Red Team exercises can be used to hone detective and protective controls as well as a security staff’s response skills. The recently published “Cost of a Data Breach Report 2020” from IBM provides quantitative data showing that businesses that conduct Red Team exercises incur lower costs when a data breach occurs. The report also lays out the most common root causes of data breaches—all of which can be tested for and improved as part of a Red Team engagement—and identifies core test cases covered in a Red Team assessment.
Focusing on maturing your prevention, detection, and response controls to protect against the most prevalent attack vectors is an obviously wise decision.
What is a Red Team?
Over the last few years, the term “Red Team” has become a buzzword in the information security community. The varied uses of the term within the industry can be confusing. Some organizations call their internal offensive security teams “Red Teams”, with responsibilities ranging from web application penetration testing to full-blown red-team operations. For the sake of this discussion, we will define a Red Team engagement using a common definition that appears outside of military contexts:
Red Teaming is a full-scope, goals-based adversarial simulation exercise that covers physical, electronic, and social attacks. This type of testing should not only test electronic attacks by targeting web applications and network infrastructure but should include social and physical attacks that test staff, their adherence to policies, and building security measures in place.
What should a Red Team provide?
A well-executed Red Team engagement should provide data and metrics that are designed to inform executive decision making about future security spend. Along with a complete list of findings and remediation advice, a Red Team report should contain the following metrics:
A “heat map” of your organization’s detection and protection maturity, mapped to individual attacker tactics, techniques, and procedures (TTPs)
An analysis of which tools your organization uses, which TTPs each tool should catch, and any identified execution or coverage gaps
Mean Time to Detection
Mean Time to Remediation
The eradication success rate
These metrics can help you decide whether it’s best to buy new products, invest in fine-tuning the products that you already have to improve their performance, or invest in hiring or training for your team. Modeling Red Team exercises after real-life threat actors can provide tangible data for speaking to executives about your ability to detect and eradicate a particular threat actor that is of concern to your industry. You should know at which points in the attack chain your detective and preventive controls enable you to identify the threat, how long your team takes to eradicate the threat, and what blind spots need to be addressed going forward.
Am I ready for Red Team exercises?
In order to get the most value out of a Red Team exercise, your organization should meet a certain minimum level of maturity. You should have alerting, logging, and monitoring in place—whether they are done in-house or through an MSSP. You should have some idea of the TTPs that you should be able to detect in your environment. Vulnerability management and patching programs should also be in place. Full-scope Red Team engagements tend to be longer than traditional penetration testing engagements because of the different domains that are targeted, so budget may also be an important factor.
Let’s expand on this topic by using a boxing analogy. A Red Team exercise is intended to be a sort of sparring exercise between the Blue Team and the Red Team, whereas a live incident would be more like an actual fight. The purpose of sparring (Red Team exercises) is to practice and drill for the real event, to do so repeatedly, and to develop “muscle memory” so that dealing with a real threat becomes second nature. That said, when a novice walks into a gym and says they’d like to learn how to box, they don’t get thrown in the ring to spar with a champ on the first day. It’s important that they learn the basics first: conditioning and knowing how to punch, block, and move. A mastery of the basics is required to be successful in the ring, and Red Teaming is no different.
What can I do if I don’t think I’m ready yet, or if I don’t have the budget for a full-scope Red Team?
A Red Team exercise is simply one type of adversarial simulation exercise, and it certainly isn’t the only thing you can do to improve your organization’s security posture. Any phase of a Red Team exercise can be broken out and conducted on its own.
Collaborative adversarial simulation exercises (sometimes referred to as Purple Team exercises) can fill many of these gaps. These exercises can be as simple as agreeing on a set of TTPs to be tested and having a team execute an attack scenario for each TTP as a unit test. In these instances, Red Teams often work alongside Blue Teams and explain each attack, how it works, and what the implications are before execution. Notes about whether the Blue Team detected or prevented each scenario can be turned into a heat map that outlines the organization’s detection and protection maturity, mapped to a standard framework such as MITRE ATT&CK, to give a quick visual representation of the current state of the program.
These tests are highly repeatable, can be executed quickly, and can provide immediate feedback to improve an organization’s detection and protection posture.
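The following is an added example, not code from the original article or from Security Compass, showing how the per-TTP notes from a Purple Team exercise become the report metrics listed earlier (a per-tactic heat map, an execution-gap versus coverage-gap split per tool, Mean Time to Detection, Mean Time to Remediation, and the eradication success rate). The scenario results, timestamps and tool names are constructed for illustration; the technique ids are MITRE ATT&CK ids used only as labels. The metric definitions (response metrics computed only over scenarios that were not prevented outright, eradication rate over detected scenarios) are this example's assumptions, not a standard the article prescribes.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScenarioResult:
    """Outcome of one attack scenario run as a Purple Team 'unit test'."""
    technique: str                      # MITRE ATT&CK technique id (label only)
    tactic: str                         # MITRE ATT&CK tactic name
    executed_at: datetime               # when the scenario was executed
    prevented: bool                     # a protective control blocked it outright
    detected_at: Optional[datetime]     # first Blue Team detection, None if never seen
    remediated_at: Optional[datetime]   # when the foothold was removed, None if it was not
    eradicated: bool                    # artifact fully removed by the end of the exercise
    expected_tool: Optional[str]        # tool that should catch this TTP, None if no coverage


def status(r: ScenarioResult) -> str:
    """Collapse an outcome into the three heat-map states."""
    if r.prevented:
        return "prevented"
    if r.detected_at is not None:
        return "detected"
    return "missed"


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60.0


def mean_time_to_detect(results: List[ScenarioResult]) -> Optional[float]:
    """Mean minutes from execution to detection, over scenarios the Blue Team actually
    had to detect (prevented scenarios never reached them). None if nothing was detected."""
    times = [_minutes(r.detected_at - r.executed_at) for r in results if status(r) == "detected"]
    return sum(times) / len(times) if times else None


def mean_time_to_remediate(results: List[ScenarioResult]) -> Optional[float]:
    """Mean minutes from detection to remediation; scenarios never remediated are left out
    of the mean (they show up in the eradication rate instead)."""
    times = [_minutes(r.remediated_at - r.detected_at) for r in results
             if status(r) == "detected" and r.remediated_at is not None]
    return sum(times) / len(times) if times else None


def eradication_success_rate(results: List[ScenarioResult]) -> float:
    """Fraction of detected (responded-to) scenarios whose artifacts were fully removed."""
    responded = [r for r in results if status(r) == "detected"]
    if not responded:
        return 0.0
    return sum(1 for r in responded if r.eradicated) / len(responded)


def heat_map(results: List[ScenarioResult]) -> Dict[str, Dict[str, float]]:
    """Per-tactic counts of prevented/detected/missed plus a coverage ratio."""
    grid: Dict[str, Dict[str, float]] = defaultdict(lambda: {"prevented": 0, "detected": 0, "missed": 0})
    for r in results:
        grid[r.tactic][status(r)] += 1
    for cell in grid.values():
        total = cell["prevented"] + cell["detected"] + cell["missed"]
        cell["coverage"] = (cell["prevented"] + cell["detected"]) / total
    return dict(grid)


def coverage_gaps(results: List[ScenarioResult]) -> Dict[str, list]:
    """Split misses into execution gaps (a deployed tool should have caught the TTP and
    did not) and coverage gaps (no tool was expected to catch the TTP at all)."""
    gaps: Dict[str, list] = {"execution": [], "coverage": []}
    for r in results:
        if status(r) != "missed":
            continue
        if r.expected_tool:
            gaps["execution"].append((r.technique, r.expected_tool))
        else:
            gaps["coverage"].append(r.technique)
    return gaps


def render_heat_map(grid: Dict[str, Dict[str, float]]) -> str:
    lines = [f"{'Tactic':<18} {'prev':>4} {'det':>4} {'miss':>4}  coverage"]
    for tactic, cell in sorted(grid.items()):
        lines.append(f"{tactic:<18} {cell['prevented']:>4} {cell['detected']:>4} "
                     f"{cell['missed']:>4}  {cell['coverage']:.0%}")
    return "\n".join(lines)


# Constructed sample results for a one-day exercise (not real engagement data).
T0 = datetime(2020, 9, 1, 9, 0)
H, M = (lambda h: timedelta(hours=h)), (lambda m: timedelta(minutes=m))
SAMPLE_RESULTS = [
    ScenarioResult("T1566.001", "Initial Access", T0, True, None, None, True, "Mail gateway"),
    ScenarioResult("T1059.001", "Execution", T0 + H(1), False, T0 + H(1) + M(15), T0 + H(2), True, "EDR"),
    ScenarioResult("T1003.001", "Credential Access", T0 + H(2), False, T0 + H(2) + M(5), T0 + H(3) + M(20), True, "EDR"),
    ScenarioResult("T1021.001", "Lateral Movement", T0 + H(3), False, None, None, False, "SIEM"),
    ScenarioResult("T1053.005", "Persistence", T0 + H(4), False, T0 + H(4) + M(40), None, False, "EDR"),
    ScenarioResult("T1048", "Exfiltration", T0 + H(5), True, None, None, True, "DLP proxy"),
    ScenarioResult("T1204.002", "Execution", T0 + H(6), False, None, None, False, None),
]

if __name__ == "__main__":
    print(render_heat_map(heat_map(SAMPLE_RESULTS)))
    print("MTTD (min):", mean_time_to_detect(SAMPLE_RESULTS))
    print("MTTR (min):", mean_time_to_remediate(SAMPLE_RESULTS))
    print("Eradication rate:", f"{eradication_success_rate(SAMPLE_RESULTS):.0%}")
    print("Gaps:", coverage_gaps(SAMPLE_RESULTS))
```

Two design choices matter for the conversation with executives that the article describes. Prevented scenarios are excluded from MTTD and MTTR so that a strong mail gateway does not mask a slow SOC, and misses are split by whether a tool was supposed to catch them: an execution gap points at tuning the product you already own, while a coverage gap points at a purchase or a new detection.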
Similarly, if you have concerns about having a team attempt to break into your facilities, you can scope a physical assessment that instead consists of a walk-through and evaluation of the physical security controls and policies that are in place.
If your intention is to baseline your exposure to help focus future efforts, an external and/or internal network penetration test will give you an asset inventory and actionable steps that will immediately decrease your areas of highest risk.
The key is that you should never feel forced to choose a full-scope Red Team engagement just because it maps neatly to a specific offering from your vendor. Your vendors should always be able to adapt and work with you to provide value to your organization that fits with both your current security program’s maturity and your budget.
Contact us today to learn how our Red Team Services can help you improve your ability to defend against, and respond to, attacks that put your operations, data, and reputation at risk.
About the Author
Paul is a Technical Director at Security Compass who has a strong background in embedded development and security assessments. As a security consultant, Paul has conducted network penetration tests, application security assessments, embedded device security assessments, and physical security assessments. He also participates in adversarial simulation engagements and conducts training sessions for internal teams.