access points, such as those in a café near the office, to harvest user credentials and brute force employee passwords.
• Exploiting business process gaps. For example, posing as a job interview candidate to gain network access via an Ethernet connection in a room where the candidate is left unattended.
Exploits and Hacking Tools in Red Teaming
Formally, the deployment of exploits represents a realistic operational scenario. The goal of Red Teaming is to assess the effectiveness of defenses against actions taken by actual attackers. The use of exploits already available to the public is discussed with the customer on an individual basis. However, Red Teaming service providers do not purchase zero-day exploits that have been recently uploaded to the darknet.
For tasks that involve simulating or emulating the actions of malicious software, the use of hacker tools is acceptable. However, the Red Team members must fully understand how these tools function. Without this knowledge, there is a risk that the hacker tool could unintentionally send data to an unknown location.
Customers typically do not want their infrastructure to be exposed to risks during research projects. Normally, open-source hacker tools are used, each being rewritten by about 75% to customize them for specific needs.
Red Teaming Trends
Companies faced with numerous cyber-attacks seek immediate solutions to secure their systems. This urgency may result in a surge in demand for penetration tests and fewer initial inquiries for Red Teaming. However, demand from organizations that have previously conducted Red Teaming and penetration tests is steadily increasing.
The focus has shifted towards building a more layered defense, driven by COVID-19 restrictions, remote work and the transition to the cloud. As companies enhance their defensive measures, there is a growing need to conduct Red Teaming projects to evaluate the effectiveness of these new systems and solutions.
The risk of increased malicious insider activity has made the hybrid model increasingly relevant for many Red Teaming providers. This approach is neither a complete White Box, where detailed infrastructure information is provided upfront, nor traditional Red Teaming. In the hybrid model, researchers gain insider access, allowing them to gather information about the internal structure of the system being tested.
In the future, more complex Red Teaming scenarios based on generative business intelligence are expected to be deployed. Projects will involve not only SOCs but also their contractors and information security services, including “insiders.” Customers will gain a clearer understanding of the goals and complexity of Red Teaming projects. As a result, the maturity of the service will increase.
For companies not yet ready for Red Teaming, interest will primarily be directed towards penetration testing and Purple Team services. Interest in Red Teaming will develop later, once the SOC has learned to detect a wide variety of cyberattacks.