The evolution of security within the corporate environment has included investment in firewalls, intrusion detection systems, data leak protection, security control audits, and web and network penetration testing. Yet, ransomware and breaches still have major impact on many industries. This has led to a high demand for Red Team services to get a better understanding of corporations’ strengths, weaknesses, opportunities, and threats.
You may turn to Red Team services for several reasons:
To understand the impact a security breach could have on your business,
To test your incident response capabilities and confirm you can react appropriately to an attack,
And/or to understand why adversaries may want to attack your organization, e.g., nation-state interest, access to money, competitive business intelligence, or simply the desire to cause disruption.
The purpose of these exercises is to challenge current assumptions, propose new or alternative strategies to protect the environment both externally and internally, and consider adversaries not previously discussed that could affect not only the organization, but its employees as well. Engaging with a Red Team should lead to better-informed decisions and more effective security outcomes.
From the scenarios above, you may have an idea of what a Red Team does, but how and where do you focus your attention? You may not immediately need a Red Team to assess your entire environment, and in fact that may not be the best path forward, given the high cost and time required for a full engagement. Before bringing in a Red Team, make sure you are already performing basic security practices: having security controls in place, running vulnerability scans against your own systems, and remediating the findings from regular penetration tests. Once that groundwork is done, define your goals for the Red Team so that their activities and strategy align with your objectives. Here are a few approaches that may help define those goals.
You may want to begin with an assumed-breach exercise, where the assessment team starts with a foothold and simulates scenarios in which an attacker has already compromised a target system. This typically focuses on your current defensive capabilities: how far an attacker can pivot within the organization, and whether they can locate or exfiltrate sensitive data. Reviewing this simulated breach can help you shore up your practices and processes. This testing takes more time than a standard penetration test and will likely cost more, but it provides far greater depth.
If you want to test your Incident Response capabilities, you have a couple of options to consider. If you have security controls in place, do they need to be validated? In a Purple Team exercise, the Red Team works cooperatively with your Blue Team to test and improve your defensive systems, capabilities, and controls. The goal is to evaluate the Blue Team's ability to detect and respond to (simulated) attacks. During the exercise, the Red and Blue Teams can communicate and collaborate in real time to improve detection, or the Red Team can operate with stealth and deliver a report to the Blue Team after the fact.
The second option is a Tabletop exercise. A Tabletop is a facilitated event designed to help you explore and anticipate issues, challenges, and responses. During the exercise, the assessment team presents participants with scenarios, and you determine how the different teams in your organization should respond; this may or may not be done in coordination with the organization's management. Throughout the exercise, the assessment team reviews and assesses communication, documented processes, and secondary support together with the organization. Depending on the engagement, a Tabletop can be limited in time, or it can be extended to cover multiple scenarios and events introduced by the assessment team.
The duration of a Tabletop depends on the scope of the engagement: how many scenarios you will review, how many events could be considered, and whether the organization approaches it at a tactical level, including only IT staff, or at a strategic level, where management is included in the review. A basic Tabletop is limited primarily to technical staff and addresses two to three simple scenarios the client has identified as especially concerning. A more advanced Tabletop would cover a single scenario with 10–12 injects and a scenario planning framework to explore during the event. Such an event could last a full day, with the morning devoted to the scenario and its after-action review and the afternoon to the scenario planning exercise. The report completed at the end of the event would build on the style of report delivered for the basic Tabletop and add a scenario analysis based on the afternoon session.
By profiling an attacker's operational preferences and behaviors in addition to their technical capabilities, a Red Team can show you what an adversary would prefer to do in each scenario, not just what an attacker could do. Again, you may not need a live attack to review this information. Discussion between the organization and the assessment team can provide insight into potential scenarios as they explore known adversary capabilities and past targets as part of an adversary simulation.
There is a common misconception that a Red Team always acts as a single, specific adversary. The reality is that we do not always know where your attackers will be coming from, and unless you look at the broader picture, you may miss some key areas of risk. Nation-state actors may target small and medium-sized businesses (SMBs) for the information they hold, for access to their supply chains, for use in botnet activity, and so on; they have the money, time, and expertise to spend. Other attackers and groups are interested only in money, but from different perspectives: an individual attacker may simply want to steal funds and damage an organization's reputation, while organized crime gangs may be attempting to steal cryptocurrency or carry out ransomware attacks. In addition, there are always cases where the disclosure of sensitive information alone could disrupt the business.
You can run separate Red Team engagements for specific use cases, or combine these different paths in phases based on your maturity, budget, goals, and risk profile. At the end of the day, a Red Team engagement should not just identify active vulnerabilities, but also:
Uncover potential business risks based on real-world adversary capabilities,
Help you test and improve your defenses and security controls, and
Help you identify new or alternative strategies to protect the environment.
When you engage a Red Team is up to your organization, but remember that a Red Team engagement can be a proactive activity and should not only be considered as a reaction to a breach.
Evaluating firms for your next engagement? Learn about Bishop Fox's Red Team services.