Stepping Into the Attacker’s Shoes: The Strategic Power of Red Teaming
It is not wise to wait for actual attacks to happen.
Red Teaming security assessments demonstrate how real-world attackers might chain various exploits and attack methods to reach their objectives. The exercises bring in experienced specialists who can show what an organization's cybersecurity really looks like in practice. After all, even the most advanced threat defense tools cannot guarantee complete protection against an attacker's maneuvers.
During Red Teaming tests, cybersecurity experts highlight the tactics attackers use. This knowledge helps organizations better equip their teams, refine their processes and upgrade their technology to reach a higher security standard. The practice helps businesses create a multi-layered defense and enhance information security and IT services.
Clients recently have become interested in employing non-standard attack scenarios. Examples include physical penetration, planting scannable QR codes for employees and social engineering methods (such as voice cloning of managers to issue commands on their behalf).
Red Teaming vs. Penetration Testing
Red Teaming is designed primarily to evaluate the effectiveness of the security operations center (SOC) and to enhance incident response mechanisms and vulnerability management. At first glance, this service may seem similar to penetration testing services. What is the difference?
Red Teaming goes beyond simple security checks. It evaluates the SOC's effectiveness using practical metrics such as response speed, the quality of root-cause identification for alerts and the accuracy with which the SOC reconstructs the attacker's traces. Rather than relying on theoretical standards, it uses simulations of real hacker attacks that do not threaten the company's business continuity. Red Teaming cyber exercises also allow companies to evaluate the potential impact of business risks unique to their operations.
Team members often transition to Red Teaming from roles in penetration testing. After that, they gain experience on the SOC side, learning which hacker methods and security bypass techniques are actually caught by monitoring and which are not. Direct training courses specifically for Red Teaming are rare.
Red Teaming Stages
Red Teaming projects are typically exploratory. They often begin with uncertainty about how the project will unfold in practice. Monitoring points for assessing the success of these projects are established based on the chosen methodology. The initial phase involves reconnaissance and analyzing the attack surface. A subsequent milestone is marked when researchers successfully breach a specific resource or gain control.
Customers always appoint a White Team or an authorized coordinator to oversee these activities, ensuring there is no risk to their infrastructure. Typically, the White Team is led by the head of the SOC. The outcomes of each stage are discussed with this leader. Researchers also inform the customer whether there was an appropriate response from the SOC to all attacks.
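The metrics mentioned above (response speed, quality of triage, and whether every Red Team action drew an appropriate SOC response) are usually computed at the end of a stage from two timelines: the Red Team's log of actions and the SOC's alert queue, with the White Team mapping alerts to actions during the retrospective. The following Python script is an added example, not code from the original article or from any provider's tooling; the action log, the alerts and the four-hour detection SLA are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


def dt(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' timestamps used in the constructed logs."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


@dataclass(frozen=True)
class RedAction:
    action_id: str
    started: datetime
    technique: str
    host: str


@dataclass(frozen=True)
class SocAlert:
    alert_id: str
    raised: datetime
    host: str
    closed_as: str                    # "true-positive", "false-positive" or "open"
    matched_action: Optional[str]     # filled in by the White Team; None = unrelated alert


# Constructed sample data (hosts and times are hypothetical).
RED_ACTIONS = [
    RedAction("RT-01", dt("2024-03-04 09:00"), "phishing", "ws-fin-12"),
    RedAction("RT-02", dt("2024-03-04 10:30"), "credential-dump", "ws-fin-12"),
    RedAction("RT-03", dt("2024-03-05 02:15"), "lateral-movement", "srv-file-01"),
    RedAction("RT-04", dt("2024-03-05 03:40"), "data-staging", "srv-file-01"),
]
SOC_ALERTS = [
    SocAlert("AL-1001", dt("2024-03-04 09:25"), "ws-fin-12", "true-positive", "RT-01"),
    # Seen, but the analyst closed it as a false positive: detected yet mis-triaged.
    SocAlert("AL-1002", dt("2024-03-05 08:50"), "srv-file-01", "false-positive", "RT-03"),
    # Noise unrelated to the exercise.
    SocAlert("AL-1003", dt("2024-03-05 09:05"), "srv-backup-02", "false-positive", None),
]


def score_exercise(actions: List[RedAction], alerts: List[SocAlert],
                   sla_minutes: float = 240) -> Dict[str, object]:
    """Compute detection coverage, time-to-detect and triage quality for one stage."""
    # Earliest alert the White Team mapped to each Red Team action.
    first_alert: Dict[str, SocAlert] = {}
    for al in alerts:
        if al.matched_action is None:
            continue
        prev = first_alert.get(al.matched_action)
        if prev is None or al.raised < prev.raised:
            first_alert[al.matched_action] = al

    ttd_minutes: Dict[str, float] = {}
    triaged_correctly = 0
    missed: List[str] = []
    for act in actions:
        al = first_alert.get(act.action_id)
        if al is None:
            missed.append(act.action_id)
            continue
        minutes = (al.raised - act.started).total_seconds() / 60
        if minutes < 0:
            # An alert cannot precede the action it is mapped to; the mapping is wrong.
            raise ValueError(f"{al.alert_id} mapped to {act.action_id} was raised before it")
        ttd_minutes[act.action_id] = minutes
        if al.closed_as == "true-positive":
            triaged_correctly += 1

    detected = len(ttd_minutes)
    return {
        "actions": len(actions),
        "detected": detected,
        "detection_rate": detected / len(actions) if actions else 0.0,
        "median_ttd_minutes": median(ttd_minutes.values()) if ttd_minutes else None,
        "within_sla": sum(1 for m in ttd_minutes.values() if m <= sla_minutes),
        "triaged_correctly": triaged_correctly,
        "missed_actions": missed,
        "unrelated_alerts": sum(1 for a in alerts if a.matched_action is None),
    }


if __name__ == "__main__":
    for key, value in score_exercise(RED_ACTIONS, SOC_ALERTS).items():
        print(f"{key:20} {value}")
```

The split between "detected" and "triaged correctly" matters: in the constructed data the lateral movement did raise an alert, but it was closed as a false positive, so the SOC saw it and still lost it. A report that only counts alerts would hide that.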
During planning, the Red Team does not inform the customer in advance about the exact date or type of attack. The objective is to test the customer’s genuine readiness to respond to an attack. Red Teaming is a continuous process, not a single event.
Some customers prefer to divide projects into “sprints,” which are stages of a specific duration, often one or two months. At the end of each sprint, Red Team members present their findings and report results to the customer. The team also outlines the plan for the next sprint. This approach allows a customer to monitor the project’s progress and guide the direction of future tests.
Red Teaming Prep: Gearing Up for Operation
Red Teaming is not a set of pre-prepared procedures. It is creative research that draws on the current cybercrime landscape and extensive experience from inside SOCs to understand how quickly attackers can be identified and how the damage they can cause can be prevented.
Red Teaming service providers spend years preparing their infrastructure to conduct Red Teaming exercises. It is not feasible to quickly build a customized infrastructure for a specific customer; this requires prior development. Tailoring the service to a particular client can take from one to four months.
Preliminary exploration takes place during this period. Red Teams use this time to identify and construct a combination of infrastructure elements that will not raise alarms among SOC defenders. For example, if a network administrator typically uses TeamViewer, the Red Team reaches that administrator's machines through TeamViewer as well rather than introducing RAdmin, which would stand out as an unfamiliar tool.
The attacking team must use well-established domains that do not stand out in terms of their creation time or content. All elements should be equipped with valid TLS certificates; otherwise, a newly created domain intended for an attack could easily expose the attackers. When carrying out attacks through social networks, it is necessary to consistently maintain legitimate-looking accounts over time, which helps to conceal any involvement in the attack.
The Red Team uses a common infrastructure but deploys many elements tailored to each customer. For instance, implementing non-standard scenarios such as voice cloning requires extra time, such as training a neural network.
Evaluating Red Teaming Success
Both the customer and the researchers evaluate the quality of Red Teaming projects. The customer does not require a detailed list of specific vulnerabilities to be investigated but rather a broad analysis of potential attack vectors and an assessment of the current security level against identified threats.
There are alternative approaches. For example, before initiating a Red Teaming project, the attacking team may compile a list of scenarios to test and agree on a matrix of business risks for the customer, noting the complexity of their implementation. KPIs are evaluated through these metrics.
If the goals are not met, a retrospective analysis is conducted with the customer. The reason for failure could be the SOC’s effective operation or other factors.
Frequency of Red Teaming Exercises
We all understand that security is not a static state but a dynamic process that involves continual changes to a company’s network perimeter and internal networks.
The IT department frequently adds and modifies services, often testing functionality without informing the information security department. Additionally, top management may push for simpler remote connections to corporate systems, which can compromise security and result in new entry points on the perimeter. Furthermore, mergers, acquisitions and the integration of partners into corporate services transform the infrastructure, making it quite different from what it was just three to six months earlier.
In many cases, inventory is conducted extremely rarely and not thoroughly enough; participants usually perceive the process as a routine aimed purely at documenting networks and services.
Regular evaluations are necessary to effectively control the security of a real system. Annual assessments are good, but more frequent evaluations are better. While two penetration tests a year are beneficial, three might be excessive. Red Team activities provide a way to monitor changes in the potential attack surface without the need for a full rescan. For large and/or rapidly developing companies, conducting assessments every three months is not excessive.
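Monitoring attack-surface changes between full assessments comes down to comparing two perimeter inventories and pulling out what is new, what changed and what deserves attention this week rather than next quarter. The following Python script is an added example and not part of the original article; the two snapshots use TEST-NET-3 addresses and are constructed, and the list of remote-access ports treated as high priority is an assumption the reader should adapt.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# One exposed service as an external scanner would report it.
Service = namedtuple("Service", "host port name banner")

# Assumed set of ports whose appearance on the perimeter warrants immediate review.
REMOTE_ACCESS_PORTS = {21, 22, 23, 445, 3389, 5900, 5985, 5986}

# Constructed snapshots, three months apart.
OLD_SNAPSHOT = [
    Service("203.0.113.10", 443, "https", "nginx/1.24"),
    Service("203.0.113.10", 22, "ssh", "OpenSSH_9.3"),
    Service("203.0.113.20", 443, "https", "IIS/10.0"),
]
NEW_SNAPSHOT = [
    Service("203.0.113.10", 443, "https", "nginx/1.24"),
    Service("203.0.113.10", 22, "ssh", "OpenSSH_9.6"),                        # banner changed
    Service("203.0.113.20", 443, "https", "IIS/10.0"),
    Service("203.0.113.20", 3389, "rdp", "Microsoft Terminal Services"),       # new remote access
    Service("203.0.113.31", 8080, "http", "Jenkins/2.4"),                      # new host entirely
]


def diff_surface(old: List[Service], new: List[Service]) -> Dict[str, object]:
    """Compare two perimeter inventories keyed on (host, port)."""
    old_map = {(s.host, s.port): s for s in old}
    new_map = {(s.host, s.port): s for s in new}
    old_hosts = {s.host for s in old}

    added = [new_map[k] for k in sorted(new_map.keys() - old_map.keys())]
    removed = [old_map[k] for k in sorted(old_map.keys() - new_map.keys())]
    changed: List[Tuple[Service, Service]] = [
        (old_map[k], new_map[k])
        for k in sorted(old_map.keys() & new_map.keys())
        if old_map[k].name != new_map[k].name or old_map[k].banner != new_map[k].banner
    ]
    new_hosts = sorted({s.host for s in new} - old_hosts)
    # Anything on a host nobody knew about, or any fresh remote-access port, goes first.
    priority = [s for s in added if s.host not in old_hosts or s.port in REMOTE_ACCESS_PORTS]

    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "new_hosts": new_hosts,
        "priority": priority,
    }


if __name__ == "__main__":
    report = diff_surface(OLD_SNAPSHOT, NEW_SNAPSHOT)
    for s in report["priority"]:
        print(f"PRIORITY  {s.host}:{s.port} {s.name} ({s.banner})")
    for o, n in report["changed"]:
        print(f"CHANGED   {o.host}:{o.port} {o.banner} -> {n.banner}")
    for s in report["removed"]:
        print(f"REMOVED   {s.host}:{s.port}")
```

Banner changes are kept separate from new services on purpose: a version bump on an existing SSH daemon is usually patching, whereas RDP appearing on a web server is exactly the kind of "simpler remote connection" the text warns about.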
Red Team Attack Strategies
The most frequently launched attacks can be categorized as follows:
- Active actions on the infrastructure’s perimeter, where attackers aim to identify services and exploit web application vulnerabilities.
- Phishing emails and social engineering tactics.
- Deployment of specific tools and payloads on endpoints.
The most elusive attack techniques that challenge traditional security measures and may evade detection by SOCs include:
- Attackers gaining physical access to the infrastructure.
- Targeted social engineering attacks using credible names. These attacks often use instant messengers, which are rarely monitored by information security, as opposed to corporate email.
- Attacks on web services. These attacks typically target the company’s operational web services, often custom programs lacking strong security features.
- The attacker operates within the framework of an already established business process. For example, this could involve using a service interface that is formally intended only for employees but is nevertheless reachable on the external perimeter.
- Wireless channel attacks. Attackers stand up a rogue access point that impersonates a legitimate one, such as the Wi-Fi of a café near the office, and use the unsecured channel to harvest user credentials and brute-force employee passwords.
- Exploiting business process gaps. For example, posing as a job interview candidate to gain network access via an Ethernet connection in a room where the candidate is left unattended.
Exploits and Hacking Tools in Red Teaming
Formally, the deployment of exploits represents a realistic operational scenario. The goal of Red Teaming is to assess the effectiveness of defenses against actions taken by actual attackers. The use of exploits already available to the public is discussed with the customer on an individual basis. However, Red Teaming service providers do not purchase zero-day exploits recently uploaded to the darknet.
For tasks that involve simulating or emulating the actions of malicious software, it is acceptable to use hacker tools. However, the Red Team members must fully understand how these tools function. Without this knowledge, there is a risk that the tool could send data, including the customer's data, to a location the team does not control, such as a built-in telemetry or callback endpoint.
Customers typically do not want their infrastructure exposed to risks during research projects. Normally, open-source hacker tools are used, each being rewritten by about 75% to customize them for specific needs.
Red Teaming Trends
Companies faced with numerous cyberattacks seek immediate solutions to secure their systems. This urgency may result in a surge in demand for penetration tests and fewer initial inquiries for Red Teaming. However, demand from organizations that have previously conducted Red Teaming and penetration tests is steadily increasing.
The focus has shifted towards building a more layered defense, driven by Covid restrictions, remote work and the transition to the cloud. As companies enhance their defensive measures, there is a growing need to conduct Red Teaming projects to evaluate the effectiveness of these new systems and solutions.
The risk of increased malicious insider activity has made the hybrid model increasingly relevant for many Red Teaming providers. This approach is neither a complete White Box, where detailed infrastructure information is provided upfront, nor traditional Red Teaming, which starts from the outside with no inside knowledge. In the hybrid model, researchers are given the access of an insider, such as an ordinary employee account, and use it to gather information about the internal structure of the system being tested.
In the future, more complex Red Teaming scenarios based on generative business intelligence are expected to be deployed. Projects will involve SOCs and their contractors and information security services, including “insiders.” Customers will clearly understand the goals and complexity of Red Teaming projects. As a result, the maturity of the service will increase.
For companies not yet ready for Red Teaming, interest will primarily be directed towards penetration testing and Purple Team services. Interest in Red Teaming will develop later, once the SOC has learned to detect a wide variety of cyberattacks.