Red Teaming is the practice of testing the security of your systems by trying to hack them. A Red Team can be an externally contracted group of pen testers or a team within your own organization, but in all cases, their role is the same: to emulate a genuinely malicious actor and try to break into your systems.
The value of Red Teams can be understood most easily by imagining a fictional scenario. An organization might have an extremely well-developed pentesting process and therefore be confident that its systems can’t be breached by external actors. A Red Team might realize this, and take a more direct approach: forging an employee access card, walking into your building, and telling your staff they are “from IT”. In some cases, helpful employees will let them access, copy, and walk out with sensitive data. Sounds like fiction? Trust me, it happens.
Get the Free Pen Testing Active Directory Environments EBook
Red Teams exists alongside many other teams in the cybersecurity landscape. Blue Teams can work alongside Red Teams but are focused on improving system security from the inside. Purple Teams use a combination of adversarial and defensive approaches. Red Teaming, though, is one of the least understood practices in cybersecurity management, and many organizations are still reluctant to use the practice.
In this guide, we’ll explain exactly what Red Teaming is, and how bringing Red Team practices into your organization can help improve your security. Our goal is to show you how Red Teaming can dramatically improve the security of your IT systems.
Red Teaming: An Overview
Despite now being better known as a cybersecurity tactic, Red Teaming originated with the military. This was, in fact, where I got my start in Red Teaming. Working as a cybersecurity defense analyst in the 1980s was, in many ways, quite different from today: access to encrypted computer systems was far more limited than now, and non-technical staff typically worked closely with security analysts when they wanted to access them.
In other ways, my early experience of wargaming was quite similar to the process of red teaming today. Just like now, there was a huge focus on using social engineering techniques in order to convince employees to give “the enemy” unwarranted access to military systems. For this reason, although the technical techniques of red teaming have advanced significantly since the 1980s, it’s also important to recognize that many of the core tools of the adversarial approach — and most notably social engineering — are largely platform-independent.
Equally, the primary value of red teaming has remained largely the same since the 1980s. By simulating an attack on your systems, you can more easily see where your vulnerabilities are, and how they could be exploited. And though the earliest uses of Red Teaming were in ethical hacking and pen testing, Red Teaming has now found much wider applications across cybersecurity and business.
Red Teaming is based on a key insight: that you can’t really know how secure your systems are until they are attacked. And, instead of running the risks that come with a genuinely malicious attack, it is safer to simulate one via a “red team”.
Red Teaming: Scenario Examples
A great way to understand the basics of Red Teaming is to look at a couple of basic examples. Here are two such examples:
- Scenario 1: Imagine that a pentest is done against a customer service site, which passes the test. This would seem to indicate that everything is fine. However, then a red team test finds out that while the customer service application itself is fine, the 3rd party chat functionality doesn’t positively identify people and so you can trick customer service reps into changing the email on an account (and granting access to the new person).
- Scenario 2: A pentest is done and finds that the VPN and remote access controls are all top-notch and the systems are secure. However, then a red team person walks in behind a badged person at the front desk and walks out with a laptop.
In both the above the Red Team is looking at the totality of the system for gaps, and where things can go wrong, instead of just the fidelity of each system on its own.
Who Needs Red Teaming?
Put simply, almost every company can benefit from some type of Red Teaming. As our 2019 Global Data Risk Report shows, a worryingly high number of organizations do not have the control they think they do over their data. We found, for instance, that on average 22% of a company’s folders are accessible to every employee, and that 87% of companies have over 1000 sensitive, stale files in their systems.
If your company doesn’t work in tech, it might seem that Red Teaming would be of limited utility to you. But that’s not the case. Cybersecurity is not just about protecting sensitive information.
Malicious actors are also trying to take over the technologies that are used by everyone. For example, they might be looking to access your network to better hide their activities while taking over another system or network somewhere else in the world. In this type of attack, your data doesn’t matter: it’s your computers they want to infect with malicious software so that they can add your system to a botnet group.
This said, for smaller firms, it can be difficult to deploy the resources necessary for Red Teaming. In this case, it can be worthwhile to contract out the Red Teaming process.
Red Teaming Considerations
Though almost every company can benefit from Red Teaming, the best time to undertake this practice, and how frequently to do it, will vary according to the sector you are in and the maturity of your cybersecurity defenses.
Specifically, you must already be carrying out automated activities such as asset investigation and vulnerability analysis. Your organization should also be combining automated technology with human intelligence by implementing robust, regular penetration testing.
Once you’ve completed several business cycles of vulnerability and pen testing, you can start Red Teaming. At this point, the real value of Red Teaming can be realized. However, attempting to bring in red teaming before getting a good handle on the basics will produce very little value.
The ethical hacking team will likely be able to compromise the environment so swiftly and easily that there will be little to learn. To be truly effective, the insights produced by the red team need to be given context by previous penetration testing and vulnerability assessment activity.
What is Penetration Testing?
Red Teaming is often confused with penetration testing, but the two techniques are slightly different. Or, more specifically, pen testing is just one of the techniques that can be used by Red Teams.
