Business and security leaders nowadays have a lot of questions about red teaming: what it is, how it contributes to a well-developed security program, and how they can make the most of it in their enterprise. Incorporating red teaming into your security program is a critical element of preparing to face the evolving threat landscape. Now is the right time to demystify it, and start making plans for how to incorporate holistic adversarial simulation into your security plan.
What Is Red Teaming?
Red teaming is the process of simulating a real-world adversary in order to test your defenses against a realistic attack under controlled conditions. This can include attacks at all levels of the kill chain and a full range of TTPs, including both technical exploits as well as human weaknesses.
A red teaming engagement is useful for several reasons. It helps your business determine its risk, by simulating both insider and outsider threats and showing how prepared your business is to detect and respond. Red teaming helps you assess processes, technical controls, and employee training against threats to both people and technology. Red teaming also helps your business measure the effectiveness of detection and response, in order to inform strategic decision making.
Why Is Enterprise Red Teaming Important?
Often an organization will spend a large amount of time, effort, and money on security controls, assuming that the controls are working and protecting the business as intended. Only after a breach does it discover that the controls were not as effective as assumed, by which point it is too late to avoid the financial and reputational consequences of responding to and recovering from that attack.
Red teaming is a critical part of any effective security program because it validates the effectiveness of controls. An engagement provides validation that all of your defenses — including people, processes, and technical controls — are effective against realistic threats. It gives you the ability to identify and fix any controls that do not work as well as expected before an actual attack.
What is the difference between penetration testing versus red teaming?
Even if your business is doing penetration testing already, red teaming fills a different critical need.
Penetration testing looks at specific systems in order to discover all of the exploitable vulnerabilities and misconfigurations associated with that particular system. Securing individual systems is an important first step toward resisting attack. However, penetration testing does not test people, processes, and technology in a holistic way. Attackers do: when they have a goal, they are not going to restrict themselves to individual technical pieces in order to achieve that goal. Attackers will take a broader view in order to find their way in.
Red teaming, like a real attacker, takes a more objective-focused approach. A red team assessment evaluates the defenses as a whole. It uses methods including social engineering attacks, evasion of detection and prevention controls, and even testing incident response processes. Many of these tactics would be out of scope for a typical penetration test, but are integral to red teaming.
In short, penetration testing and red teaming are complementary, and both are necessary for security in the long run. Penetration testing gives you the building blocks for security of individual systems, or small groups of systems. Red teaming shows how different weaknesses, both technical and non-technical, combine to make your business vulnerable.
When Should You Engage a Red Team?
Red teaming is critical when your business has built a baseline of security maturity, but it is usually not the first building block of a security program starting from scratch. Penetration testing, basic security controls for attack prevention and detection, and basic incident response processes should come first. After all, if your security program is starting from scratch and has a large number of critical vulnerabilities or deficiencies, all a red teaming engagement will practically accomplish is pointing out the lack of maturity that you already know you have.
However, once the basics are in place and you have reached a moderate level of security program maturity, it is the right time to add red teaming to the security program. At this level of maturity, red teaming can make a strong impact, evaluating the effectiveness of the security program as a whole, identifying the highest impact improvements, and helping guide further security initiatives.
How often should you engage a red team?
Since a red team’s purpose is to emulate real-world attackers, the frequency of red teaming varies with the sophistication and types of threats a business faces. How often your business will need red teaming depends on many factors. These include size, industry, the value of intellectual property you create and possess, whether your business is involved in critical infrastructure, and whether your line of business has national security implications.
If your business’s primary threats are generic cybercriminals such as general-purpose ransomware, your threat landscape is likely to evolve more slowly. In that case, an annual assessment designed to emulate the tactics of common ransomware and malware gangs may be enough. This is often the case for smaller businesses that do not have specific intellectual property that interests attackers, or that do not have critical infrastructure or national security roles.
Larger businesses, or businesses that do have intellectual property, critical infrastructure, or national security connections, will likely face more adaptive threats. For businesses likely to be targeted by advanced persistent threats (APTs), nation-states, or state-sponsored attackers, more extensive red teaming is recommended. In fact, a continuous approach may be necessary to fully emulate the kinds of attacks that these sophisticated threats are likely to execute.
What to Expect During a Red Team Engagement
If your business has not conducted a red team exercise before, some people within both the security team and the business at large may be hesitant to simulate an attack on the business. Some apprehension is natural, since a red team attack really does feel like you are giving someone else free rein to attack your environment. And, during the engagement, it can lead to some fear because, to the blue team, it does look like a real attack against your company.
Clear communication with your red teaming provider can help address these concerns. Before performing an engagement, you will have the chance to discuss terms in detail with the team who will be performing the attack simulation. You will be able to discuss your security concerns, and what your threat landscape looks like. And, with the attack simulation planned, you will be able to inform certain executives or leaders who are not involved in active defense that this red team engagement is happening, in order to minimize the chance that their fear will lead to actual business anxiety or consequences.
After the attack is over, it is a red team’s job to leave the environment as they found it. In other words, a red team does not leave tools, configuration changes, or new vulnerabilities behind. The report after the red team engagement will provide recommendations for how to improve the environment, but as a result of the red team engagement itself, the team makes no lasting changes to the network.
Choosing a Red Team Provider: Why Security Compass Advisory?
Security Compass Advisory has over fifteen years of experience in information security, and we have built a proven methodology for red team success. Our red teaming consultants have experience red teaming in many industries including healthcare, financial services, energy & utilities, retail and hospitality, and tech. Each of these industries has a different set of threats, and needs a different set of red team strategies to maximize the relevance of the simulation. This on-staff experience means that no matter what industry you are in, we can design the right plan of attack.
Unparalleled research and data
One great thing about our team is that we have constant real-time exposure to the threat landscape, so our red teaming attacks can be as informative and realistic as possible. Our research team stays in step with the latest tactics, techniques, and procedures that real attackers use. As a Kroll business, we have direct access to their cyber intelligence and incident response data — meaning a clear view of attacks happening in the wild. With all of this at our fingertips, our red teams can ensure that we are emulating what real attackers are doing today, instead of solely rehashing older methods that lose relevance by the time they become widespread public knowledge.
We believe setting proper expectations is key when planning a red teaming engagement with a client. Before beginning, we have conversations with our clients’ stakeholders to discuss the threats that are likely to target their industry. That allows us and our clients to make sure we are on the same page about what kinds of attackers our consultants will be emulating: for example, whether it will be an “assume breach” situation (as in, the attacker already has some limited access), a complete perimeter breach, or a more specialized attack scenario. This planning puts our team on a trusted footing with clients, and also makes sure the engagement itself is as relevant as possible.
Our red team is composed of some of our most experienced consultants. Before joining the red team, they are required to have an extensive penetration testing background, giving them years of hands-on experience exploiting web application, network, and cloud deployment vulnerabilities. Many of the consultants coming from the penetration testing side have industry certifications like the OSCP. Some members of our red team also have extensive experience in security operations and incident response. This helps them refine our red teaming tactics further by targeting common shortcomings in security processes, and providing clearer perspective for how to improve your defenses after the engagement ends.
No matter their previous background, our red team continues to train. Our red team actively studies topics such as open-source intelligence, malware engineering, anti-virus evasion, Active Directory attacks, social engineering, and other real-world tactics, techniques, and procedures. The team is always ready to emulate real attackers during engagements, and give you practical advice for how to improve your security posture after it.
Our consultants have also published several resources about red teaming, in both technical and non-technical contexts. Senior Security Consultant Steven Patterson wrote an eBook about building custom red teaming tools in C++, a useful resource for anyone involved on the technical side. We also recently published an article that goes in depth into the business reasons to establish a red teaming program. Our complete set of resources is published on the Security Compass Advisory blog.
Our clear and actionable reporting also sets our red team engagements apart. After a red teaming engagement, we give our clients a complete rundown of all of the attacks that were performed, and the tactics used at each level of the cyber kill chain. This includes information about the success of each one, and what we learned about their ability to detect or stop those techniques. We then map the findings to the industry standard MITRE ATT&CK framework, to help clients understand and improve.
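As an added illustration of what an ATT&CK-mapped summary can look like in practice (example code written for this article, not Security Compass Advisory's own reporting tooling), the script below takes a constructed list of engagement findings, each tagged with the ATT&CK tactic and technique it exercised and whether the defenders prevented or detected it, and produces a per-tactic coverage table, the overall detection rate, and the list of techniques that went completely unnoticed. The technique IDs are real MITRE ATT&CK Enterprise IDs; the findings and outcomes are invented sample data.

```python
# Constructed sample findings for a hypothetical engagement; not real client data.
# Technique IDs are real MITRE ATT&CK Enterprise IDs; the outcomes are invented.
SAMPLE_FINDINGS = [
    {"tactic": "Initial Access", "technique": "T1566", "name": "Phishing",
     "prevented": False, "detected": False},
    {"tactic": "Execution", "technique": "T1059", "name": "Command and Scripting Interpreter",
     "prevented": False, "detected": True},
    {"tactic": "Persistence", "technique": "T1078", "name": "Valid Accounts",
     "prevented": False, "detected": False},
    {"tactic": "Credential Access", "technique": "T1003", "name": "OS Credential Dumping",
     "prevented": True, "detected": True},
    {"tactic": "Lateral Movement", "technique": "T1021", "name": "Remote Services",
     "prevented": False, "detected": False},
]

# Kill-chain order used to sort the report; tactics absent from the findings are skipped.
TACTIC_ORDER = ["Reconnaissance", "Initial Access", "Execution", "Persistence",
                "Privilege Escalation", "Defense Evasion", "Credential Access",
                "Discovery", "Lateral Movement", "Collection", "Exfiltration", "Impact"]


def coverage_by_tactic(findings):
    """Count attempted / prevented / detected techniques per ATT&CK tactic."""
    cov = {}
    for f in findings:
        row = cov.setdefault(f["tactic"], {"attempted": 0, "prevented": 0, "detected": 0})
        row["attempted"] += 1
        row["prevented"] += int(f["prevented"])
        row["detected"] += int(f["detected"])
    return cov


def undetected_techniques(findings):
    """Technique IDs that were neither prevented nor detected: the blind spots
    to prioritise for detection engineering after the engagement."""
    return sorted(f["technique"] for f in findings
                  if not f["prevented"] and not f["detected"])


def detection_rate(findings):
    """Fraction of attempted techniques the blue team detected (0.0 if nothing attempted)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["detected"]) / len(findings)


def render_report(findings):
    """Plain-text coverage table in kill-chain order, suitable for an executive summary."""
    cov = coverage_by_tactic(findings)
    ordered = [t for t in TACTIC_ORDER if t in cov]
    ordered += sorted(t for t in cov if t not in TACTIC_ORDER)  # unknown tactics go last
    lines = [f"{'Tactic':<22}{'Tried':>6}{'Prevented':>11}{'Detected':>10}"]
    for tactic in ordered:
        row = cov[tactic]
        lines.append(f"{tactic:<22}{row['attempted']:>6}{row['prevented']:>11}{row['detected']:>10}")
    lines.append(f"Overall detection rate: {detection_rate(findings):.0%}")
    lines.append("Undetected techniques: " + (", ".join(undetected_techniques(findings)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

The undetected list is the part a security manager acts on first: a technique that was neither blocked nor seen is a gap in both prevention and detection, whereas a technique that was detected but not prevented is a candidate for tuning response time rather than adding new telemetry.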
We work with our clients to build custom deliverables with specific audiences in mind, including technical and executive readers. After all, a security manager will ask different questions than a CFO. Custom reports ensure that these findings are in proper context for anyone who needs to read them.
Security Compass Advisory’s collaborative approach is the backbone of all of our work, including our red teaming engagements. In addition to our adversarial simulation experience, we have years of experience working as an extension of our clients’ security teams. During red teaming engagements, that means we excel at communication. We set expectations clearly, and help you make sure that everyone who needs to know about the attack simulation does.
We can also work with you to design and perform purple team engagements, where a red team exercise is paired with real-time visibility. Though this is not as adversarial as a pure red team engagement, since defenders are aware that it is a test, it still serves an important purpose. In a purple team engagement, we work directly with your blue team throughout the attack in order to improve detection and response capabilities.
Moving Forward with Red Teaming
In short, red teaming allows you to see your business’s security posture from the perspective of the attackers who are most likely to be targeting it. It allows you to see how likely you are to detect an attack, know how quickly you would be able to respond to an attack, and make strategic decisions about how to strengthen your defenses. Once you have your security basics in place, red teaming is a necessary step toward deepening security maturity and protecting your most sensitive assets.
Learn more about Security Compass Advisory’s red teaming services, or send us a message if you’re ready to talk more about improving your security posture.