RED TEAMING OPERATIONS
How do your people, processes and technological controls withstand a real-world cyber attack? Our Red Team Operations (RTO) helps organisations test against the latest tactics, techniques, and procedures (TTP) used by malicious threat actors.
What is Red Teaming?
Red team assessment is an intelligence-led cyber attack simulation exercise conducted to check on the attack preparedness of an organisation.
It is designed to mimic an adversary's attack in order to test the protections around the people, processes and technological controls of an organisation.
These engagements differ from penetration testing in depth and scope. Red teaming is aimed at the entire organisation, including people, processes and technology. It involves bypassing the current defensive controls and tests the detection and response capabilities of an organisation against simulated attacks. Penetration testing is targeted mainly at technical controls within a pre-defined scope. Sometimes it involves white-listing certain defences in order to carry out in-depth assessments.
By thinking like an attacker, or like one of your competitors, a red team is driven to gain access and is not restricted by assumptions or preconceptions.
Why is Red Teaming important?
Conducting a red team operation and working with the blue team strengthens cyber defences and capabilities, reducing the overall risk and increasing alertness levels.
A red team simulation campaign attempts to exploit weaknesses at all levels: people, process and technology.
- People: Often used as a foot-in-the-door tactic by utilising spear-phishing or social engineering techniques.
- Process: Exploiting known weaknesses in the processes using information gained during the extensive OSINT (Open Source Intelligence) phase.
- Technology: Bypassing technical controls (such as anti-virus) or taking advantage of the lack of technical controls (such as no data exfiltration checks).
Benefits of Red Team Operations
Point in time evaluation
Experience an organisational attack in a real-time scenario – nothing’s more insightful than to observe your teams, products and processes responding to these events.
Assess your eyes and ears
Assess the maturity of detection and response capabilities, whether it’s your MSSP or internal security team.
Know the unknowns
Identify misconfigurations and gaps exploited by attackers in the existing security products and processes.
Business case
Utilise red teaming as a chance to build the core security capabilities, increasing the overall cyber security maturity. You’ll be able to prepare a business case that management buys into.
Upskill blue team operations
A red team operation aimed at bypassing defensive controls is a valuable add-on for the blue team, providing learning and education during and after the assessment.
Investment strategy input
Red team operation helps you understand your security performance and shape future investments.
Among experienced UK Red teaming companies
Key features of our red teaming operation offering
Service Quality
Intelligence-led campaigns
Preparation is key to these engagements. To reflect the objectives of this job, Cyphere Red Team Operations utilise evasion, deception and concealment techniques simulating real-world cyber attacks.
Multi-channel methods
A red team engagement imposes no restrictions on channel and includes exploitation of people, processes and technical vulnerabilities. Social engineering, USB drops, bypassing physical security restrictions and command and control servers using domain fronting are some examples.
Offensive mindset and capabilities
Red teaming involves applying offensive expertise at multiple layers. Our red team experts utilise various real-world techniques at each stage in line with the cyber kill chain. This includes the homework performed during the OSINT data gathering and analysis phase, technology- and software-specific tips and tricks, and evasion tactics.
Actionable outcomes
Reports are of no use if you cannot upskill your blue team or do not act upon mitigation efforts. All our deliverables include help with a remediation plan along with strategic and tactical recommendations. A debrief meeting is conducted with management and technical teams to ensure the right messages reach the right audience.
Flexible pricing structure
Security is an ongoing process. Our red team pricing model ensures that the customer pays in line with what is achieved, rather than a single lump-sum fee, so that value is delivered throughout the project.
Common Red Team Tools & Terms
TTP
Tactics, techniques and procedures (TTP) is a concept in terrorism and cyber security that describes a threat actor's behaviour. By analysing TTP, one can understand the behaviour of attackers and how specific attacks are orchestrated.
Implant
An implant will act like a trojan virus, with the main difference that it’s under the full control of an attacker. An implant could be software or hardware deployed to be stealthy and obtain information in a short time.
EDR Solution
An endpoint detection and response (EDR) solution is a centrally managed solution, with agents deployed on endpoints across the organisation, that provides effective malware detection and protection.
Command & Control
Command and control servers, also called C2, C&C, are set up by attackers and/or threat actors to maintain communication with compromised assets within the target network.
Indicators of Compromise
An artefact observed on a network or a computer system indicating a breach or an intrusion. IoCs provide valuable information on what happened and what can be done to prevent such attacks.
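The following is an added example, not Cyphere's tooling or code from this page, of how IoCs are used in practice on the defensive side: a small matcher that extracts IP addresses, domains and SHA-256 hashes from log lines and flags any that appear in an IoC list. The indicator values and the log lines are constructed for the example and are not real IoCs.

```python
"""Match a constructed IoC list against constructed log lines.

Added example; the IoC values and log entries are made up and the
log format is a hypothetical key=value style, not any vendor's format.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed IoC set (placeholder values, not from any real incident).
IOCS: Dict[str, Set[str]] = {
    "ipv4": {"198.51.100.23"},
    "domain": {"cdn-update.example.net"},
    "sha256": {"a3f1c2" + "0" * 58},
}

# Constructed proxy, DNS and EDR log lines.
SAMPLE_LOGS: List[str] = [
    "2024-05-01T10:01:03Z proxy allow src=10.0.0.5 dst=198.51.100.23:443 host=cdn-update.example.net",
    "2024-05-01T10:01:09Z dns query client=10.0.0.5 name=www.example.org",
    "2024-05-01T10:02:44Z edr process_start host=WS01 sha256=" + "a3f1c2" + "0" * 58 + " image=svchost.exe",
    "2024-05-01T10:03:00Z proxy allow src=10.0.0.7 dst=203.0.113.9:443 host=www.example.org",
]

# One regular expression per indicator type.
_PATTERNS: Dict[str, re.Pattern] = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Last label must be alphabetic so IP addresses are not picked up as domains.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def extract_indicators(line: str) -> Dict[str, Set[str]]:
    """Return every candidate indicator found in a single log line, by type."""
    found: Dict[str, Set[str]] = {}
    for kind, pattern in _PATTERNS.items():
        values = {m.lower() for m in pattern.findall(line)}
        if values:
            found[kind] = values
    return found


def match_iocs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, value) for each IoC hit.

    Line numbers are 1-based. Matching is case-insensitive and exact,
    so a hit means the full indicator value appeared in the line.
    """
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(lines, start=1):
        for kind, values in extract_indicators(line).items():
            known = {v.lower() for v in iocs.get(kind, set())}
            for value in sorted(values & known):
                hits.append((number, kind, value))
    return hits


if __name__ == "__main__":
    for number, kind, value in match_iocs(SAMPLE_LOGS, IOCS):
        print(f"line {number}: {kind} IoC hit -> {value}")
```

Run against the sample lines, the matcher reports the proxy connection to the listed IP and domain on the first line and the listed file hash on the third line, while the benign DNS and proxy entries produce no hits. In a real environment the IoC list would come from the red team's debrief or a threat intelligence feed, and the same logic would be expressed as a SIEM lookup rather than a script.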
APT (Advanced Persistent Threats)
A stealthy threat actor (belonging to a nation-state or organised crime group) that gains unauthorised access to a network and remains undetected for extended periods.
Frequently Asked Questions
What is red team engagement?
Red team engagements are an effective way of assessing the preparedness of an organisation against real-world cyber attacks.
What is the purpose of a red team?
To measure how well the people, process and technical controls of an organisation withstand an attack from an adversary. It includes attempts at bypassing security controls, from exploiting weaknesses through the human element (physical controls, phishing and social engineering techniques) to bypassing technical controls.
What is red teaming methodology?
Red team assessment activities follow the MITRE ATT&CK framework, a popular knowledge base of adversary tactics, techniques, and procedures (TTP) based on the real-world experience of red and blue teams. A red team attack chain is largely built around the cyber kill chain concept, broken down into the following stages:
- Reconnaissance
- Payload & Delivery
- Exploitation
- Installation
- Command & Control
- Actions on Objectives
Does it involve zero-day exploits?
Yes: It is possible where reliable exploits are available before the vendor has released the patch.
No: It is not always Hollywood style hacking because a lot of weaknesses relate to lack of security restrictions in one form or another (patching, permissions, security education, etc).
A few common misconceptions about red teaming are:
- Red team operation is for big companies only.
- It always includes advanced stuff such as zero-days or highly tactical TTP.
- It is just advanced penetration testing.
Which one is better - Red teaming or Penetration testing?
Both elements are important in the security strategy of an organisation. Red teaming is sometimes mistaken for penetration testing. It is not suitable for every organisation, since a certain level of cyber security maturity is expected to be in place, and it is not a justified expense for all businesses. Depending on the cyber security maturity of a business, it may well be the case that your budget is better spent on other security initiatives that are guaranteed to maximise returns. Get in touch with us to find out your best options before any investment.
What are the timescales of a red team engagement?
End-to-end red team operations vary between 4-8 weeks based on the agreed scope and objectives. There are also shorter projects of 2-3 weeks where the tailored scope includes an insider threat scenario or compromise assessment.
Does a red team operation project cause any disruptions?
The objective of a red team testing activity is to simulate real-world cyber attacks without disruptive actions. All jobs are carried out in line with industry-standard practices by vetted red teamers with strong communication and technical skill-sets and high ethics.
What does blue team mean?
A blue team consists of an internal security team responsible for the defensive controls of an organisation. Blue teams identify threats against various assets and establish security measures as part of the defensive plan.
How do red team and blue team work together?
The key here is ‘communication’. It is important that the red team and blue team share their experiences including techniques to ensure an open and positive environment aimed at improving the overall defensive posture.
What does purple team mean?
A purple team brings red and blue teams together to share insights at all levels i.e. resources, reports and TTP. This is to contribute on an ongoing basis to the overall security strategy of an organisation.
What happens after the red team operation?
A custom written report is prepared based on the findings. This report serves both technical and non-technical audiences with specific sections dedicated to strategic and tactical recommendations, raw/supplemental data, proof of concepts and risk details such as impact, likelihood and risk scorings. It is followed by mitigation advice along with related references to help customer teams with remediation and improve the security posture of their organisation.
Red Team Testing Methodology
Customer Business Insight
When the customer decides to engage with Cyphere, our very first step is to gain insight into their motivation, so that we can advise on their real concerns. The comprehensive process we go through to understand this determines the vision for the project. At the technical level, this includes assets to be included, their fragility and importance to the environment.
Recon & Intelligence Gathering
The first step of reconnaissance activity includes passively identifying the hosts and services visible on the Internet. This includes a limited Open Source Intelligence phase. During red teaming or related offensive security projects, this exercise involves extensive information gathering about a customer’s people, processes and technology in use. Research based threat intelligence is an integral part of any offensive exercise.
Overall, this phase aims to harvest as much information as possible about your organisation for use in the later phases.
Red Team setup
This phase involves setting up the attack infrastructure and relies heavily on inputs from the OSINT phase performed previously. These include the email platform and related infrastructure in use, cloud providers, content delivery networks (CDN), and related pieces of information.
At a high level, based on voice, email and other scoping items, infrastructure setup and test cases are prepared for execution.
Attack Execution Steps
- After the initial recon and attack setup, the first step is to gain a foothold on the client infrastructure via any of the weaponization elements delivered via email phishing, voice phishing or malicious USB drops.
- After the delivery stage and initial foothold, it is critical to find and exploit privilege escalation opportunities to take full control of a system or systems. This process is carried out via the Command and Control servers that are part of the attackers' setup. Once found, the next aim is to ensure persistence, to avoid losing access, while keeping red team operations stealthy against the logging and monitoring controls.
- Internal reconnaissance is carried out using lateral movement techniques to enumerate information about people, processes, and technologies in internal segments.
- Achieve and maintain persistent access across different paths.
- Agreed objectives such as data exfiltration are assessed, supported evidence is taken out and verified with the client.
Analysis & Reporting
The red team assessment execution phase is followed by the analysis & reporting. Cyphere performs analysis on the testing output, evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. All our reports address business as well as the technical audience with supporting raw data, including mitigation measures at strategic and tactical levels.
Debrief
We take customer communication as seriously as reporting or assessment execution. By engaging with customers during all stages, we ensure that project contacts are up to date in the language they understand. Post engagement, a free debrief is conducted to help the customers understand the weaknesses and prepare a mitigation plan.