As we’ve explained in our previous articles on pen testing, the role of the pen tester is quite tightly delineated. The work of pen testers is organized into four broad phases: planning, information discovery, attack, and reporting. As you can see, pen testers do more than just looking for software vulnerabilities. They’re thinking like hackers: after they get into your system, their real work begins.
They’ll continue to do more discovery and then base new attacks on what they learn as they navigate through folder hierarchies. And that’s what makes pen testers different from someone hired just to find vulnerabilities by using, say, port scanning or virus sniffing software. An experienced penetration tester can identify:
- Where a hacker might target you
- How they would attack
- How your defenses would fare
- The possible magnitude of the breach
Penetration testing seeks to identify application layer flaws, network and system-level flaws, and opportunities to compromise physical security barriers too. While automated testing can identify some cybersecurity issues, true penetration testing manually considers the business’s vulnerability to attack, as well.
Red Teaming vs. Penetration Testing
Though pen testing is important, it is only one part of what a Red Team does. Red team operations have much more broad objectives than pen testers, whose goal is often just to get access to a network. Red Team exercises are designed to emulate a more real-world APT style scenario, including defensive strategies and detailed risk analysis.
Penetration testing is a small part of Red Teaming. Red teaming includes evasion and persistence, privilege escalation, and exfiltration. Penetration testing is just the first part of the cyber kill chain. Red teaming exercises would include the entire cyber kill chain.
Red Teaming Benefits
There are many advantages to Red Teaming, but at the broadest level, the value of the technique is that Red Teaming provides a comprehensive picture of the level of cybersecurity within your organization. A typical red team process will include Penetration Testing (network, application, mobile, device), Social Engineering (onsite, telephone, email/text, chat), and Physical Intrusion (lock picking, camera evasion, alarm bypass). If there is a vulnerability in any of these aspects of your systems, they will be exposed.
Once vulnerabilities are exposed, they can be fixed. Effective red teaming operations don’t finish with the discovery phase. Instead, after security flaws are isolated you will want to work toward remediation and re-testing. In fact, the real work typically begins after a red team intrusion, when you will perform forensic analysis of the attack and seek to mitigate vulnerabilities.
In addition to these two broad advantages, Red Teaming also offers several benefits when used in conjunction with other threat analysis techniques. Red Teaming can:
- Identify the risk and susceptibility of attack against key business information assets;
- Simulate the techniques, tactics, and procedures (TTP) of genuine threat actors in a risk-managed and controlled manner;
- Assess your organization’s ability to detect, respond and prevent sophisticated and targeted threats;
- Encourage close engagement with internal incident response and blue teams to provide meaningful mitigation and comprehensive post-assessment debrief workshops.
How Does Red Teaming Work?
The best way to understand the details of how Red Teaming works is to look at the way that a typical red team exercise unfolds. In typical red team process, there are several stages:
- An organization will agree with their Red Team (whether in-house or externally contracted) on the goal for the exercise. For instance, this goal might be the extraction of sensitive information from a particular server.
- The Red Team will then perform reconnaissance on the target. This will result in a map of the target systems, including network services, web apps, and employee portals.
- Vulnerabilities will then be found in a target system, and these will typically be leveraged by using phishing techniques or XSS.
- Once valid access tokens are secured, the Red Team will use their access to probe for further vulnerabilities.
- If further vulnerabilities are found, the Red Team will seek to escalate their level of access to the required level to access the target.
- Once this is achieved, the target data or asset is reached.
In reality, an experienced Red Team employee will use a huge variety of techniques to go through each of these steps. The key takeaway from the sample attack plan above, though, is that small vulnerabilities in single systems can build into catastrophic failures when chained together.
What’s Involved in a Red Team Engagement?
In order to get the most out of a Red Team exercise, you will need to prepare carefully. The systems and processes used by each organization are different, and a high-quality Red Team exercise will be specifically tailored toward finding vulnerabilities in your systems. For that reason, it’s important to understand a number of factors:
Know What You Are Looking For
First of all, it’s important to understand which systems and processes you want to test. It’s possible that you know that you want web application testing, but you don’t have a very deep sense of what that actually means for you, and which of your other systems are integrated with your web apps. It’s important, therefore, that you understand your own systems fairly well, and patch any obvious vulnerabilities before you start a Red Team exercise.
Know Your Network
This is related to the tip above but focuses more on the technical specifications of your network. The better able you are to quantify your testing environment, the more accurate and specific your Red Team can be.
Know Your Budget
Red Teaming can be done at various levels, but a full-spectrum simulated attack on your network, including social engineering and physical intrusion, can get expensive. For this reason, it’s important to understand how much you can spend on your Red Tem exercise and to set it’s scope accordingly.
Know Your Risk Level
Some organizations are able to tolerate a fairly high level of risk as part of their standard business procedures. Others, and particularly those working in industries where there are detailed and complex compliance requirements, will need to limit their risk level to a much greater degree. When conducting a Red Team exercise, it’s therefore important to focus on the risks that actually present consequences for your business.
