Whether it’s a security assessment, a vulnerability scan, a red team or a pen test, what do they have in common? Each aims to identify issues and mitigate them from an organisational risk perspective.
This article aims to clear up common confusion between these terms. For information on blue teams or combined approaches, please see the purple teaming blog post.
What is Red Teaming?
Red teaming in cyber security is an intelligence-led attack simulation campaign that attempts to exploit weaknesses in the defensive controls deployed by an organisation. A red team penetration testing exercise takes into account all three factors:
- People: Often used as a foot in the door tactic by utilising spear-phishing or social engineering techniques.
- Process: Exploiting known weaknesses in the processes using information gained during the extensive OSINT (Open Source Intelligence) phase
- Technology: Bypassing technical controls (such as anti-virus) or taking advantage of the lack of technical controls (such as no data exfiltration checks)
This is a full-scale targeted attack conducted in stealth aimed at an organisation to assess its defensive controls (checks on detection and response capabilities throughout the organisation). Our red team prepares the plan based on surveillance and research and the latest tactics, techniques, and procedures (TTP) used by malicious threat actors. This exercise is carried out by security consultants known as red teamers (also pen testers with relevant skill-set).
Red team assessments run from 5-6 weeks to a few months depending upon the scope. As this is a scenario-driven exercise, no credentials are provided to the red team experts. Unlike penetration testing conducted on the staging/development environments (mostly in the case of web applications), the red team is always targeted at the production environment. This engagement leverages post-breach scenarios to pivot into new systems and networks and launch further attacks or exfiltrate data.
The engagement is charged as a one-time fixed project fee. At Cyphere, we have tiered pricing based on the extent of access achieved in the client infrastructure. It’s only fair to charge clients based on the actual effort and not the entire project fee. More customisation is possible in certain projects where clients have specific objectives, such as exfiltrating data from specific databases, tiered test cases that raise noise levels to alert blue teams, or fully stealthy projects.
Business Benefits of Red Teaming
Engaging the red team pentesting and working with the blue team leads to increases in cyber defences and capabilities, reducing the overall risk and increasing the alertness levels. Here are the main benefits of a red team testing activity:
- Identify misconfigurations and gaps in the existing security products and processes
- Assess the maturity of detection and response capabilities, whether it’s your MSSP or internal security team
- Utilise red teaming as a chance to build the core security capabilities, increasing the overall cyber security maturity
- Experience an organisational attack in a real-time scenario – nothing’s more insightful than to observe your teams, products and processes responding to these events
- You’ll be able to prepare a business case that management buys into
By thinking like an attacker, or one of your competitors, red team testing is driven to gain access and is not restricted by assumptions or preconceptions.
Red Teaming Methodology
Red team penetration testing activities follow the famous ATT&CK Framework, a popular knowledge base of adversary tactics, techniques, and procedures (TTP) based on the real-world experiences of red and blue teams. A red team attack sequence is largely based on the cyber kill chain, originally developed by Lockheed Martin to break down the red team attack into identifiable stages. This is
- Payload & Delivery
- Command & Control
- Actions on Objectives
Common Terms & Acronyms
- TTP – Tactics, techniques and procedures (TTP) is a concept in terrorism and cyber security that discusses a threat actor’s behaviour. By analysing TTP, one can understand the behaviour of attackers and how specific attacks are orchestrated.
- Implant – An implant will act like a trojan virus, with the main difference that it’s under the full control of an attacker. An implant could be software or hardware deployed to be stealthy and obtain information in a short time.
- EDR Solution – An endpoint detection and response solution is a centrally managed solution deployed on endpoints across the organisation to provide effective malware protection.
- C2 Servers – Command and control servers, also called C2, C&C, are set up by attackers and/or threat actors to maintain communication with compromised assets within the target network.
- Indicators of Compromise (IoC) – An artefact observed on a network or a computer system indicating a breach or an intrusion. IoCs provide valuable information on what happened and what can be done to prevent such attacks.
- APT (Advanced Persistent Threats) – A stealth threat actor (belonging to a nation-state or organised crime group) that gains unauthorised access to a network and remains undetected for extended periods.
What is Penetration Testing?
A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. This cybersecurity assurance is provided against an organisation’s assets targeted to find as many vulnerabilities as possible. It involves vulnerability assessment followed by a manual focus on the exploitation of identified flaws.
This exercise carried out by pen testers is limited to simulation of threat actor activity affecting a particular asset or group of assets. For example, an online retailer can commission a penetration test against web and mobile applications, underlying APIs and the supporting infrastructure. This in-depth exercise uncovers flaws from an unauthenticated and authenticated threat actor perspective (known as grey box methodology). The output relates to configuration issues, sensitive information storage practices, encryption configuration, secure hardening practices, logging and monitoring and authentication/authorisation security mechanisms.
The average duration of a penetration testing engagement is one to four weeks. Bigger programmes, such as a transformation programme undergoing large-scale technical risk assessment, could extend to months. Once an assessment is finished, a deliverable in the form of a report and risk matrix in line with the customer’s risk register format is provided to help with the remediation plan. A dedicated remediation service can be initiated to help remediate the identified findings and improve the security posture. We have published an in-depth article specifically dedicated to penetration testing, covering the different types, process, methodology, costs, and more.
Given the digital advancements and our reliance on the internet since the pandemic hit the entire planet, the need to do safe and secure business online is growing due to large security postures.
It is important to understand the context of assets in scope for the engagement to perform penetration testing. These projects are categorised into three areas based on the level of knowledge and access granted to the security consultants. These are:
- Black Box Penetration Testing: A black box pen test starts with no prior knowledge and access to the target. For example, an internal infrastructure security assessment with zero prior knowledge.
