Get best of the week

5 Myths about Red Teaming



The term Red Teaming has been heard by everyone who is involved in information security directly or indirectly. But not everyone fully understands what it is: why do we need an assessment of the effectiveness of the incident response team? What is this form of training for the defender team? Often, Red Teaming is given out for comprehensive penetration testing: they provide classic, albeit advanced penetration testing at a price several times higher. Some large companies are looking for their own specialists in Red Teaming and, most likely, also do not fully understand what tasks they will solve with their help. What is Red Teaming as a service and what is not Red Teaming? About it below.

History reference


Like many other things in our daily lives (duct tape, microwave, canned goods, etc.), the term Red Teaming came from the military-industrial complex. During the Vietnam War, American military pilots practiced air combat skills and studied their own mistakes, thereby increasing their skill level without real loss of pilots and aircraft. But the name "red team", most likely, appeared during the confrontation with the Soviet Union. Historically, the "red" attack, and the "blue" defend.


The guards in Budapest also liked this term;)

What is Red Teaming?


Myth # 1. Red Teaming is a comprehensive penetration or audit test.


There are three main types of work to check the level of security of a company.

  1. (Vulnerability Assessment) – , . , . .
  2. (Penetrating Test) – ( ) -. . . , (, ) (, ).
  3. Red Teaming – , , . Red Teaming – . ( , ). IOC ( , , .), . , .

Red Teaming – , (TTP) , , .
Simulating the actions of attackers by a team of attackers trains the automatism of incident response and gives defenders situational awareness of the tools and tactics of attackers.

Red Teaming focuses on integrated security operations that include people, processes, and technologies. Red Teaming directly focuses on training the defensive team and assessing how the security service can counteract the real actions of the adversary. Technical flaws and vulnerabilities in this case are secondary - the key question is: how with their help the intruder can influence the activities of the organization.

At the heart of Red Teaming is the scenario of the enemy. Scenarios distinguish Red Teaming from penetration testing, and they also determine the progress of the project. Scenarios allow you to simulate the actions of a specific adversary (a specific APT group) or simulate the actions of a suspected attacker.

Red Teaming uses methods and techniques of offensive security, but by its nature it is part of defensive security and part of SOC, therefore it cannot exist without the Blue Team.

An attacking team is an independent group of professionals that looks at the security of an organization from the position of an adversary. The team finds alternative ways to achieve its goals and challenges the organization’s defenders to test their readiness for real threats. Independence helps attackers accurately and unbiasedly assess security levels while avoiding many biases.

Myth number 2. An organization may have its own internal Red Teaming


To maintain independence, the attacking team must be external. And the lack of any knowledge about the attacked system and its protection (except for the information that was obtained at an early stage of the project) will allow for better preparation and development of the correct project implementation strategy. Internal Red Teaming can only be in a limited form, and it is better to call it the term "Purple Teaming" (a mixture of red and blue colors) or Threat Hunt. This is a group of specialists within the company that can carry out various attacks on the infrastructure and at the same time set up controls to detect such attacks. But the external group should evaluate the effectiveness.

Goals


Like any activity, Red Teaming has a purpose. The objectives of the attackers can be different (the main thing is that they do not violate the law and trade secrets), for example:

  • ;
  • ;
  • ;
  • ;
  • (DLP);
  • ;
  • .

№ 3. Red Teaming – ,


There are no winners or losers at Red Teaming. Attackers do not have the goal of quietly and quietly capturing the server or network of the organization. At the initial stage, the attacking team will act silently, but as soon as it approaches the target “arm's length”, it will begin to “make noise” in order to attract the attention of the defenders. If they detect and block attackers at an early stage, they will not be able to find out how the enemy can proceed further. But if there are no winners and losers, how to determine success?

Success


The success of Red Teaming is not determined by how well the attacking team captures the network. The Red Teaming project is successful when the attacking team fulfills its goals and the defense team is able to learn and improve the organization’s security level.

Success can also be determined by answering the following questions:

  • How long does the defense team detect attackers?
  • Do the available tools detect attackers?
  • Does the defense team follow their TTP when the actions of the attacking team raise an alarm?
  • Can the defense team detect communication channels with the attacking command center (C2)?
  • Can defenders compile an attacker profile based on compromise indicators (IOCs) on the network and hosts?

Gotcha!