Red Teaming Tools & Common Tactics
When done correctly, Red Teaming will be a full-spectrum attack on your networks, utilizing all of the tools and techniques available to hackers. These will include:
- Application penetration testing — aiming to identify application layer flaws such as Cross-Site Request Forgery, Injection Flaws, Weak Session Management, and many more.
- Network penetration testing — aiming to identify the network and system-level flaws including misconfigurations, wireless network vulnerabilities, rogue services, and more.
- Physical penetration testing — understanding the strength and effectiveness of physical security controls through real-life exploitation.
- Social engineering — aiming to exploit weaknesses in people and human nature, testing human susceptibility to deceitful persuasion and manipulation through email phishing, phone and text message, and physical and onsite pretexting.
- All of the above — Red teaming is a full-scope, multi-layered attack simulation designed to measure how well your people, networks, applications, and physical security controls can withstand an attack from a real-life adversary.
The Constant Evolution of Red Team Techniques
The nature of red teaming, in which Red Teams are constantly trying to find new security flaws, and Blue Teams are constantly trying to close them, means that the techniques used for red teaming are constantly evolving. For the same reason, it’s difficult to give a list of contemporary Red Team techniques that don’t go out of date very quickly.
Most red teamers will, therefore, spend at least some of their time researching emerging techniques and new exploits by making use of the many resources provided by the red teaming community. Here are the most popular of these:
- The Pentester Academy is a subscription service that offers online video courses primarily about penetration testing, but also in the mix are courses about operating system forensics, social engineering tasks, and assembly language for information security.
- Vincent Yiu is an “offensive cybersecurity operator” who regularly blogs about red team techniques, and is a good source for novel approaches.
- Twitter is also a good source. If you’re looking for trending red team information, you can find it on Twitter with the #redteam and #redteaming hashtags.
- Daniel Miessler is another experienced red team operator who produces a newsletter and podcast, maintains a website, and has written extensively on contemporary red teaming. Recent articles include “Purple Team Pentests Mean You’re Failing at Red and Blue” and “When to Use Vulnerability Assessments, Pentesting, Red Teams, and Bug Bounties.”
- The Daily Swig is a newsletter on web security, sponsored by PortSwigger Web Security. It’s a good place to learn about red team-related developments—hacks, data breaches, exploits, web application vulnerabilities, and new security technologies.
- Florian Hansemann is an ethical hacker and penetration tester, and he regularly covers new red team tactics on his blog.
- MWR labs is a good — if extremely technical — source of red team news as well. They publish tools useful to red teams, and their Twitter feed offers advice for addressing problems faced by security testers.
- Emad Shanab is a lawyer and ethical hacker. His Twitter feed includes techniques useful to red teams, such as writing SQL injections and forging OAuth tokens.
- Mitre’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledgebase about adversary behavior. It follows the phases of the lifecycle of threat actors and the platforms they’re known to target.
- The Hacker Playbook is a handbook for hackers that, although quite old now, covers many of the fundamental techniques that still underpin red teaming. Author Peter Kim also has a Twitter feed where he offers hacking tips and mentions those of others.
- The SANS Institute is another major provider of cybersecurity training. Its DFIR—digital forensics and incident response— Twitter feed contains the latest news about SANS courses and tips from expert practitioners.
- Some of the most exciting new writing on red teaming is published by the Red Team Journal. It has technology-oriented articles, such as red teaming versus pen testing, but it also has think pieces, such as “The Red Teamer’s Manifesto.”
- Finally, Awesome Red Teaming is a community on GitHub that offers a very detailed list of red team resources. It breaks down almost every technical aspect of red teaming, from initial access, execution, and persistence to lateral movement, collection, and exfiltration.
What is Blue Teaming?
With so many different teams, each assigned a color, it can get confusing to work out which type of team your organization needs.
One alternative to Red Team, or rather another type of team that can be used in conjunction with a Red Team, is a Blue Team. However, a blue team has a different objective. Blue teams are the defense to the Red Teams offense, and will use counter-techniques to disable the Red Team attacks.
Red Teaming vs. Blue Teaming
A common question for many organizations is whether they are better off using a Red Team or a Blue Team. This question is also often underpinned by a friendly animosity between the people who work in the different types of teams. In reality, however, neither team makes sense without the other. The real answer to this question is both.
You need the Red Team to figure out how to break in, and you need the Blue Team to counter those attacks and build in better defenses. And then you need the Red Team to test the new defenses, and round and round we go.
What is Purple Teaming?
One idea that has emerged from attempts to integrate red and blue teams in the creation of purple teams. Purple teaming is a concept, rather than a totally independent team. Instead, its’ best seen as a combination of both the red team and the blue team. It engages both teams to work together.
Varonis offers a Purple Team to consult with your organization on your cybersecurity strategy and Incident Response.
A Final Word
Red Teaming is a powerful technique for testing the security vulnerabilities of your organization, but it should be deployed carefully. Specifically, you will need to have fairly mature cybersecurity protections in place, such as those offered by Varonis, before you can get the true benefit of Red Teaming.
If done correctly, though, Red Teaming can expose the vulnerabilities of your system that you were not even aware of, and help you to address them. By adopting an adversarial approach, you can simulate what a hacker would really do if they wanted to steal your data or damage your assets.