Red Teams

A Red Team is a group of individuals who simulate cyber attacks using the same tools and techniques as malicious threat actors. The goal is to mimic an attacker’s behavior to the greatest degree possible. They adopt the mindset of an attacker and use all the tools and skills they have to penetrate security defenses successfully.

Red Teams originated within the military as a training exercise and then moved to the public and private sectors for cybersecurity training. The German military developed the earliest well-known concept of Red Teaming to help officers better understand their enemy’s next moves in realistic war game scenarios. The war games invented by the Prussians were well received and so successful that they were adopted by other military organizations worldwide. Today, military organizations use Red Teams to challenge assumptions, probe for weaknesses, and help improve organizational resilience. This concept has translated well to the private sector and cybersecurity world to help defenders better anticipate threats and respond promptly and effectively. 

Penetration testing is very similar to Red Teaming, but some organizations like to draw distinctions between the two. Penetration testing generally is designed to discover vulnerabilities in certain areas. It is often part of regular compliance work that the information technology or security operations center teams must do. Penetration testing provides a comprehensive view of the effectiveness of security controls as configured and the overall quality of defenses. Penetration testing is also generally undertaken with the cooperation of internal teams such as the Blue Team. Once again, the goal of penetration testing is to test the vulnerability of specific targets. Ethical hackers often support penetration testing.

Red Team testers attempt to the most significant degree possible, a realistic attack against an organization. Red Teams find vulnerabilities and exploit them so that they can assess the overall resilience of an organization. Red Teams will also target and test using social engineering and compromise security personnel. Nothing is off limits for Red Team in demonstrating how to identify and compromise weaknesses in the organization’s cyber defenses. However, the successful Red Team must identify and exploit vulnerabilities and materially illustrate the risk to essential business assets. 

Like the actual attackers, Red Team tests are constantly evolving. Tests are built upon previous experience and community learnings. Tests are generally wrapped around specific attack scenarios which break-out various Red Team objectives. Tests can be framed and described nicely by using tools such as MITRE ATT&CK, which help explain the attacker’s goals (tactics), the way the Red Team will reach those goals (techniques), and the detailed steps they will take in the execution of these techniques (procedures). 

Red Teams often start with reconnaissance and seek to gather as much information as possible before setting their strategy for the attack. Many public tools are available to use. These include Facebook, Twitter, LinkedIn, Google, etc., where you can learn quite a bit about the targeted entities’ information technology, networks, and personnel. Information about the IT infrastructure is critical. Red Teams want to understand the target entities’ facility’s security, security controls, and more.

Once surveillance is complete, Red Teams will want to plan the steps of their attack based upon all the information gathered from the earlier stages, such as reconnaissance. Red Teams often craft their primary attack vectors, perhaps build custom malware to facilitate their efforts, develop scenarios to support targeted social engineering, and more. Plans will usually outline the most opportunistic tactics, techniques, and procedures to address the vulnerabilities. They will often have backup or contingency plans if the situation changes. In this way, the Red Team attack is fluid and evolves as required to leverage new opportunities or to avoid organization. Tactics might include using social engineering to get an employee to connect a USB drive to a networked device or simply getting close enough to use office Wi-Fi with weak credentials and broad permissions.

Red Teams may initially target your network. They may attempt to access unprotected ports, compromised endpoints, or poorly secured use accounts. Next, they may target your software by searching for vulnerabilities. Once identified, vulnerabilities could support a variety of well-known attacks such as cross-site scripting, SQL injection, and more.  Red Teams may also find vulnerabilities in your physical security. Physical security vulnerabilities can include forged security badges, compromising security cameras, and perhaps further compromising physical security in your data center or network operations center. Red Teams may also go directly after your personnel using social engineering and phishing combined with malware and malicious URLs.

Now the Red Team is ready for exploitation. First, they will work to gain their first footholds using the initially discovered vulnerabilities and probing and moving laterally. Once exploitation is done, the Red Team works to establish persistence so that they can repeatedly access the targeted organization’s internal assets and networks. 

After exploitation, the Red Team will continue moving laterally to demonstrate and document evidence of the targeted compromise. For example, the specific goals of the Red Team might have been to steal targeted data or show proof of compromising sensitive applications, such as those for wire transfer.

Reporting is an integral part of the Red Team exercise. The Red Team needs to pull the data of the attack together in detail so that the defenders can analyze the results and then take steps to adjust their defensive posture to prevent the same attack from being successful again. Reports will outline the Red Team’s success and note areas where the cyber defenses were resilient in slowing down or halting their earlier efforts.

As mentioned earlier, the MITRE ATT&CK framework is a handy tool for Red Teams to plan each attack step. MITRE ATT&CK® is a readily accessible knowledge base of adversary tactics and techniques based on real-world observations and data. In addition, the MITRE ATT&CK knowledge base can be used to document specific threat models and methodologies used by threat actors. MITRE ATT&CK is an excellent Red Team resource – it supports the private sector, government, and the cybersecurity product and services community. 

MITRE ATT&CK Tactics represent the “why” of an ATT&CK technique or sub-technique. The Red Team’s tactical goal and the primary reason for any action. For example, a Red Team may want to achieve credential access. MITRE ATT&CK Techniques represent ‘how’ a Red Team can achieve a tactical goal by acting. For example, an adversary may dump credentials to gain credential access. And finally, MITRE ATT&CK procedures provide the detailed execution details for each technique. All of this brings structure to the Red Team’s activities and reporting. 

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.