Whether it’s a security assessment, a vulnerability scan, a red team or a pen test, what do they have in common? All of them exist to identify issues and mitigate them from an organisational risk perspective. This article is aimed at clearing up the confusion between these exercises. Stock up on caffeine; we are going to cover the following areas:
- What is Red Teaming?
- Business benefits of Red Teaming
- Red Teaming methodology
- Common Terms & Acronyms
- What is Penetration Testing?
- Business benefits of Penetration Testing
- Penetration Testing methodology
- Which one should I pick for my business?
- Vendor selection tips
What is Red Teaming?
This is an intelligence-led attack simulation that attempts to exploit weaknesses in the defensive controls deployed by an organisation, emulating the behaviour of a realistic threat actor. A red teaming exercise takes all three factors into account:
- People: often the foot-in-the-door tactic, via spear-phishing or other social engineering techniques.
- Process: exploiting known weaknesses in business processes using information gathered during an extensive OSINT (Open Source Intelligence) phase.
- Technology: bypassing technical controls (such as anti-virus) or taking advantage of missing ones (such as no data exfiltration checks).
Business Benefits of Red Teaming
Engaging a red team and having it work with your blue team strengthens cyber defences and capabilities, reducing overall risk and raising alertness levels. The main benefits of a red teaming activity are:
- Identify misconfigurations and gaps in existing security products and processes
- Assess the maturity of detection and response capabilities, whether that is your MSSP or your internal security team
- Use the exercise as a chance to build core security capabilities, raising overall cyber security maturity
- Experience an organisational attack as it unfolds: nothing is more insightful than watching your teams, products and processes respond to these events
- Prepare a business case that management buys into
Red Team Methodology
Red team assessment activities draw on the MITRE ATT&CK framework, a widely used knowledge base of adversary tactics, techniques and procedures (TTPs) built from real-world observations of attacker behaviour. The attack sequence itself is largely based on the Cyber Kill Chain, originally developed by Lockheed Martin, which breaks an intrusion into identifiable stages (reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives). A red team engagement typically condenses these into:
- Payload & Delivery
- Command & Control
- Actions on Objectives
Common Terms & Acronyms
- TTPs – Tactics, techniques and procedures (TTPs) is a term borrowed from military and counter-terrorism analysis that describes how a threat actor behaves. By analysing TTPs, one can understand attacker behaviour and how specific attacks are orchestrated.
- Implant – Software (or occasionally hardware) placed on a compromised system to give the attacker stealthy, persistent access. It behaves much like a trojan, the main difference being that it is built for, and remains under the full control of, the operator, who uses it to collect information and carry out further actions.
- EDR Solution – An Endpoint Detection and Response solution is a centrally managed platform whose agents, deployed across the organisation’s endpoints, collect telemetry, detect malicious activity (including malware that evades traditional anti-virus) and support response actions such as isolating a host.
- C2 Servers – Command and control servers (also written C2 or C&C) are set up by attackers to maintain communication with, and issue instructions to, compromised assets inside the target network.
- Indicators of Compromise (IoC) – An artefact observed on a network or a computer system (for example a domain, an IP address or a file hash) that indicates a breach or an intrusion. IoCs provide valuable information on what happened and what can be done to detect and prevent similar attacks.
- APT (Advanced Persistent Threat) – A stealthy threat actor (typically a nation state or an organised crime group) that gains unauthorised access to a network and remains undetected for an extended period.
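The C2 and IoC entries above describe the artefacts a detection team hunts for once a red team (or a real adversary) has established communication with compromised hosts. As an added illustration, not code from the original article or from any vendor product, the Python below matches a small, constructed IoC set (a hypothetical domain, an IP address from the 203.0.113.0/24 documentation range and a placeholder hash) against constructed proxy and EDR log lines in a simplified key=value format, then groups the hits by internal source address so a responder can triage per asset:

```python
import re
from dataclasses import dataclass

# Constructed IoC set for this example: hypothetical indicators, not real threat intel.
# The IP is from the documentation range and the hash is a placeholder.
IOCS = {
    "domain": {"update-cdn.example.net"},
    "ip": {"203.0.113.42"},
    "sha256": {"0123456789abcdef" * 4},
}

# Which log field is compared against which IoC type.
FIELD_TO_IOC = {
    "host": "domain",
    "dst": "ip",
    "sha256": "sha256",
}

# Constructed sample telemetry: three proxy records and one EDR process-creation
# record, in a simplified key=value format (not a real product's log schema).
SAMPLE_LOGS = [
    "ts=2024-05-01T09:12:03Z src=10.0.0.15 dst=203.0.113.42 host=UPDATE-CDN.example.net. uri=/beacon user=jsmith",
    "ts=2024-05-01T09:12:10Z src=10.0.0.15 dst=198.51.100.7 host=www.example.com uri=/ user=jsmith",
    r"ts=2024-05-01T09:13:44Z src=10.0.0.22 event=process_create image=C:\Users\asmith\AppData\svc.exe sha256="
    + "0123456789abcdef" * 4,
    "ts=2024-05-01T09:15:00Z src=10.0.0.31 dst=198.51.100.9 host=mail.example.com uri=/owa user=bjones",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str
    source: str


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict (later duplicate keys win)."""
    return dict(KV_RE.findall(line))


def normalise(ioc_type: str, value: str) -> str:
    """Canonicalise a field before comparison so trivial variations don't evade the match."""
    value = value.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")  # "example.net." and "example.net" are the same name
    return value


def match_iocs(lines, iocs=IOCS):
    """Return every IoC hit across the supplied log lines, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = parse_line(line)
        for field, ioc_type in FIELD_TO_IOC.items():
            if field not in fields:
                continue
            value = normalise(ioc_type, fields[field])
            if value in iocs.get(ioc_type, ()):
                hits.append(Hit(n, ioc_type, value, fields.get("src", "?")))
    return hits


def hosts_to_triage(hits):
    """Group hits by internal source address so responders can prioritise per asset."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.source, []).append(h)
    return by_src


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.ioc_type} IoC {h.indicator} seen from {h.source}")
    print("assets to triage:", sorted(hosts_to_triage(found)))
```

Normalising the field before comparison matters: the first sample record carries the hostname in upper case with a trailing dot, which a naive string comparison would miss. Equally, plain IoC matching is only as good as the indicator list; a red team that rotates its C2 domains and recompiles its implant will not appear here, which is one reason to assess detection maturity rather than count blocked indicators.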
What is Penetration Testing?
A penetration test is a technical exercise aimed at finding weaknesses in a company’s networks, applications or systems. It provides assurance over a defined set of assets by trying to find as many vulnerabilities as possible: a vulnerability assessment followed by manual exploitation of the identified flaws. Unlike a red team, a pen test is limited to simulating threat actor activity against a particular asset or group of assets. For example, an online retailer can commission a penetration test against its web and mobile applications, the underlying APIs and the supporting infrastructure. Such an exercise uncovers flaws from both an unauthenticated and an authenticated perspective (a grey box approach). Typical findings relate to configuration issues, sensitive information storage practices, encryption configuration, secure hardening, logging and monitoring, and authentication/authorisation mechanisms.

The average penetration testing engagement lasts one to four weeks. Larger programmes, such as a transformation programme undergoing a large-scale technical risk assessment, can extend to months. Once an assessment is finished, a report and a risk matrix aligned with the customer’s risk register format are delivered to support the remediation plan, and a dedicated remediation service can be engaged to fix the findings and improve the security posture. We have covered an in-depth article specifically dedicated to penetration testing, its different types, process, methodology, costs and more here.

Given the digital advancements and our reliance on the internet since the pandemic, the need to do business online safely and securely keeps growing. To perform a penetration test well, it is important to understand the context of the assets in scope for the engagement.
These projects are categorised into three types, based on the level of knowledge and access granted to the security consultants:
- Black Box Penetration Testing: A black box pen test starts with no prior knowledge of, or access to, the target. For example, an internal infrastructure security assessment with zero prior knowledge.
- Grey Box Penetration Testing: A grey box pen test involves some level of knowledge of and access to the target. For example, an internal infrastructure security assessment targeted at certain servers, where IP addresses/ranges and other information are provided.
- White Box Penetration Testing: A white box pen test is granted the highest level of information and access. For example, a secure hardening review of a specific build where administrator-level access is provided to assess the gaps in current controls.
Business Benefits of Penetration Testing
Organisations that opt for in-depth checks against their assets gain several benefits from penetration testing:
- Identify and mitigate network and web application vulnerabilities before attackers find them
- Independent third-party opinion, including out-of-the-box thinking on business logic flaws
- Cyber attack simulation in a controlled manner (without disrupting operations)
- Meet compliance and regulatory requirements
- Demonstrate commitment to cyber security
- Initial Scoping & Objectives
Are you ready?
This is a frequently asked question because of several factors: misunderstandings, budgets, timing, scope and outcomes. The breakdowns below provide further insight.
When should you consider red team assessment?
- To identify the core risks that affect the organisation (for example, lack of content filtering allowing data exfiltration)
- To assess your cyber-attack preparedness in real time
- To gain insights into how attackers can target your organisation
- To understand how to address your attack surface
- To review your cyber security investments (or to build a business case where necessary)
When you are asking for a ‘red team’ and don’t need one.
Red teaming, a term originally used by the military, is often confused with penetration testing. Unfortunately, this confusion is sometimes exploited by security companies whose sales teams convince potential customers to buy a red team without discussing the business context, the history of their security processes or their cyber security maturity. The buyer shares the responsibility if they commit without probing their own objectives and mapping out the actions that would actually help them review their controls. A red team conducted before an organisation understands the security basics is like spending on house decoration before the structural issues have been sorted. A red team investment may not be justified yet if an organisation lacks the following:
- Technical security baselines on major assets such as servers, user endpoints.
- Basic logging and monitoring processes
- Incident response teams and processes
When you are asking for a ‘pen test’ and don’t need one.
In the past, customers have requested penetration tests of enterprise products in use inside their environment. Testing the product is not wrong as such, but it should be the least of your worries: product security is usually examined during the product evaluation process, and it is the vendor’s responsibility to adopt a secure development lifecycle and deliver a safe and secure product. Product vendors put their products through rounds of security testing during development, and hunting for weaknesses in their product would drain your security budget; these days vendors often provide cyber assurance collateral that includes details of product security assessments. A customer usually gets a better return on investment from a secure configuration review or a breakout assessment aimed at the product’s implementation in the customer’s own infrastructure context.
Red Team vs Penetration Testing – Which one should I pick for my business?
If you want quick checks on a system to find vulnerabilities in specific areas, penetration testing is the way to get them. If you want to know how hard it actually is for attackers to compromise your business, red teaming is the course of action to take. Base the decision on what you already have, what your functional objectives are and whether the activity fits at the right time. Roughly, the scope of a red team is the entire organisation; a supply chain scope can stretch this further to include subsidiaries. The diagram below illustrates the differences in an easy-to-understand manner (adapted from @coffeetocode).
Red Team vs Penetration Testing – Selection tips
A quick search will show you which certifications and companies to look for when selecting a vendor for each type of assessment. What readers are less often told about are the key mistakes made in this process; budgets and outcomes are both important factors. Keep the following pointers in mind; they often stump businesses looking to validate their security controls.
- SMBs often end up relying on their IT service providers, either through lack of awareness or to avoid onboarding one more vendor. There is more downside than upside here: IT service providers often lack the depth that cyber security specialists have, and lack clarity on where the customer stands compared with peers in its industry.
- Using the same vendor for MDR (Managed Detection and Response) or an outsourced SOC (Security Operations Centre) and for penetration testing is a clear no. There is a conflict of interest, however convincing their sales team is: the vendor would be grading its own detection capability.
- If a penetration test vendor isn’t prepared to work with your third-party developers, or cannot translate findings into a remediation plan, you are paying for a report-and-run consultancy.
- Some vendors present the CVs of experienced consultants to win the opportunity, then swap in less experienced consultants citing availability or other reasons. This is aimed at increasing profitability at the customer’s expense, without regard for the relationship.
- Jumping into high-budget red teams without considering and agreeing the deliverable outcomes.
- Although this is not the norm amongst large security vendors, pricing should be agreed in line with the possible outcomes. For example, in a red team it is not a given that the entire organisation can be compromised or that all objectives will be achieved; if the vendor has not used resources for the full duration of the project, charging the full fee is not justified and the contract should reflect that. Many other factors related to this should form part of your project discussions.