Publish date August 10, 2018
Red Team exercises take a comprehensive approach to the full spectrum of organization policies, processes, and defenses to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.
It’s a cybersecurity assurance test. It builds on Penetration Testing by having a much wider scope and remit, both in the attack surfaces examined and in the kinds of controls that are tested.
As noted earlier, a Red Team Assessment focuses on the vulnerabilities that stand between the team and its objectives, rather than on cataloguing every weakness. It requires a mature security program at the organizational level, which is normally built up by performing regular penetration tests and remediating the vulnerabilities they uncover.
Red teams are typically independent parties brought in to test the effectiveness of a security program. They emulate the behaviors and techniques of the attackers the organization is most likely to face, to make the exercise as realistic as possible.
Penetration testing starts with the identification and assessment of vulnerabilities in the enterprise. Next, tests are designed and executed to demonstrate precisely how an adversary can either subvert the organization’s security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., the establishment of a covert Command and Control infrastructure). The results provide deeper insight, through demonstration, into the business risks of various vulnerabilities.
External Penetration Testing attacks a system or network from an external or public vantage point, mimicking the tools and techniques of an outside attacker in order to identify what such an attacker can actually reach and target. Because almost all current systems are connected to the Internet, the controls that protect Internet-facing corporate IT assets must be tested. However, care must be taken during external testing not to disrupt mission-critical corporate IT and operational systems.
Internal Penetration Testing is more targeted and involves attacking the security of a computer system or network of devices from inside the network, imitating the tools and techniques a real internal attacker would use. The objective is to determine which systems a malicious insider would be able to access within the internal structure of the network. Does the scope include only the generic corporate user access areas, or also the access controls around sensitive data and industrial control systems?
Penetration Testing and Red Team Assessments both have strengths and weaknesses and are each better suited to particular circumstances. Your goals determine which is the right choice for your needs, and you may need a blend of both.
Getting Confidence through Checks
Many organizations outsource their system and physical security to a third party. Cybersecurity monitoring may also be outsourced to another entity, which may in turn rely on a chain of contractors and outside firms to secure the IT systems. This creates multiple layers of security checks, and an attacker needs to find only the weakest link among them to achieve a breach. Therefore, it is essential to test every surface of the security program to determine where the breaking points exist. A Red Team Exercise mimics a motivated attacker: it executes a plan, explores the organization’s infrastructure and physical installations, and then tests the physical, cyber, and social defenses through a stepwise exercise.
Do I need Red Teaming?
First, you need to know how mature your information security posture is.
Almost all organizations already conduct penetration testing on a regular basis; Red Teaming builds on that baseline.
The team initially conducts off-site reconnaissance using public sources of information about the organization (as a cyber-criminal would) before actively probing organizational targets. These targets could include physical work sites or offices, externally exposed Internet-facing systems, and the organization’s employees, with the aim of gaining a foothold within the corporate network. Once this has been achieved, the campaign persists and works towards the objectives of the Red Team engagement.
Red Teaming is one of the most comprehensive and in-depth engagements helping organizations determine if and how their most sensitive assets could be compromised.
Red Team exercises act as extended penetration tests and are distinctive if performed correctly.
The major difference between Red Team Exercises and other tests is that the Red Team focuses not only on the electronic defenses but also on the “human” part of the attack: for example, passwords obtained through human error, access to restricted areas without authentication, or employee negligence. These attacks arise from the physical and social domains, and it is the Red Team’s duty to think and act like an attacker in order to anticipate their techniques and strategies.
Which one is better?
Traditional penetration testing is crucial to security but can be limited by time and scope constraints. In comparison, Red Team campaigns seek to remove these limitations by providing a service that recreates actual attack scenarios and exposes attack surfaces.
Red team engagements are as close to a real-world intrusion as you can get. Ordinary penetration testers do not have to account for defenders, so there is no one to hide from, whereas a red team must evade detection and response. While a penetration test’s goal is to find vulnerabilities, each red team campaign has a specific objective, to be achieved by any means the agreed rules of engagement allow.
The true answer is that one is not necessarily better than the other. Often Penetration Testers and Red Teams are the same people in an organization wearing different functional hats and using different methods and techniques for different assessments. Determining the organizational goal is the essential starting point, because the methods and approaches differ with the goal. You may consider having a Red Team evaluate your incident response, or you may choose Penetration Tests to discover vulnerabilities. The takeaway is that to avoid being listed as a victim organization affected by a sophisticated attack, being prepared with clear goals and the right teams is essential.
Manga Sridhar Akella, Program Manager Information Security @YASH Technologies