Red Teams
Red team summary
Red Teams simulate real-world cyberattacks to assess and strengthen an organization’s cybersecurity defenses. By thinking and acting like malicious attackers, they uncover vulnerabilities, test response capabilities, and provide insights for improving resilience.
Red teaming key insights:
- Origins & Purpose: Red Teaming began in the military and evolved into cybersecurity to realistically simulate adversarial threats and improve defense strategies.
- Four-Phase Approach: Operations follow a structured process: In (initial access), Through (lateral movement), Out (impact simulation), and Assess (reporting and recommendations).
- Frameworks like MITRE ATT&CK: Provide structure and clarity for Red Team operations, helping map tactics, techniques, and procedures (TTPs) for easier communication and analysis.
- Use Cases: Useful for compliance, security posture evaluation, and incident recovery practice—especially in critical industries like finance.
- Benefits vs. Challenges: While Red Teams can deeply enhance security, finding the right talent or team—especially with consultancies—can be resource-intensive and sometimes ineffective for specific environments.
What is a red team in cybersecurity?
A Red Team is a group of individuals who simulate cyber attacks using the same tools and techniques as malicious threat actors. The goal is to mimic an attacker’s behavior to the greatest degree possible. They adopt the mindset of an attacker and use all the tools and skills they have to penetrate security defenses successfully.
The origins of red teaming
Red Teams originated within the military as a training exercise and then moved to the public and private sectors for cybersecurity training. The German military developed the earliest well-known concept of Red Teaming to help officers better understand their enemy’s next moves in realistic war game scenarios. The war games invented by the Prussians were well received and so successful that they were adopted by other military organizations worldwide. Today, military organizations use Red Teams to challenge assumptions, probe for weaknesses, and help improve organizational resilience. This concept has translated well to the private sector and cybersecurity world to help defenders better anticipate threats and respond promptly and effectively.
Red, blue, and purple teams: Key differences
Red Teams, Blue Teams, and Purple Teams are integral components in the realm of cybersecurity, each serving distinct roles to enhance an organization’s security posture.
Red Teams operate as adversaries, simulating cyber attacks and penetration attempts to identify vulnerabilities and weaknesses within an organization’s defenses. Their objective is to think and act like attackers to test the effectiveness of existing security measures.
In contrast, Blue Teams are the defenders, primarily responsible for maintaining the security of information systems by monitoring, detecting, and responding to threats. They focus on fortifying defenses and developing strategies to prevent, mitigate, and respond to attacks.
Purple Teams represent a collaborative blend of Red and Blue Teams. They aim to optimize security practices by facilitating communication and feedback between the Red and Blue Teams, ensuring that insights gained from simulated attacks are used to improve defenses. Essentially, Purple Teams bridge the gap, fostering a more cohesive and adaptive security environment by encouraging a culture of continuous learning and improvement.
Red teaming use cases
Red team operations can be valuable in a variety of situations, from adhering to compliance mandates and securing new product launches to post-incident recovery. We’ll cover why red teaming can be helpful in each of these scenarios.
Understanding your security posture
Red team operations provide a thorough exploration and understanding of your security. Red teams have an open scope, so they will try many more attack vectors than professionals using other security testing methods. After a red team test, a company can access much more information about the vulnerabilities in its attack surface and the gaps in its defenses. With this knowledge, the company can fill the gaps and improve its overall security posture.
Maximizing compliance
For companies and products that handle critical data, there are often mandatory security requirements. For example, companies handling payment data have strict security testing requirements as part of PCI-DSS compliance. The finance industry is governed by multiple frameworks such as CBEST, iCAST, CORIE, TIBER, and DORA. Red team assessments go above and beyond the usual pen testing that companies pursue as part of their compliance efforts. Not only do red team assessments provide security coverage and reveal gaps, but they also go deeper and test less-common attack vectors and determine the associated risk and root causes related to attack paths. As a result, companies can build stronger defenses while maintaining compliance. Within critical industries, red team frameworks exist to ease the path to security.
Incident recovery
Apart from helping companies patch up vulnerabilities, red team operations also help companies practice their post-incident recovery protocols. If a security team didn’t spot any of the Red Team’s attacks, this means the company in question needs to boost its detection practices. If the security team detected attacks but couldn’t remove some of the red teamers from internal networks, then the team knows they’ll need to work on their incident response. If the security team couldn’t prevent a red team simulated ransomware attack, they will now better grasp the deficiencies in their backup and user alerting processes. The security team will essentially go through trials of incidents and recoveries, preparing them for real situations.
Red teams at work
At their core, red teams try to simulate threat actors attacking a system. Doing this well requires creativity and expertise, but the high-level process is similar for most red teams.
High-level process
Red team operations can be broken down into four phases: in, through, out, and assess. We’ll cover each in the following.
In phase
The in phase focuses on gaining initial access to a system or organization. During this phase, threat intelligence analysts provide threat intelligence about the target organization. In engagements with no threat intelligence, the red team performs the reconnaissance. This can include any of the following information:
- Organization—Building locations, team structures, business units, phone numbers, emails, core products
- Employees—Emails, phone numbers, LinkedIn accounts
- Technology stack—Technology providers, email configurations, public IP addresses, open ports
- Open source intelligence (OSINT)—Any publicly accessible information (e.g., previous compromises, leaked credentials)
Once they have collected and validated their threat intelligence, red teams devise attack scenarios. These are usually an initial access attack vector, threat profile, and set of objectives that a threat actor would target to try to gain initial access. An attack vector can be a combination of multiple vulnerabilities, misconfigurations, people, or legitimate tools and processes. The Red Team will then commence the attacks and execute on their attack vectors. As the operation proceeds, they will often modify the vectors or add new ones.
Once they gain initial access to a system, the next phase begins.
Through phase
In the through phase, red team operators move laterally and escalate their access and privilege within the system, network, or organization. The goal of this phase is to find and execute any attack vectors that give privileged access to target data or systems. This can look like targeting employees within a company through phishing attacks or exploiting misconfigurations in cloud setups. Red team operators will chain attack vectors to gain the access they need; each vector will provide a small escalation, but the sum could get the Red Team right to their target.
Out phase
With privileged access within an organization’s systems, red team operators shift to simulating impact. A real threat actor may run a ransomware attack or leak critical user data. Red team operations won’t harm a company, but they need to show potential impact. Experienced red team operators will weigh the potential impact simulations (e.g., deploying ransomware that encrypts only certain files or accessing the CEO’s emails) by harm and adherence to objective.
Once a red team has chosen and executed an impact simulation, the active portion of the Red Team test has come to an end. The red team will then perform a clean up and attempt to remove indicators of compromise.
Assess phase
After a simulated attack ends, the Red Team writes an extensive report detailing all the attacks they tried (also called an attack narrative), the vulnerabilities or root cause issues they found, and the defenses they worked around. Some reports may even contain the full attack chains, which diagram the sequences of attack vectors in a graph format. By including as much detail as possible, the Red Team helps the security team understand exactly how the operators were able to perform their attacks. The report also includes recommended remediations for the vulnerabilities or root causes it uncovered. This report can be shared with the right stakeholders, with the goal of running root-cause analyses and fixing systems. Done well, the report can serve as a security roadmap for the entire organization.
Common frameworks
Frameworks provide a steady base for red team operations. They raise the floor by making it easier to communicate the results of an operation. Specific frameworks also exist for different domains (e.g., CBEST for finance), helping finance firms focus red team operations on regulation. Here are some of those frameworks:
MITRE ATT&CK
MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a repository of information on threat actor tactics and techniques. It splits threat actor behaviors based on 14 different tactics and lists specific techniques for each one. For example, within the tactic of lateral movement, the ATT&CK framework mentions techniques like internal spearphishing and remote service session hijacking. ATT&CK is often used after a red team operation to categorize attacks used in an exercise. Red team operators don’t use ATT&CK during an operation since they need to be creative. Nevertheless, the ATT&CK framework maps many attacks (even creative ones) to a common set of understandable vectors, making it easier to communicate attacks in the debrief.
CBEST
CBEST is a framework for security testing, specifically for financial firms in the UK. It’s designed to help financial firms secure their services in full compliance with regulations. CBEST splits the testing process into four phases: initiation, threat intelligence, penetration testing, and closure. The framework lists steps that must be taken in each phase along with rules on who can conduct testing. CBEST was the first framework of its kind, leading to the creation of others like iCAST, CORIE, and TIBER. In this way, CBEST paved the way for intelligence-led red team assessments and standardized them in critical industries.
Beyond frameworks
There’s a whole universe of frameworks out there, both general (e.g., Lockheed Martin’s Cyber Kill Chain) and domain-specific (e.g., ICS-Cert for industrial control systems). Red team operators often use these frameworks while learning the trade (often via pen testing) before developing custom tactics and techniques for the specific attack surfaces they will encounter in various organizations.
Red teaming vs. penetration testing
Penetration testing is very similar to Red Teaming, but some organizations like to draw distinctions between the two. Penetration testing generally is designed to discover vulnerabilities in certain areas. It is often part of regular compliance work that the information technology or security operations center teams must do. Penetration testing provides a comprehensive view of the effectiveness of security controls as configured and the overall quality of defenses. Penetration testing is also generally undertaken with the cooperation of internal teams such as the Blue Team. Once again, the goal of penetration testing is to test the vulnerability of specific targets. Ethical hackers often support penetration testing.
Red team objectives
Red Team testers attempt, to the greatest degree possible, a realistic attack against an organization. Red Teams find vulnerabilities and exploit them so that they can assess the overall resilience of an organization. Red Teams will also target and test using social engineering and compromise security personnel. Nothing is off limits for a Red Team in demonstrating how to identify and compromise weaknesses in the organization’s cyber defenses. However, the successful Red Team must identify and exploit vulnerabilities and materially illustrate the risk to essential business assets.
Evolving attack scenarios and the MITRE ATT&CK Framework
Like the actual attackers, Red Team tests are constantly evolving. Tests are built upon previous experience and community learnings. Tests are generally wrapped around specific attack scenarios which break out various Red Team objectives. Tests can be framed and described nicely by using tools such as MITRE ATT&CK, which help explain the attacker’s goals (tactics), the way the Red Team will reach those goals (techniques), and the detailed steps they will take in the execution of these techniques (procedures).
Red Teams often start with reconnaissance and seek to gather as much information as possible before setting their strategy for the attack. Many public tools are available to use. These include Facebook, Twitter, LinkedIn, Google, etc., where you can learn quite a bit about the targeted entity’s information technology, networks, and personnel. Information about the IT infrastructure is critical. Red Teams want to understand the targeted entity’s facility security, security controls, and more.
Once surveillance is complete, Red Teams will want to plan the steps of their attack based upon all the information gathered from the earlier stages, such as reconnaissance. Red Teams often craft their primary attack vectors, perhaps build custom malware to facilitate their efforts, develop scenarios to support targeted social engineering, and more. Plans will usually outline the most opportunistic tactics, techniques, and procedures to address the vulnerabilities. They will often have backup or contingency plans if the situation changes. In this way, the Red Team attack is fluid and evolves as required to leverage new opportunities or to avoid organization. Tactics might include using social engineering to get an employee to connect a USB drive to a networked device or simply getting close enough to use office Wi-Fi with weak credentials and broad permissions.
Red team network, software, and physical targeting
Red Teams may initially target your network. They may attempt to access unprotected ports, compromised endpoints, or poorly secured user accounts. Next, they may target your software by searching for vulnerabilities. Once identified, vulnerabilities could support a variety of well-known attacks such as cross-site scripting, SQL injection, and more. Red Teams may also find vulnerabilities in your physical security. Physical security vulnerabilities can include forged security badges, compromising security cameras, and perhaps further compromising physical security in your data center or network operations center. Red Teams may also go directly after your personnel using social engineering and phishing combined with malware and malicious URLs.
Now the Red Team is ready for exploitation. First, they will work to gain their first footholds using the initially discovered vulnerabilities and probing and moving laterally. Once exploitation is done, the Red Team works to establish persistence so that they can repeatedly access the targeted organization’s internal assets and networks.
After exploitation, the Red Team will continue moving laterally to demonstrate and document evidence of the targeted compromise. For example, the specific goals of the Red Team might have been to steal targeted data or show proof of compromising sensitive applications, such as those for wire transfer.
Reporting is an integral part of the Red Team exercise. The Red Team needs to pull the data of the attack together in detail so that the defenders can analyze the results and then take steps to adjust their defensive posture to prevent the same attack from being successful again. Reports will outline the Red Team’s success and note areas where the cyber defenses were resilient in slowing down or halting their earlier efforts.
AI and LLM-powered red teaming
AI and LLM-powered red teaming involves the use of artificial intelligence, specifically large language models (LLMs), to enhance the security testing methodologies known as red teaming. This approach leverages the advanced capabilities of AI to simulate realistic adversarial scenarios and identify potential vulnerabilities in systems, applications, or networks. By mimicking sophisticated threat actors, AI-powered red teaming tools can introduce novel attack vectors that might not be discovered through traditional testing methods. The integration of AI enables continuous learning and adaptation, staying abreast of the evolving cyber threat landscape. As organizations increasingly rely on digital infrastructures, AI and LLM-powered red teaming becomes a crucial component in proactive cybersecurity strategies, helping to fortify defenses and reduce the risk of security breaches.
Enhanced Simulation:
- AI and LLMs enable high-fidelity simulations of cyber threats, emulating real-world adversaries with precision.
- These technologies can mimic human-like decision-making processes to craft more sophisticated attack tactics.
Continuous Learning:
- AI systems can continuously learn from new data, adapting to emerging threats and evolving tactics over time.
- This adaptability ensures that red teaming exercises remain relevant and effective against the latest threat vectors.
Scalability and Efficiency:
- Automated processes powered by AI can scale to test large and complex environments more efficiently than traditional methods.
- The use of LLMs can streamline the analysis and reporting processes, making it faster to identify and address vulnerabilities.
Novel Attack Detection:
- AI-powered models can introduce unexpected and novel attack scenarios, broadening the scope of vulnerability discovery.
- This capability helps organizations uncover weaknesses that might be overlooked by conventional red teaming methods.
Cost-Effectiveness:
- Reducing the need for large teams of human testers, AI can perform many repetitive and complex tasks autonomously, lowering operational costs.
- Organizations can achieve more comprehensive security assessments with fewer resources.
Enhanced Reporting and Insights:
- AI tools can provide detailed insights and actionable recommendations, facilitating quicker remediation of identified issues.
- Advanced analytics generated by AI can help prioritize vulnerabilities based on their potential impact.
Using MITRE ATT&CK to Structure Red Team Activities
As mentioned earlier, the MITRE ATT&CK framework is a handy tool for Red Teams to plan each attack step. MITRE ATT&CK® is a readily accessible knowledge base of adversary tactics and techniques based on real-world observations and data. In addition, the MITRE ATT&CK knowledge base can be used to document specific threat models and methodologies used by threat actors. MITRE ATT&CK is an excellent Red Team resource – it supports the private sector, government, and the cybersecurity product and services community.
MITRE ATT&CK Tactics represent the “why” of an ATT&CK technique or sub-technique: the Red Team’s tactical goal and the primary reason for any action. For example, a Red Team may want to achieve credential access. MITRE ATT&CK Techniques represent the “how”: the way a Red Team achieves a tactical goal by acting. For example, an adversary may dump credentials to gain credential access. And finally, MITRE ATT&CK procedures provide the execution details for each technique. All of this brings structure to the Red Team’s activities and reporting.
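As an added example (not Bugcrowd's own code or tooling), the sketch below shows how an attack narrative recorded as tactic/technique/procedure steps can be turned into the debrief data described under "Incident recovery" and "Assess phase": per-tactic detection coverage and a queue of detection, response, and recovery gaps. The `Step` fields, the `detected`/`contained` flags, the gap labels, and the sample narrative are assumptions constructed for illustration; the technique IDs are the ATT&CK entries for techniques named on this page.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    order: int         # position in the attack chain
    phase: str         # "in", "through" or "out"
    tactic: str        # ATT&CK tactic: the "why"
    technique_id: str  # ATT&CK technique: the "how"
    procedure: str     # what the operators actually did
    detected: bool     # did the blue team see it?
    contained: bool    # did the blue team stop or evict it?


# Constructed attack narrative for a fictional engagement (not real data).
NARRATIVE = [
    Step(1, "in", "Initial Access", "T1566", "phishing email to finance staff", False, False),
    Step(2, "through", "Credential Access", "T1003", "credential dump on first workstation", True, False),
    Step(3, "through", "Lateral Movement", "T1534", "internal spearphish to an IT admin", False, False),
    Step(4, "through", "Lateral Movement", "T1563", "remote service session hijack", True, True),
    Step(5, "out", "Impact", "T1486", "encrypted a designated test share only", True, False),
]

GAP_PRIORITY = {"detection": 0, "response": 1, "recovery": 2}


def classify(step):
    """Label one step with the kind of gap it exposes (assumed rule set)."""
    if not step.detected:
        return "detection"   # the attack was never spotted
    if step.contained:
        return "defended"
    # Seen but not stopped: impact steps point at backups and user alerting,
    # everything else points at incident response.
    return "recovery" if step.tactic == "Impact" else "response"


def coverage_by_tactic(steps):
    """Return {tactic: (steps, detected, contained)} for the debrief."""
    total, seen, stopped = Counter(), Counter(), Counter()
    for s in steps:
        total[s.tactic] += 1
        seen[s.tactic] += s.detected
        stopped[s.tactic] += s.contained
    return {t: (total[t], seen[t], stopped[t]) for t in total}


def steps_before_first_detection(steps):
    """How many chain steps ran before the blue team noticed anything."""
    ordered = sorted(steps, key=lambda s: s.order)
    for i, s in enumerate(ordered):
        if s.detected:
            return i
    return len(ordered)


def remediation_queue(steps):
    """Gaps ordered by kind (detection first), then by position in the chain."""
    gaps = [(classify(s), s.order, s.technique_id) for s in steps]
    gaps = [g for g in gaps if g[0] != "defended"]
    return sorted(gaps, key=lambda g: (GAP_PRIORITY[g[0]], g[1]))


if __name__ == "__main__":
    for tactic, (n, d, c) in coverage_by_tactic(NARRATIVE).items():
        print(f"{tactic:18} steps={n} detected={d} contained={c}")
    print("steps before first detection:", steps_before_first_detection(NARRATIVE))
    for gap, order, tid in remediation_queue(NARRATIVE):
        print(f"{gap:10} step {order} {tid}")
```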
Red team engagements: Pros and cons
Red team assessments can provide a root-cause analysis of the risks in an organization. They probe deeper and more consistently than other security exercises, enabling continual testing instead of basic point-in-time measures. But setting up an adaptable red team is a challenge, even for well-resourced companies.
Benefits
By using a great red team, a company can simulate attacks from threat actors, patch up organization-wide root-cause issues, and stay one step ahead in the cybersecurity cat-and-mouse game. Red team assessments turn theory into reality by actually testing an organization’s defenses to see where it is strong, weak, or exposed. The results of these assessments can inform a team’s roadmap and help prioritize root-cause issues and risks. With effective iterative improvements or collaboration practices, red and blue (or purple) teams can level each other up, creating more advanced defenses and craftier attacks. Over time, this constant improvement in security posture reduces the risk of actual incidents.
Challenges
Companies struggle to find the right red team for their security posture. A common solution is to work with red team consultancies. The main problem with red team consulting is that it often relies on static red teams; they may not have the right skills for your specific attack surface. Traditional consultancies often lack the depth and breadth of skills needed for each company. Boutique firms can go deep in one area but can be expensive and slow. The consulting business model also means red team operators often work on projects back to back for years on end, leading to exhaustion or burnout. Lastly, external consulting teams can’t always help companies fix their security holes after they’ve been discovered.