Red Teaming vs Penetration Testing
Assurance of information security is an increasingly important concern for business, and Red Teaming is one of the notable trends in this area. Companies have started to take a practical interest in Red Team exercises, but not everyone fully understands what Red Teaming is and how it differs from penetration testing.
Red Teaming - Targeted Attack Simulation
When it comes to cyber security, no organization is completely secure. Even large global companies with heavy investment in security and advanced protective technologies can have weak points in key elements such as people, business processes and technologies, and at the points where these intersect. Red Teaming has become an effective way to identify such weaknesses.
Because the threat landscape changes constantly, with new tools and criminal groups appearing, new kinds of risk arise that are hard to identify with traditional security assessment methods. In addition, the information security field is asymmetric: the attacker is always in a more comfortable position than the defender. The defended infrastructure has to be effective all the time, 24/7, while the attacker only has to succeed once.
The attacker also has the opportunity to study the victim carefully before the active phase of the attack, whereas the defender typically begins studying the intruder only once the attack is already under way. Against this background, the most realistic and advanced approach to security testing is a cyber exercise in the Red Teaming format: a continuous assessment of the security of information systems, of the readiness of incident response specialists, and of the infrastructure's resistance to new types of attack, including Advanced Persistent Threats (APTs), which are sophisticated, sustained and targeted intrusions.
To strengthen the capabilities of cyber defenders, the information security industry split the work into two poles, defensive and offensive, and gave them different colours: red for the attacking side, blue for the defender. The concepts of Red Team and Blue Team come from traditional military practice, and the meaning of the terms has not changed. In the cyber security context, the Blue Team is the group of experts whose task is to protect the infrastructure.
What Is Red Teaming?
Red Teaming is a comprehensive and highly realistic way to test an organization's ability to withstand sophisticated cyberattacks that use the advanced methods and tools found in the arsenal of real hacker groups. The main idea of the exercise is not only to identify weaknesses that standard testing methodologies did not detect, but also to assess the organization's ability to prevent, detect and respond to cyberattacks. As a result, Red Teaming helps the company understand how well its security measures protect important assets, whether alerting and monitoring are configured correctly, and what an attacker can do inside the internal infrastructure once a single user's workstation or credentials are compromised.
Therefore, everything should be as realistic as possible: the customer's security team, which plays the role of the Blue Team, is not informed that testing has started, so that the Red Team can simulate the actions of real attackers based on a dedicated threat analysis and evaluate whether the infrastructure can be "broken". Cyber security testing in the Red Teaming format is most effective for companies with a mature level of information security. Such exercises are not constrained by the tight time-box of a typical penetration test and are focused on achieving objectives, whether that is gaining access to particular network nodes or to sensitive information by any available means.
The main Red Teaming scenarios, which are unique to each customer, depend on the goals set. Commonly used scenarios include:
- compromise of Active Directory (for example, obtaining domain administrator privileges);
- gaining access to the devices of top management;
- simulated theft of sensitive customer data or intellectual property.
Differences between Red Teaming and Penetration Testing
Although Red Teaming and penetration testing use similar attack tools, the objectives and outcomes of the two assessments differ considerably. The Red Teaming process simulates real, targeted attacks on the organization as a whole. The advantage of this approach is the continuous probing of information systems in pursuit of the agreed objectives. Such a deep assessment gives a comprehensive picture of how secure the infrastructure is, how aware employees are, and how effective the company's internal processes are when it is exposed to a real attack.
ImmuniWeb's web penetration testing services effectively complement Red Teaming procedures and can be used in conjunction with them or separately.
In the course of a penetration test, specialists attempt to exploit the vulnerabilities they discover and to escalate their privileges in order to assess the risk these weaknesses pose. A penetration test does not, however, assess readiness to detect and respond to information security incidents.
As our security experts' years of experience show, Red Teaming and penetration testing complement each other well. Each assessment is important and useful to the organization in its own way: such a combined programme makes it possible to evaluate both the passive security of the systems (the vulnerabilities present) and the active security of the company as a whole (its ability to detect and respond).
Red Teaming complements other forms of testing, such as vulnerability scanning, code analysis, application penetration testing and other methods. A Red Teaming engagement is divided into several consecutive stages. To increase efficiency, and given the limited time available, some actions within the main stages may begin earlier or be performed in parallel with others, so in practice the Red Teaming process is not a strictly linear sequence of steps.
Stages of Red Teaming Process
- The preparatory stage.
This stage, during which the company's current needs are assessed and the scope of work is defined, usually lasts up to six weeks. The key parameters of the Red Teaming engagement are specified and the official launch of the project is announced. A working group is formed from representatives of the Customer and the Contractor; the duration and scope of work are agreed, prohibited actions (out-of-scope systems and techniques) are defined, communication protocols and formats are agreed, and a Red Team is assembled to meet the needs of the project.
- Stage of conducting the Red Teaming.
At this stage the Red Team performs analysis in the Threat Intelligence format, develops scenarios based on the critical functions of the systems and the threat model, and creates a plan for attacking the agreed targets, which are usually the assets, systems and services that support one or more critical functions. The Red Team conducts reconnaissance, whose main task is to study the company's profile, structure and line of business and to determine, from the attacker's point of view, the most relevant threats, key nodes and goals.
At the same time, the customer can engage a third-party Threat Intelligence provider for a targeted threat analysis of the object under investigation and receive a Targeted Threat Intelligence (TTI) report that complements the subsequent testing scenarios and provides useful information about the client's company. On the basis of this work, a testing plan and a list of practical attack scenarios for further verification are compiled. The developed scenarios take into account not only approaches already used in the past, but also new methods of the relevant threat actors.
Next, following the plan and scenarios, the Red Team carries out the testing, performing covert attacks against the identified critical functions or assets of the target systems. If obstacles arise, alternative ways of achieving the objectives are developed using the tactics of advanced attackers. All of the team's data and actions are recorded so that a report on the testing can be prepared.
- The final stage.
The Red Teaming process moves to this stage once all the steps have been completed successfully or the time allotted for the work has expired. At the final stage the Red Team prepares a report describing the work performed, its conclusions, and observations on threat detection and response, and hands it over to the Blue Team, which prepares its own report describing the actions it took, matched against the chronology of the Red Team report. The participants then share the results, analyse them and plan further steps to increase the company's cyber resilience.
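The joint review at the final stage boils down to lining up the Red Team's chronology against the Blue Team's detection and response records and asking, for each action, whether it was seen and how fast. The script below is an added example of that reconciliation; it is not part of the original article and not ImmuniWeb's tooling. Every log line is constructed for illustration: host names, action IDs and timestamps are invented, and the ATT&CK technique IDs serve only as labels. The attribution rules (an alert is credited to the most recent Red Team action on the same host, a containment closes the earliest detected action on that host) are assumptions about how such a review would be done, not a standard.

```python
"""Reconcile a Red Team chronology with Blue Team detection/response records.
Added example, not from the original article. Every log line is constructed:
hosts, action IDs and times are invented; ATT&CK IDs serve only as labels.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Red Team chronology: timestamp, action id, ATT&CK technique, host, description
RED_TEAM_LOG = """\
2024-03-04T09:12:00Z,RT-01,T1566.001,WS-FIN-07,phishing email with macro-enabled attachment delivered
2024-03-04T09:41:00Z,RT-02,T1059.001,WS-FIN-07,PowerShell stager executed from the opened document
2024-03-04T10:05:00Z,RT-03,T1003.001,WS-FIN-07,LSASS memory dumped to harvest credentials
2024-03-04T11:30:00Z,RT-04,T1021.002,FS-01,SMB lateral movement to file server with harvested credentials
2024-03-05T08:15:00Z,RT-05,T1078.002,DC-01,Domain Admin logon to domain controller
"""

# Blue Team records: timestamp, host, event kind (alert|contained), description
BLUE_TEAM_LOG = """\
2024-03-04T09:58:00Z,WS-FIN-07,alert,EDR flagged encoded PowerShell command line
2024-03-04T14:20:00Z,WS-FIN-07,contained,workstation isolated from the network
2024-03-05T09:05:00Z,DC-01,alert,SIEM rule: privileged logon outside change window
2024-03-05T09:40:00Z,DC-01,contained,Domain Admin account disabled and password reset
"""


@dataclass
class RedAction:
    ts: datetime
    action_id: str
    technique: str
    host: str
    description: str


@dataclass
class BlueEvent:
    ts: datetime
    host: str
    kind: str
    description: str


@dataclass
class Outcome:
    action: RedAction
    detected_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_red(text: str) -> list[RedAction]:
    rows = [line.split(",", 4) for line in text.strip().splitlines()]
    return [RedAction(parse_ts(ts), aid, tech, host, desc) for ts, aid, tech, host, desc in rows]


def parse_blue(text: str) -> list[BlueEvent]:
    rows = [line.split(",", 3) for line in text.strip().splitlines()]
    return [BlueEvent(parse_ts(ts), host, kind, desc) for ts, host, kind, desc in rows]


def reconcile(actions: list[RedAction], events: list[BlueEvent]) -> list[Outcome]:
    """Attribute Blue Team events to Red Team actions (assumed review rules).
    An alert is credited to the most recent Red action on the same host at or
    before the alert; a containment closes the earliest detected-but-open action
    on that host. Events with no candidate action are ignored as noise.
    """
    outcomes = {a.action_id: Outcome(a) for a in actions}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "alert":
            cands = [a for a in actions if a.host == ev.host and a.ts <= ev.ts]
            if cands:
                hit = outcomes[max(cands, key=lambda a: a.ts).action_id]
                if hit.detected_at is None:
                    hit.detected_at = ev.ts
        elif ev.kind == "contained":
            open_ = [o for o in outcomes.values() if o.action.host == ev.host
                     and o.detected_at is not None and o.detected_at <= ev.ts
                     and o.contained_at is None]
            if open_:
                earliest = min(open_, key=lambda o: o.detected_at)
                earliest.contained_at = ev.ts
    return [outcomes[a.action_id] for a in actions]


def minutes(start: datetime, end: Optional[datetime]) -> Optional[float]:
    return None if end is None else (end - start).total_seconds() / 60


def summarize(outcomes: list[Outcome]) -> dict:
    """Per-action time-to-detect / time-to-contain plus headline metrics."""
    per_action = {o.action.action_id: {"technique": o.action.technique,
                                        "ttd_minutes": minutes(o.action.ts, o.detected_at),
                                        "ttc_minutes": minutes(o.action.ts, o.contained_at)}
                  for o in outcomes}
    ttds = [v["ttd_minutes"] for v in per_action.values() if v["ttd_minutes"] is not None]
    return {
        "per_action": per_action,
        "detected": len(ttds),
        "detection_rate": len(ttds) / len(outcomes) if outcomes else 0.0,
        "mean_ttd_minutes": sum(ttds) / len(ttds) if ttds else None,
        "undetected": [k for k, v in per_action.items() if v["ttd_minutes"] is None],
    }


if __name__ == "__main__":
    print(summarize(reconcile(parse_red(RED_TEAM_LOG), parse_blue(BLUE_TEAM_LOG))))
```

On the constructed data the review shows the pattern that matters in such a debrief: the PowerShell stager and the Domain Admin logon were caught (17 and 50 minutes after the action), but the phishing delivery, the LSASS dump and the SMB lateral movement produced no alert at all, so the "detected" column is less important than the "undetected" list, which is what feeds the improvement plan. Re-running the same reconciliation on the next exercise gives the before/after comparison needed to measure improvement over time.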
To direct attacks towards the agreed objective, the experts of the company conducting the Red Teaming exercise use a proven methodology that is adapted to the specific Customer, taking into account the particulars of the organization's activities and avoiding disruption of critical business processes. The life cycle of testing in the Red Teaming format follows the stages of the Cyber Kill Chain: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
Testing in the Red Teaming format gives the organization a picture of the strengths and weaknesses of its cybersecurity, and makes it possible to define an improvement plan for business continuity and the protection of valuable data against the most common cyber threats. By making Red Teaming part of its security strategy, a company can measure security improvements over time, for example by tracking how quickly the Blue Team detects and contains the same classes of action from one exercise to the next. Such measurable results can be used to justify additional information security projects and the introduction of the necessary technical protective measures.