Red Teaming How To Identify Gaps in Your Security Strategy by Thinking Like The Enemy

Red teaming exercises mimic real-world cyber attacks against an organization to evaluate security defenses. It begins with reconnaissance of publicly available information and targets people, processes, and technology across the organization. Unlike penetration testing which focuses on technical vulnerabilities, red teaming provides a holistic view of security by testing detection and response capabilities through multi-stage attacks. The process involves reconnaissance, staging attacks, and exploiting vulnerabilities to reveal gaps that can inform improvements to security posture.


RED TEAMING
How to identify gaps in your security strategy by thinking like the enemy
CONTENTS
01 Introduction
02 What is red teaming?
03 Red teaming vs. penetration testing
04 How red teaming works
05 How to get more from a red team exercise
06 Business benefits
07 Case study
08 Conclusion
01 INTRODUCTION
Red teaming forces you to think about your business the way a hacker would

WHY YOU NEED RED TEAMING:
Improved readiness of your organization
Better training for defensive practitioners
An opportunity to inspect security performance levels
Assess the organization at all levels, including systems, people and processes

A red team exercise is a simulated, targeted cyber-attack that mirrors the way a hacker works. It reveals how effective your organization’s defenses are against an attack and pinpoints the bad practice that leaves you open to a cyber-threat.

Limitations in existing assurance methods, increasingly sophisticated attacks and the introduction of regulations like the Bank of England’s CBEST scheme — a framework to test the cyber resilience of UK financial services firms — have increased awareness among companies from every sector.

This guide explains what red teaming is, how to get the most from it and the business benefits it brings.
02 WHAT IS RED TEAMING?
Red teaming targets people, processes and technology

A red team attack plan is informed by your organization’s operations, based on surveillance and research, as well as knowledge of the tactics, techniques and procedures used by real hackers. It provides a holistic and real-world view of what can happen if someone ties the individual risks together into a single coherent cyber-attack.

For example, a security consultancy’s threat intelligence team may have seen real-world attackers targeting financial services organizations by abusing configuration flaws in web servers, and through malicious downloads from sector-specific lure websites.

The red team can emulate this attack by performing reconnaissance to determine the target’s exposed web presence, and by creating a fake website themed around financial services industry topics known to be of interest to key staff; these sites can then be used to deliver a red team’s simulated malware to targeted visitors to the site.

The threat intelligence-led approach has been mandated by regulators, such as the Bank of England’s CBEST scheme, as it requires the security testing to be performed in a rigorous way that mirrors the behaviors seen in a real, targeted attack.

An organization that can endure a comprehensive, threat intelligence-led, red teaming exercise can have greater confidence in its ability to deal with advanced attacks.
03 RED TEAMING VS. PENETRATION TESTING

Red team exercises mimic a real-life attack against a company to evaluate the effectiveness of its security defenses, including people and processes. Penetration testing focuses on identifying as many technical vulnerabilities as possible in a pre-defined IT system that could leave your organization open to an attack.

Penetration testing

A penetration test requires clients to provide the relevant information such as IP addresses to scan or the credentials to access an application. Once a vulnerability is found, a pen tester will usually try to exploit it further and attempt to escalate privileges in order to understand the risk associated with an issue.

The important thing to note is that this is usually done in isolation, avoiding other out-of-scope systems, and therefore doesn’t necessarily provide a holistic view on what could be a much larger risk to the organization.

Red teaming

A red team exercise tests an organization’s entire security defense. It provides a more in-depth view of border protection, employee awareness and how well processes and procedures cope when faced with a real-life attack scenario. It assesses an organization’s capability to detect and respond to these threats.

A red team often starts from a ‘no-knowledge’ perspective, the same as many real attackers. While red team exercises include penetration testing skills (and tools) the objectives and outcomes can differ. Red teams and penetration tests complement each other, playing a vital role in safeguarding your organization and keeping you compliant.
04 HOW RED TEAMING WORKS

Red team exercises begin with an analysis of the real-world threats faced by the target organization. These are used to define a number of scenarios to be covered in the test.

A common scenario is a targeted attack against an organization from the internet. Here the test would start with a reconnaissance phase using public data such as social media and information available on the internet.

The information gathered is used to plan and deliver a multi-stage attack, identifying assets of interest such as key systems and critical data.

A detailed report provides mitigation advice where vulnerabilities have been identified. This enables you to understand the security risks and to consider what steps can be taken to mitigate these risks.
HOW RED TEAMING WORKS: THE APPROACH

The phases are generally aligned to the kill chain. However, as organizations have different threat profiles, these are often dynamic and will be altered as required.

01 RECONNAISSANCE
OSINT (open source intelligence derived overtly from publicly available sources)
Social networking
Email harvesting
Domain identification

02 STAGING
Domain registration and set up
Browser profiling
Payload creation/customization

03 EXPLOITATION
Phishing campaign
Attached payload
Watering hole attack
Code execution and established presence

04 CONTROL AND MOVEMENT
Enumerate workstation properties
Assess patch level
Bypass security software
Elevate local privileges
Enumerate user domain
Enumerate network shares

05 ACTIONS ON TARGET
Performed as a risk managed exercise

06 PERSISTENCE AND EGRESS
Stage data on the workstation
Exfiltrate data
Remain active
05 HOW TO GET MORE FROM A RED TEAM EXERCISE

Red teaming highlights an organization’s exposure to threats. It is not an instant gratification exercise: it is typically a fairly major undertaking and testing usually lasts between 4 and 6 weeks.

Mature organizations

Red teaming can be combined with blue teaming to identify whether a detection and response capability is strong or weak.

Mature organizations can combine a red teaming exercise with a test of their defense team. It works like this: if the hackers are the ‘red team’, then your internal security team are the defensive ‘blue team’, who will attempt to detect and respond to the red team’s activities.

You can support the blue team during the exercise by temporarily embedding into it experts in offensive security testing; these experts will help the defensive team, and assist them in detecting and stopping the red team. This is known as a ‘purple team’ exercise.

A purple team approach may not be appropriate for every test: when your organization is attacked your defensive staff will need to detect the incident themselves before calling on specialist advice. However, it helps assess the performance of your organization’s defenses, and provide training and direct engagement during the exercise, or feedback to improve detection and response activities. The embedded experts in your defense team can also model the specialist technical services an incident response consultancy would provide in a real security incident.

Purple teaming approaches are recommended: the better your defensive team understand an attacker’s actions, the better they can defend against them in the future.

White teaming

White teaming can be useful when trying to model attacks against complex internal systems or assets that are too critical to test safely in a real world attack simulation. White teaming uses a combination of architecture review and interviews with key system owners to identify likely attack paths and test key points in each attack path where the strength of defenses in the system is unknown.

Scenario-based exercise

For smaller companies that don’t have the resources for a full-scale red teaming exercise, it is possible to do shorter scenario-based red team exercises.

A scenario-based test is a good follow-up to red teaming, as part of a regular program of testing. For example, instead of repeating a whole red team exercise, a consultancy can then carry out a specific scenario-based test to see whether they have addressed the issue properly.
What do the colours mean? Here’s a definition of each one.

RED TEAM
External or in-house teams who test the effectiveness of a security strategy by simulating a cyber-attack.

BLUE TEAM
The internal security team, or blue team, is the ‘defense’ team — usually staff from the company’s Security Operations Centre (SOC) — who are responsible for detecting security breaches.

PURPLE TEAM
Representing a collaborative mix of ‘red’ and ‘blue’ teams: your defensive team are strengthened, informed and trained by the security consultancy’s offensive experts.

WHITE TEAM
A non-intrusive method of assessing the ability of an organization to resist attack, working with the client using a range of table-top, interview and penetration testing techniques to identify the various paths that an attacker might take to achieve a threat-targeted objective.

Organizations underestimate how much damage can be done just by using information that’s available internally on intranets, documents or network drives. So, it’s a mistake only to protect the exterior of your systems.
06 THE BUSINESS BENEFITS OF RED TEAMING

After a red teaming exercise, you will:
Understand the impact of a security breach
Discover weaknesses in your development and testing processes
Collect evidence to justify security spending
Identify vulnerabilities in applications and systems
Measure the resilience of your organization’s cyber defense
Provide a practical training opportunity for SOCs

The outcome of a red team assessment is evidence of flaws and security weaknesses that have been exploited within your organization by the red team. These findings can be used to get buy-in from senior staff and to make security improvements across the organization.

Post red teaming checklist:
Action the recommendations from the red team
Measure the results against KPIs
Once implemented, repeat the process and improve it
Then measure KPIs across all red teams to identify performance trends
Refine your SOC capability until it can deal with an array of attack types and actors
Remain vigilant!
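Measuring results against KPIs, as the checklist above recommends, and the purple-team assessment of detection and response described in section 05 both come down to the same join: the red team's timeline of logged actions against the SOC's alerts. The following Python script is added here as an example; it is not from the whitepaper and not Context's own tooling. It scores a purple-team exercise per kill-chain phase, using the six phases from section 04 as buckets, and reports detection rate, median time-to-detect and the list of actions that went undetected, which is the gap list to take into the debrief. The red-team timeline and SOC alerts are constructed sample data; the 24-hour detection window and the attribution of each alert to a red-team action id are assumptions about how the debrief records things.

```python
"""Purple-team scoring: join the red team's logged actions to the SOC's alerts
and report detection coverage and time-to-detect per kill-chain phase.
Example code with constructed data, not the whitepaper's own tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# The six phases from the whitepaper's kill-chain-aligned approach.
PHASES = ("reconnaissance", "staging", "exploitation",
          "control_and_movement", "actions_on_target", "persistence_and_egress")


@dataclass(frozen=True)
class RedAction:
    action_id: str    # id the red team assigns to each logged action
    phase: str        # one of PHASES
    when: datetime    # time the action was performed
    description: str


@dataclass(frozen=True)
class BlueAlert:
    when: datetime    # time the SOC raised or triaged the alert
    action_id: str    # red-team action the alert was attributed to in the debrief (assumed)
    source: str       # detection source, e.g. "EDR", "proxy", "user report"


def first_alert_per_action(alerts):
    """Earliest alert attributed to each action id; later duplicates are ignored."""
    first = {}
    for alert in alerts:
        cur = first.get(alert.action_id)
        if cur is None or alert.when < cur.when:
            first[alert.action_id] = alert
    return first


def detection_delay(action, first, window):
    """Time from action to first alert, or None when it was not detected within `window`.
    An alert dated before its action is a recording error; one after the window arrived
    too late to change the outcome.  Neither counts as a detection."""
    alert = first.get(action.action_id)
    if alert is None:
        return None
    delay = alert.when - action.when
    return delay if timedelta(0) <= delay <= window else None


def score(actions, alerts, window=timedelta(hours=24)):
    """Per phase: actions performed, actions detected in time, detection rate and
    median time-to-detect in minutes (None where nothing in the phase was detected)."""
    first = first_alert_per_action(alerts)
    buckets = {p: {"actions": 0, "ttd": []} for p in PHASES}
    for act in actions:
        buckets[act.phase]["actions"] += 1
        delay = detection_delay(act, first, window)
        if delay is not None:
            buckets[act.phase]["ttd"].append(delay.total_seconds() / 60)
    return {
        phase: {
            "actions": b["actions"],
            "detected": len(b["ttd"]),
            "detection_rate": len(b["ttd"]) / b["actions"] if b["actions"] else None,
            "median_ttd_minutes": median(b["ttd"]) if b["ttd"] else None,
        }
        for phase, b in buckets.items()
    }


def undetected(actions, alerts, window=timedelta(hours=24)):
    """Action ids the blue team never detected in time: the gap list for the debrief."""
    first = first_alert_per_action(alerts)
    return [a.action_id for a in actions if detection_delay(a, first, window) is None]


# Constructed exercise records for one day; not from a real engagement.
T = datetime(2024, 3, 4)
RED_TIMELINE = [
    RedAction("R1", "reconnaissance", T.replace(hour=9), "staff names and roles gathered from public profiles"),
    RedAction("R2", "staging", T.replace(hour=10), "look-alike domain registered for the lure site"),
    RedAction("R3", "exploitation", T.replace(hour=11), "phishing email with linked 'brochure' delivered"),
    RedAction("R4", "exploitation", T.replace(hour=11, minute=5), "implant executed on a user workstation"),
    RedAction("R5", "control_and_movement", T.replace(hour=13), "network shares enumerated for credential files"),
    RedAction("R6", "control_and_movement", T.replace(hour=14), "credentials dumped on the workstation"),
    RedAction("R7", "actions_on_target", T.replace(hour=16), "HR database contents exported"),
    RedAction("R8", "persistence_and_egress", T.replace(hour=17), "data exfiltrated over outbound HTTPS"),
]
BLUE_ALERTS = [
    BlueAlert(T.replace(hour=11, minute=20), "R3", "user report"),
    BlueAlert(T.replace(hour=12, minute=5), "R4", "EDR"),
    BlueAlert(T.replace(hour=12, minute=30), "R4", "mail gateway"),      # later duplicate, ignored
    BlueAlert(T.replace(hour=14, minute=30), "R6", "EDR"),
    BlueAlert(T + timedelta(days=1, hours=20), "R8", "proxy log review"),  # 27 h later: too late
]

if __name__ == "__main__":
    for phase, r in score(RED_TIMELINE, BLUE_ALERTS).items():
        print(f"{phase:24} {r['detected']}/{r['actions']} detected, median TTD {r['median_ttd_minutes']}")
    print("undetected:", ", ".join(undetected(RED_TIMELINE, BLUE_ALERTS)))
```

Run the same scoring over each exercise and keep the per-phase rows; the trend across exercises (a phase whose detection rate stays at zero, or whose median time-to-detect does not fall) is the KPI the checklist asks for. Reconnaissance and staging will normally score zero because they happen off your network, so the phases worth tracking are exploitation onwards.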
07 RED TEAMING: CASE STUDY

Context broke into an organization’s network and gained access to its entire HR database — the process worked like this:

[Diagram: attacker → phishing emails → target users → target’s user environment → servers in the UK01 & UK02 domains → secret domain → jump box → UNIX servers. The diagram illustrates just one way a red team can attack a major company.]

01 The red team trawl social media and work community sites for company employees’ information, i.e. names, email addresses, job titles and locations.

02 This knowledge is used to develop a convincing cover story for a targeted phishing email. The email invites the individuals to speak at an alumni event relevant to their job role, details of which can be found in a brochure linked from the email. When accessed, the brochure installs a malicious ‘implant’ onto the user’s computer. This is controlled by Context’s servers, and communicates using requests and responses that mimic innocent Gmail traffic.

03 Obtain Administrator credentials from world-readable network shares. The red team are now inside the organization’s network and explore for files of interest. They find a custom server-monitoring app which they securely extract back to our offices for analysis (with approval). The red team also dump credentials on the target user’s computer gaining low privilege access to secret domain systems.

04 Use Administrator credentials to access servers in domains. Context analyze the underlying functionality of this software using ‘reverse engineering’ and uncover hardcoded usernames and passwords, giving the red team access to more servers. From this, they get their hands on top-level domain administrator credentials for the UK01 and UK02 domains.

05 Obtain Domain Administrator credentials to access servers in domains. Using their top level access to the UK01 and UK02 domains, the red team are able to retrieve administrator credentials for the previously discovered secret domain.

06 Obtain passwords for Unix accounts via configuration files on the Jump Box. Using the secret domain administrator account, the red team access a ‘jump box’ which is used to access the organization’s segregated UNIX environment.

07 Authenticate to Unix systems using the SSH tools available on the Jump Box. The red team gain access to the UNIX environment including an Oracle database which contains HR information. Using the credentials and a configuration flaw, the red team are able to dump the contents of this database and exfiltrate the data out of the network.
08 CONCLUSION

Make red teaming part of your organization’s security strategy by assembling an in-house team, or you can hire an outside company (like Context) to lead a red teaming exercise.

More advice on how to defend against a cyber-threat:
01 Deploy border controls such as URL reputation filtering / whitelisting with SSL MiTM, and email content filtering
02 Patch everything, especially workstation software
03 Improve user awareness, particularly around reporting suspicious emails
04 Develop capability to respond to alerts e.g. anti-virus or traffic monitoring
05 Restrict and minimize use of domain admin and privileged accounts
06 Audit password quality and lifetime, e.g. ensuring default passwords are not used
07 Segregate systems where possible
08 Restrict access to network shares, and monitor shares for sensitive information
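Points 06 and 08 above, and the case study's world-readable shares and jump-box configuration files, describe one gap from two sides: credentials left in files that anyone on the network can read. The following Python sweep is added here as an example; it is not from the whitepaper and not Context's own tooling. It walks a share or configuration tree mounted at a local path, flags files whose contents match credential indicators (private keys, connection strings, basic-auth URLs, password assignments) and records whether each file is world-readable, which is the "monitor shares for sensitive information" control in runnable form. The sample tree it builds and the patterns it uses are constructed for the example; the patterns need tuning for a real estate, and the placeholder secrets in the sample files are not real.

```python
"""Sweep a share or configuration tree for files that expose credentials and
report whether each one is world-readable.  Defender-side hygiene check with a
constructed sample tree; example code, not the whitepaper's own tooling."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Indicators of a credential left in a file.  Order matters: the first pattern
# that matches a line is reported, so the more specific ones come first.
# Constructed for this example; a real sweep would extend and tune them.
CREDENTIAL_PATTERNS = (
    ("private_key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
    ("connection_string", re.compile(r"(?i)(?:user id|uid|user)=[^;]+;\s*password=[^;]+")),
    ("basic_auth_url", re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
    ("password_assignment", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+")),
)
SKIP_SUFFIXES = {".exe", ".dll", ".zip", ".jpg", ".png", ".pdf"}  # binaries and media: skipped
MAX_BYTES = 2 * 1024 * 1024                                      # do not read huge files whole


@dataclass(frozen=True)
class Finding:
    path: str
    pattern: str
    line_no: int
    world_readable: bool   # POSIX 'others' read bit set: anyone with share access can read it


def is_world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_file(path):
    """Findings for one file, at most one per line."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(MAX_BYTES)
        readable = is_world_readable(path)
    except OSError:
        return []
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(path, name, line_no, readable))
                break
    return findings


def scan_tree(root):
    """Walk `root` (a mounted share or a jump box's config directory) and scan every text file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() in SKIP_SUFFIXES or not os.path.isfile(path):
                continue
            findings.extend(scan_file(path))
    return findings


def summarize(findings, root):
    """Sorted (relative path, pattern, world_readable) triples for a report."""
    return sorted((os.path.relpath(f.path, root).replace(os.sep, "/"), f.pattern, f.world_readable)
                  for f in findings)


# Constructed sample tree: relative path -> (content, POSIX mode).  The key material
# and passwords below are placeholders, not real secrets.
SAMPLE_FILES = {
    "monitor/monitor.conf": ("host=db01\nuser=svc_monitor\npassword=Summer2019!\n", 0o644),
    "jumpbox/.ssh/id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE-NOT-A-REAL-KEY\n"
                            "-----END OPENSSH PRIVATE KEY-----\n", 0o600),
    "apps/web.config": ('<connectionStrings>\n  <add connectionString="Server=db01;'
                        'User Id=hr_app;Password=hr_app;" />\n</connectionStrings>\n', 0o644),
    "scripts/deploy.sh": ("curl https://deploy:Tr0ub4dor@repo.example/artifact.tgz\n", 0o755),
    "docs/readme.txt": ("Change your password every 90 days.\n", 0o644),  # mentions, does not expose
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="share_sweep_")
    for rel, (content, mode) in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, pattern, world in summarize(scan_tree(sample_root), sample_root):
        print(f"{rel:28} {pattern:20} {'WORLD-READABLE' if world else 'restricted'}")
```

On the sample tree the sweep reports the monitoring app's config, the web.config connection string and the deploy script as world-readable credentials, the SSH key as restricted, and nothing for the readme, which only talks about passwords. Run against a real share (`scan_tree("/mnt/shares/ops")`, path assumed) the world-readable column is the prioritisation: those files are the ones the case study's step 03 found.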

“Red teaming is not a better planning process; it is a process that makes your plans better.”
B Hoffman

Talk to us now about our red teaming exercises and penetration testing.

[email protected]
www.contextis.com