- Grey Box Penetration Testing: A grey box pen test involves some level of knowledge and access to the target. An internal infrastructure security assessment targeted at certain servers where IP address/ranges and other information is provided.
- White Box Penetration Testing: A white box pen test is granted with the highest information and access level. For example, a secure hardening review on a specific build where administrator-level access is provided to assess current controls gaps.
Business Benefits of Penetration Testing
- Identify and mitigate network & web application vulnerabilities before hackers do.
- Independent third-party opinion, including business logic flaws found through out-of-the-box thinking
- Cyber attack simulation in a controlled manner (without disrupting operations)
- Meet compliance and regulation requirements
- Demonstrate cyber security commitment
- Initial Scoping & Objectives
Remediation is an optional phase offered as a consultancy service to the customers where a risk mitigation plan is defined and executed on behalf of the customer.
Are you ready?
The question of red teaming vs pentesting is often asked because of multiple factors based around misunderstandings, budgets, timings, scopes and outcomes. The breakdowns below provide further insight.
When should you consider a red team assessment?
- To identify the core risks that affect the organisation (for example, lack of content filtering allowing data exfiltration)
- To assess your cyber-attack preparedness in real-time.
- To gain insights into how attackers can target your organisation.
- To understand how to address your attack surface.
- To review your cyber security investments (or to build a business case where necessary)
When you are asking for a ‘red team’ and don’t need one.
Red teaming, a term originally used by the military, is often confused with penetration testing. Unfortunately, security companies have contributed to this: sales teams have convinced potential customers to buy red teaming without discussing business context, the history of their security processes, and/or their cyber security maturity. It is equally the buyer’s decision when it is made without probing into their objectives and mapping the actions that would help them review their controls. A red team conducted before an organisation understands the security basics is similar to spending on house decoration where structural issues have not been sorted yet.
Red team investment may not be justified yet if an organisation isn’t equipped with the following:
- Technical security baselines on major assets such as servers, user endpoints.
- Basic logging and monitoring processes
- Incident response teams and processes
The above signs are also indicators of an organisation lacking cyber security maturity. The same red team budget can be split into multiple areas where risk identification and mitigation can be initiated as smaller projects, contributing to an overall security posture.
When you are asking for a ‘pen test’ and don’t need one.
In the past, customers have requested penetration testing of enterprise products in use inside their environment. Although this is not a wrong decision to perform a test on the product, this should be the least of your worries as it’s often looked at during the product evaluation process. It’s your vendor’s responsibility to first-hand adopt secure development lifecycle processes and deliver you a safe and secure product. Product vendors often put their products through various rounds of security testing during development stages, and finding weaknesses in their product would drain your security budget. Vendors these days often provide cyber assurance collaterals that include details of product security assessments. However, a customer may get a better return on investment if a secure configuration review or a breakout assessment is aimed at the product implementation in the customer’s infrastructure context.
Red Teaming vs Pentesting – Which one should I pick for my business?
If you are interested in doing quick checks on your system to find vulnerabilities in specific areas, penetration testing is a great way to do so quickly. If you want to know just how hard it is for attackers to compromise your business, red team security testing is the course of action you want to take. However, base these decisions on what you have, what your functional objectives are, and whether these activities fit in at the right times.
Roughly, the project scope under the red team is the entire organisation. The supply chain scope could even stretch this further where subsidiaries are also included. Let us provide you with this diagram that illustrates the differences in an easy to understand manner (adapted from @coffeetocode).
Red Team vs Penetration Testing – Selection tips
A quick search will show you which certifications and pen test vendors to look for when selecting the right partner for the right type of assessment. It is also important to make readers aware of the key mistakes made in this process. Budgets, as well as outcomes, are important factors in such exercises. It would be best to keep in mind the following pointers that often stump businesses looking to perform security control validations.
- SMB businesses often end up relying on IT service providers. This is either due to a lack of awareness or to avoid onboarding one more vendor. However, there is more downside than upside here, as IT service providers often lack the depth that cyber security specialists have and lack clarity on where they stand compared to peers in their industry.
- Utilising the same vendor for MDR (Managed Detection and Response)/outsourced SOC (Security Operations Center) and pen testing is a clear No! No! There is a clear conflict of interest here, no matter how convincing their sales team is.
- If a penetration test vendor isn’t prepared to help you with your third-party developers, or isn’t able to translate or help with the remediation plan, you are paying for a report-and-run consultancy.
- Vendors who provide CVs of experienced resources to win opportunities later swap them with less experienced consultants, citing availability or other reasons. This is clearly aimed at tricking the customer and increasing profitability without considering the customer relationship.
- Jumping into high-budget red teams without considering and agreeing on the deliverable outcomes.
- Although this is not the norm amongst big security vendors, pricing must be agreed in line with the possible outcomes. In the case of red teams, it’s not a given that the entire organisation can be compromised or that all objectives can be achieved. Therefore the vendor shouldn’t charge the entire fee for the project. When they haven’t utilised resources for the project’s entire duration, the high billing is not justified. Many other factors around this should form part of your project discussions.
Ensuring your company’s security measures stand up to the latest cyber-attacks is vital to keeping your business safe from online criminals. With these kinds of security assessments, you can ensure that any weaknesses in organisations are addressed and that your team understands how to stop potential cyber-attacks.
If you are looking for help with red team assessments or pen tests, do not hesitate to work with cybersecurity firms. They will have the necessary skill-set, industry expertise and tools and techniques to rigorously test your security implementations, helping you understand what is vulnerable to attack and what you can do to reinforce your security measures.
Cyphere offers various cybersecurity services to help businesses strengthen their cybersecurity. If you are looking for red teaming penetration testing services, get in touch.