Over the past 30 years, Red Teaming has gone from being an esoteric military practice to a mainstream commercial service. Today, nearly every security company offers some form of Red Team practice, and organizations are continuously asking for more Red Team engagements.
We believe Red Teams can deliver even more value to customers by integrating not just Red Teaming services, but also risk analysis and threat modeling into a coherent program. The three are natural complements, and bringing them together can help organizations more clearly understand and manage their operational security risks across the extended enterprise.
Red Team practices should continue to evolve in order to keep up with the ever-changing modern environments within organizations and the sophisticated attempts being utilized by attackers across the globe.
While various types of Red Team services exist, security professionals have generally settled on a form that involves applying adversary tactics, techniques, and procedures (TTPs) to simulate attacks on deployed systems. Phrases commonly associated with this form of service include “adversary simulation,” “live fire,” and “full scope.”
In general, this type of program translates into an experienced offensive security team going up against an unsuspecting target to discover and exploit consequential vulnerabilities. However, one could argue that this type of Red Team has reached its natural end-state, and all that remains is to update tools and TTPs as systems and attackers evolve. This begs the question, what could Red Teams be missing if they focus simply on TTPs?
Most job descriptions for Red Team positions focus solely on the skills needed to break into a client environment. Typically, they require penetration testing experience, relevant tool and TTP knowledge, experience with security frameworks, and—of course—offensive security certifications. You may see requirements for open-source intelligence (OSINT) gathering techniques, threat analysis, and social engineering skills. While these are relevant skills for operations on a Red Team, it suggests that organizations are only up against a technology problem.
If this were the case, penetration tests and other offensive security services would be enough to protect an organization. You would never need a Red Team. Therefore, modern Red Teams must focus not only on technology, but the human attackers, their methods, and their preferences.
Real-world attackers have become more sophisticated. Red Team personnel need to have experience across a variety of components: risk assessment, systems analysis, intelligence analysis, and threat modeling. Risk is not just about the technology. If the focus is exclusively on technology, Red Teams will miss alternative conditions of threat against your organization. You need to consider the complexity of daily operations and risks to the extended enterprise.
To keep up with agile attack surfaces, sophisticated attackers, and emerging threats, you need a tailored Red Team engagement to meet these primary goals:
Adversary Simulations focus on finding the most stealthy, efficient path(s) to a simulated attacker’s goal(s). This can help you identify holes in your defenses as well as help you test your detection and response capabilities. An adversary simulation can involve full, partial, or zero knowledge on the part of the red team and can start from a position of external breach or assumed breach. A Bishop Fox Red Team precedes adversary simulation fieldwork by fully researching the target system, modeling the threat landscape, and developing a comprehensive attack plan.
Purple Teams are designed to collaboratively test and improve your defenses and security controls. Organizations that are in the process of implementing, increasing, or evaluating their security controls around detection should consider this approach. This engagement is a great opportunity to learn from the Bishop Fox team as they are performing the adversarial review of your defensive controls.
Tabletops are designed to help you anticipate, assess, and respond to operational and strategic security risks in a facilitated group setting. During a tabletop event, our team engages with your staff to explore a tailored set of scenarios and questions. These can be conducted as a standalone assessment without tactical interaction; they can also be utilized as a way to review attack paths you are concerned about, but don’t want to operationalize; and they can be used as part of a review based on knowledge you have from an assessment. This is a very versatile approach to conducting Red Team exercises.
Ultimately, you will want to engage a professional, experienced Red Team that realistically emulates advanced, goal-driven attackers to plan and execute selected attacks against your systems, from initial compromise to post-exploitation and lateral movement. Half the battle is knowing when the timing is best to initiate a Red Team engagement. Read our guidance on that here.
While the name Red Team is often overused or misused, the goal of a Red Team engagement should be to help you understand how specific attackers are most likely to target your organization and everything within it. A narrow, standard scope, focused simply on TTPs and penetration testing, does not provide you with the full insight and business context you need to guard your business against attacks. With a broader scope, focused on understanding your adversaries’ preferences and demonstrating potential attack scenarios, you can be better prepared to play a strong offense.