How to determine that the Red Teaming project is at the completion stage (and it's time to write a report)? This item is discussed and approved at the start. In general, there are several options:

  • . . , Red Teaming , , . , .
  • . «» , «», .
  • The defender team discovered the actions of the attacking team. There is a pitfall here. If the defender team at an early stage detected an attack, for example, a phishing attack or the installation of a communication channel with the command center (C2), and shouted “yeah, you got it!”, She reacted correctly - the goal was reached. In this case, it is worthwhile to discuss in advance the possibility for the defenders to observe the further actions of the attackers. Here you can already monitor up to a certain point and thereby check which security controls are triggered and which are not and require additional settings. Defenders at any time will be able to disconnect the communication channels and say “caught!”, But before that they will have time to get acquainted with new techniques.

Benefit


What are the key benefits of Red Teaming? The ability to change the viewing angle of information security in the company:

  • see the real state of security and weak points in it (before someone especially “gifted” does it from the outside);
  • identify gaps in processes, procedures and techniques (and eliminate, of course);
  • find out if the IS service is doing its job well, without the consequences of a real incident;
  • better understand the tactics, methods, procedures of the enemy and spend the budget on information security more efficiently;
  • raise awareness among IS personnel, managers and staff.

If the Red Teaming project does not improve the level of security, then there is no point in conducting it.

Myth # 4. Only mature security organizations may need Red Teaming.


Red Teaming can be used by organizations with any level of information security maturity. A prerequisite is a team of defenders and processes for responding to incidents and threats.

Red and Teaming will help organizations with entry-level and mid-maturity assess their ability to confront an experienced adversary: ​​understand which way to grow, which security controls to implement. And also develop automatism for the correct response to incidents.

For an organization with a mature level of security, this will be the training and development of their skills. But besides this, they will be able to see new techniques and tactics that they have not yet encountered.

Organizational structure


The following teams participate in the project:

  • Red Team (Red Team) - attacking. Specialists who simulate attacks on an organization.
  • (Blue Team) – . , .
  • (White Team) – . , CISO. , : , , . . , , ( ) (IOC), . , «» . , Red Team, , Blue Team. .

Often the White Team is confused with the Purple Team.

Myth number 5. The very high cost of the Red Teaming project


Perhaps the most important issue that interests any customer is the price. The sky-high cost of Red Teaming is a marketing ploy. An incomprehensible name, a new trend in the information security industry - all this often leads to unreasonable inflation of the price of a service.

The cost of Red Teaming is calculated based on the duration of the project, which in turn depends on the chosen scenario. The more complex the script, the more work on it.
The duration of the Red Teaming project is due to the fact that the attacking team is required to act covertly so as not to reveal itself ahead of time. The average project duration is about 12 weeks. For comparison: comprehensive penetration testing, including external perimeter, internal infrastructure, social engineering and analysis of wireless networks, lasts 7 weeks on average (it can be completed faster if the contractor conducts the stages in parallel).

Even before the start of the main part, the attacking team conducts passive reconnaissance and data collection, preparing the infrastructure and finalizing or developing their own tools in accordance with the information received. And at the end of the project, an additional consultation of the customer’s employees is organized. All these labor costs are taken into account in the total cost.

It follows quite logically that the price for Red Teaming will be higher than comprehensive penetration testing. But at the same time, of course, it will not exceed its cost tenfold.

Completion of work


The report is a form of proof of work. However, its main value is that it can (and should) be analyzed and used to improve security in the company. Therefore, its quality is extremely important.

The Red Teaming report can be quite different from the penetration testing and security analysis reports. Since the work is largely focused on the script, the report is based on a history of actions.

The report will contain the following information:

  • High-level conclusion on the state of security and the willingness of defenders to confront real threats
  • ,
  • . , (IOC)
  • ,
  • ,
  • .

At the end of the project, several meetings are possible with representatives of both sides. One is to guide the organization, with a focus on the overall picture of the project. The results of Red Teaming may affect the future work of the organization: require funding to eliminate the shortcomings found or to change the staffing table. If the results of Red Teaming will be used to improve the security of the organization (otherwise, such work does not make sense), then the awareness and interest of the management is very important.

Another meeting is a technical one. This is a two-way exchange of information between attackers, defenders and the project coordinator on the customer side. Includes a detailed high-tech review of the actions of the attacking and defensive team taken during the project. Allows both parties to ask questions in the context of implemented attacks and respond to them, receive recommendations for improvement and ideas for new methodologies. This makes it possible to improve the ability of both defenders and attacking teams. Such meetings are part of the project, and their benefits can be invaluable.

Conclusion


The topic of Red Teaming is very extensive and cannot be fully considered in one article. Nevertheless, from the above, we can draw some basic short conclusions:

  • The main benefits of Red Teaming are training and knowledge sharing.
  • Red Teaming
  • Red Teaming – ( )
  • Red Teaming – , , , .

: , , «-»

More articles:


All Articles