Are you ready for red teaming?
One of the most important elements of successful security is getting the basics right. A good patching cadence and regular vulnerability scans will go a long way in defeating most of the common cyber threats you might face, along with penetration tests to go deeper.
However, every company’s network infrastructure is home to its own unique set of security vulnerabilities that cannot be readily detected by this level of scanning and testing. Uncovering these weak points requires the ability to think and act like a real threat actor – and that’s where red teaming comes in.
Setting the scope
A red team acts as a simulated threat actor, looking to break into your network however it can. This is a highly focused activity – if they find a gap, they’ll concentrate on exploiting it. Once they succeed, they won’t go back to explore other avenues.
This means red teaming will not give the same broader view as penetration testing or other security assessments and cannot be used as a substitute for them. As such, you should only look to red teaming if you already have a mature programme of regular testing and assessments in place.
Ideally you want this to be a no-holds-barred engagement where the team can attempt to exploit any possible weakness, just like a real criminal attacker would.
The red team will spend a fair bit of time mapping out the physical and technical access points of your organisation before they start making a move. This covers both virtual and physical aspects, including monitoring buildings, observing employee behaviour, and identifying security measures, such as guards and ID passes. We find the physical side of security is often overlooked and it’s often quite easy to enter and freely roam what should be restricted space – accessing endpoints and servers along the way.
If this sounds alarming, rest assured that the red team will conduct an in-depth consultation with you first to agree the scope and boundaries of the campaign before they start trying to sneak in. This includes covering anything that might cause actual disruption to your organisation so that the exercise doesn’t inadvertently cause as much damage as a real attack.
Your employees will play a central role
When agreeing the scope of the exercise, bear in mind that your employees will be in the spotlight. Ideally you want as few people as possible aware that red teaming is taking place, in order to keep it realistic.
Employees are seen as the weakest link by threat actors, and most attacks start by attempting to exploit them with social engineering. Unsurprisingly, then, the red team will seek to do the same thing. This will usually begin by harvesting any readily available data from locations like LinkedIn and other publicly available profiles – it can be quite eye-opening to realise just how much information most of us freely share with the world.
Once they’ve staked the place out, the red team will try a variety of tactics targeting your personnel, from sending personalised phishing emails to slipping past the guards with a toolbox and a fake ID.
This scope includes senior executives, as they are often the ultimate target of a real attack. Whaling – targeting the big fish in a company through a highly targeted phishing attack – is a common practice for attackers, as these top positions generally have access to everything.
Achieving the best ROI
Along with setting the scope and boundaries for the red team, it’s also important to have a strong idea of your objectives for the exercise. You should work with the team to agree a series of goals you’d like them to aim for. On the purely virtual side, this could be accessing and exfiltrating a particular set of high-value data, or gaining control of a specific user account. On the physical side, the team could be tasked with accessing the server room and installing a device that grants network access.
There is no one-size-fits-all approach to red teaming, so you’ll need to agree a set of objectives that fit your specific risk profile and security priorities. Simply setting a red team loose without specific objectives will provide much less value, as you’ll only really learn that yes, you can be breached in this one specific way, without much in the way of context.
On that note, you’ll want to ensure you partner with a red team specialist that provides a detailed rundown of the actions they took and how your defences fared. Finding out which of your security precautions gave them a hard time and which were easily defeated or sidestepped will give you valuable insight into how you should be investing your budget in the future.
With a well-defined scope and set of objectives, a red teaming exercise can be a powerful tool for elevating your security posture and revealing potential threats that automated vulnerability scans and penetration testing are unlikely to ever pick up. This knowledge will help you harden your defences against some of the most skilled and persistent threat actors out there.