Red Team exercises can be thought of as extended penetration tests designed to thoroughly assess an organisation's security posture across multiple domains. Some security firms employ the term liberally, packaging up a conventional assessment, perhaps with a bit of social engineering thrown in, and calling it a Red Team. But 'old wine, new bottle' it is not. Red Team exercises, when conducted properly, are distinctive. The four main ways in which they deviate from other tests are the focus of this blog post.
There’s no I in Red Team
OK, let's start with this one: Red Teams are made up of multiple members, each with their own speciality and unique skill set. This is not to say pentesters ordinarily work in isolation, or that they don't specialise; far from it. But a Red Team engagement places a higher demand on diversity and teamwork, because the group will be competing against a wider and more varied set of security controls. This quickly brings me to my next point…
The Attack Surface
Conventional penetration tests are typically limited in scope. The sanctioned target[s] will be a web application or a network segment comprising several servers, databases and workstations. The methods by which they are tested, however, largely fall into the electronic domain. Do the exposed network services have the latest patches installed; are weak cipher suites supported; will carefully crafted user input force the backend database to serve up confidential information? All of these tests, and the many hundreds more that are performed during a routine penetration test, can greatly aid an organisation that is looking to improve its security.
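The last of those three checks, crafted input coaxing the database into returning data it shouldn't, is worth seeing concretely. The following is an added example, not code from the original post: a minimal SQL injection demonstration against an in-memory SQLite table populated with constructed sample rows. The table, column names and the `lookup_*` function names are assumptions made for the illustration; the injectable pattern (building the WHERE clause by string concatenation) and the fix (a bound parameter) are the general technique a pentester would be probing for.

```python
import sqlite3

# Constructed sample data standing in for a confidential backend table.
# Nothing here comes from the original post or from any real system.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "4242"),
    ("bob", "bob@example.com", "1881"),
    ("carol", "carol@example.com", "0005"),
]


def make_db():
    """Build an in-memory SQLite database populated with SAMPLE_CUSTOMERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email, card_last4) VALUES (?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the WHERE clause by string concatenation: the classic injectable query.

    Whatever the caller supplies is parsed as part of the SQL statement.
    """
    sql = (
        "SELECT username, email, card_last4 FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT username, email, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Tautology payload: closes the open string literal, then ORs in a condition
# that is always true, so the vulnerable query matches every row.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Return (rows for a normal lookup, rows dumped by the payload,
    rows the parameterised query returns for the same payload)."""
    conn = make_db()
    normal = lookup_vulnerable(conn, "alice")
    dumped = lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)
    blocked = lookup_safe(conn, TAUTOLOGY_PAYLOAD)
    return len(normal), len(dumped), len(blocked)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0)
```

The vulnerable lookup returns one row for a legitimate username and every row in the table for the payload, including the other customers' card digits; the parameterised version returns nothing for the payload because the single quote is bound as a literal character rather than terminating the string. A real engagement would go on from a tautology like this to UNION-based or blind extraction, but the root cause and the fix are the same.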
A solid electronic defence, however, does not always equate to great security. For example, could a staff member be convinced to divulge their password to a caller posing as an external auditor? Do workers hold the door open to restricted areas out of politeness when they see someone wearing what looks like an authentic ID badge? Are the complex passwords that your IT team enforces actually scattered around the office on post-it notes under employees' desks? Attacks which harness these weaknesses occur in other domains, namely the physical and the social. Red Team assessments incorporate these, attacking them with a wide range of tools, techniques and strategies.
So Red Team assessments span the electronic, social and physical domains, as well as all spaces in which they converge. This means that blended attacks are the norm in such exercises. Rather than being restricted to input validation attacks, password cracking or launching exploit code, the Red Teamer is free to phish, pick locks, scheme and manipulate in order to get the job done. Essentially, they are perfectly positioned to replicate what a highly capable and determined real-world attacker would do, but in a manner that is both controlled and sanctioned.
The final distinction that I’ll note here is the difference in what is being actively targeted. In a pentest, the target is very often linked to an end system or application. Red Team assaults focus more on assets. Can intellectual property be stolen; are customer contact lists, PII and payment details adequately secured; or can an air-gapped internal network hosting other sensitive content be breached? These are the types of objectives Red Teams are assigned. Indeed, it is these that are likely to generate headlines were they to be compromised in a real-world scenario, not the particular vulnerability itself.
Chances are that if you attend a security conference this year, you'll hear the term 'Red Teaming' crop up more than a few times. Sometimes it will be applied appropriately, other times it may not. What is fairly concrete, though, is that in order to avoid being the next entry in the well-publicised and ever-expanding list of companies that have fallen victim to sophisticated attackers, more organisations will seek the services of a true Red Team. Hopefully this post has provided some clarity on what that is and how it differs from other security assessments.