RED TEAMING: How to identify gaps in your security strategy by thinking like the enemy
CONTENTS
01 Introduction
02 What is red teaming?
03 Red teaming vs. penetration testing
04 How red teaming works
05 How to get more from a red team exercise
06 Business benefits
07 Case study
08 Conclusion
01 INTRODUCTION

Red teaming forces you to think about your business the way a hacker would

A red team exercise is a simulated, targeted cyber-attack that mirrors the way a hacker works. It reveals how effective your organization’s defenses are against an attack and pinpoints the bad practice that leaves you open to a cyber-threat.

Limitations in existing assurance methods, increasingly sophisticated attacks and the introduction of regulations like the Bank of England’s CBEST scheme — a framework to test the cyber resilience of UK financial services firms — have increased awareness among companies from every sector.

This guide explains what red teaming is, how to get the most from it and the business benefits it brings.

WHY YOU NEED RED TEAMING:
- Improved readiness of your organization
- Better training for defensive practitioners
- An opportunity to inspect security performance levels
- Assess the organization at all levels, including systems, people and processes
02 WHAT IS RED TEAMING?

A red team attack plan is informed by your organization’s operations, based on surveillance and research, as well as knowledge of the tactics,

The red team can emulate this attack by performing reconnaissance to determine the target’s exposed web presence, and by creating

An organization that can endure a comprehensive, threat intelligence-led, red teaming exercise can have greater confidence in its ability to deal with advanced attacks.
03 RED TEAMING VS. PENETRATION TESTING

Red team exercises mimic a real-life attack against a company to evaluate the effectiveness of its security defenses, including people and processes. Penetration testing focuses on identifying as many technical vulnerabilities as possible in a pre-defined IT system that could leave your organization open to an attack.

While red team exercises include penetration testing skills (and tools) the objectives and outcomes can differ. Red teams and penetration tests complement each other, playing a vital role in safeguarding your organization and keeping you compliant.

PENETRATION TESTING
The important thing to note is that this is usually done in isolation, avoiding other out-of-scope systems, and therefore doesn’t necessarily provide a holistic view on what could be a much larger risk to the organization.

RED TEAMING
A red team exercise tests an organization’s entire security defense. It provides a more in-depth view of border protection, employee awareness and how well processes and procedures cope when faced with a real-life attack scenario. It assesses an organization’s capability to detect and respond to these threats. A red team often starts from a ‘no-knowledge’ perspective, the same as many real attackers.
04 HOW RED TEAMING WORKS

Red team exercises begin with an analysis of the real-world threats faced by the target organization. These are used to define a number of scenarios to be covered in the test.

A common scenario is a targeted attack against an organization from the internet. Here the test would start with a reconnaissance phase using public data such as social media and information available on the internet.

The information gathered is used to plan and deliver a multi-stage attack, identifying assets of interest such as key systems and critical data.

A detailed report provides mitigation advice where vulnerabilities have been identified. This enables you to understand the security risks and to consider what steps can be taken to mitigate these risks.
05 HOW TO GET MORE FROM A RED TEAM EXERCISE

Red teaming highlights an organization’s exposure to threats. It is not an instant gratification exercise: it is typically a fairly major

to identify whether a detection and response capability is strong or weak.

Mature organizations can combine a red teaming exercise with a test of their defense team. It works like this: if the hackers are the ‘red team’, then your internal security team are the defensive ‘blue team’, who will attempt to detect and respond to the red team’s activities.

You can support the blue team during the exercise by temporarily embedding into it experts in offensive security testing; these experts will help the defensive team, and assist them in detecting and stopping the red team. This is known as a ‘purple team’ exercise.

A purple team approach may not be appropriate for every test: when your organization is attacked your defensive staff will need to detect the

exercise, or feedback to improve detection and response activities. The embedded experts in your defense team can also model the specialist technical services an incident response consultancy would provide in a real security incident.

against them in the future.

WHITE TEAMING
White teaming can be useful when trying to model attacks against complex internal systems or assets that are too critical to test safely in a real world attack simulation. White teaming uses a combination of architecture review and interviews with key system owners to identify likely attack paths and test key points in each attack path where the strength of defenses in the system is unknown.

SCENARIO-BASED EXERCISE
For smaller companies that don’t have the resources for a full-scale red teaming exercise, it is possible to do shorter scenario-based red team exercises.

team exercise, a consultancy can then carry out a specific scenario-based test to see whether they have addressed the issue properly.
WHAT DO THE COLOURS MEAN?
Here’s a definition of each one.

RED TEAM: External or in-house teams who test the effectiveness of a security strategy by simulating a cyber-attack.
BLUE TEAM:
WHITE TEAM:
06 BUSINESS BENEFITS OF RED TEAMING

organization’s cyber defense

Provide a practical training opportunity for SOCs

exploited within your organization by the red team. These findings can be used to get buy-in from senior staff and to make security improvements across the organization.

- Action the recommendations from the red team
- Measure the results against KPIs
- Once implemented, repeat the process and improve it
- Then measure KPIs across all red teams to identify performance trends
- Refine your SOC capability until it can deal with an array of attack types and actors
- Remain vigilant!
07 RED TEAMING: CASE STUDY

Context broke into an organization’s network and gained access to its entire HR database — the process worked like this:

Diagram: the attack path runs from ATTACKER via PHISHING EMAILS to TARGET USERS and the TARGET’S USER ENVIRONMENT, then TARGET DOMAINS (SERVERS IN UK01 & UK02 DOMAINS), the SECRET DOMAIN, the JUMP BOX and finally the UNIX SERVERS.

01 The red team trawl social media and work community sites for company employees’ information, i.e. names, email addresses, job titles and locations.

02 This knowledge is used to develop a convincing cover story for a targeted phishing email. The email invites the individuals to speak at an alumni event relevant to their job role, details of which can be found in a brochure linked from the email. When accessed, the brochure installs a malicious ‘implant’ onto the user’s computer. This is controlled by Context’s servers, and communicates using requests and responses that mimic innocent Gmail traffic.

03 Obtain Administrator credentials from world-readable network shares. The red team are now inside the organization’s network and explore for files of interest. They find a custom server-monitoring app which they securely extract back to our offices for analysis (with approval). The red team also dump credentials on the target user’s computer, gaining low privilege access to secret domain systems.

04 Use Administrator credentials to access servers in domains. Context analyze the underlying functionality of this software using ‘reverse engineering’ and uncover hardcoded usernames and passwords, giving the red team access to more servers. From this, they get their hands on top-level domain administrator credentials for the UK01 and UK02 domains.

05 Obtain Domain Administrator credentials to access servers in domains. Using their top level access to the UK01 and UK02 domains, the red team are able to retrieve administrator credentials for the previously discovered secret domain.

06 Obtain passwords for Unix accounts via configuration files on the Jump Box. Using the secret domain administrator account, the red team access a ‘jump box’ which is used to access the organization’s segregated UNIX environment.

07 Authenticate to Unix systems using the SSH tools available on the Jump Box. The red team gain access to the UNIX environment including an Oracle database which contains HR information. Using the credentials and a configuration flaw, the red team are able to dump the contents of this database and exfiltrate the data out of the network.

The diagram illustrates just one way a red team can attack a major company.
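The KPI loop from the business benefits section (action the recommendations, measure against KPIs, repeat, compare across exercises) applied to the seven stages of the case study above, as an added example and not Context’s own tooling: the two timelines, the detection timestamps and the choice of KPIs (detection rate, mean time to detect, trend between exercises) are constructed for illustration.

```python
"""Red team exercise KPIs: detection coverage, mean time to detect and the trend
across exercises. Added example, not Context's tooling; timelines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Stage:
    name: str
    started: datetime             # when the red team carried out the step
    detected: Optional[datetime]  # when the blue team raised an alert; None if missed

def compute_kpis(stages: List[Stage]) -> dict:
    """Detection rate over all stages, mean time to detect over detected stages only."""
    detected = [s for s in stages if s.detected is not None]
    seconds = sum((s.detected - s.started).total_seconds() for s in detected)
    return {
        "detection_rate": len(detected) / len(stages) if stages else 0.0,
        "mean_ttd_hours": seconds / len(detected) / 3600 if detected else None,
        "missed": [s.name for s in stages if s.detected is None],
    }

def detection_trend(history: List[dict]) -> List[float]:
    """Change in detection rate between consecutive exercises; positive is improving."""
    return [b["detection_rate"] - a["detection_rate"] for a, b in zip(history, history[1:])]

T0 = datetime(2024, 1, 8, 9, 0)

def at(hours: float) -> datetime:
    return T0 + timedelta(hours=hours)

# Constructed timeline for a first exercise; stage names follow the case study.
EXERCISE_1 = [
    Stage("01 reconnaissance", at(0), None),                    # passive, not observable
    Stage("02 phishing implant", at(2), at(26)),
    Stage("03 credentials on network shares", at(30), None),
    Stage("04 hardcoded credentials in monitoring app", at(48), None),
    Stage("05 secret domain admin credentials", at(52), at(60)),
    Stage("06 jump box config passwords", at(70), None),
    Stage("07 Oracle HR data exfiltration", at(72), at(74)),
]
# Constructed re-run after actioning the report: more stages seen, and seen sooner.
EXERCISE_2 = [
    Stage("01 reconnaissance", at(0), None),
    Stage("02 phishing implant", at(2), at(5)),
    Stage("03 credentials on network shares", at(30), at(31)),
    Stage("04 hardcoded credentials in monitoring app", at(48), None),
    Stage("05 secret domain admin credentials", at(52), at(53)),
    Stage("06 jump box config passwords", at(70), at(71)),
    Stage("07 Oracle HR data exfiltration", at(72), at(72.5)),
]
```

Calling compute_kpis on each list and passing both results to detection_trend gives a 3/7 detection rate with a mean time to detect of about 11.3 hours for the first exercise, 5/7 and 1.3 hours for the re-run, and a trend of +2/7; the stages still in "missed" are the ones the next set of recommendations should target.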
08 CONCLUSION

Make red teaming part of your organization’s security strategy by assembling an in-house team, or you can hire an outside company (like Context) to lead

More advice on how to defend against a cyber-threat:
01 whitelisting with SSL MiTM, and email content filtering
02 Patch everything, especially workstation software
03 Improve user awareness, particularly around reporting suspicious emails
04 Develop capability to respond to alerts e.g. anti-virus or traffic monitoring
05 Restrict and minimize use of domain admin and privileged accounts
06 Audit password quality e.g. ensuring default passwords are not used and lifetime of passwords
B Hoffman

Talk to us now about our red teaming exercises and penetration testing.
[email protected]
www.contextis.com