Have you ever wondered how Red Teaming works? Quite simply, it is a team of professional hackers using a multi-layered array of tactics, techniques, and procedures (TTP) to infiltrate your organisation and compromise critical systems or sensitive data. In doing so, they put all of your defences to the test and allow you to assess their effectiveness in the face of a real attack. This exercises the Blue Team’s ability to detect and respond to a breach in the appropriate manner.
Unlike Penetration Testing, Red Team operations cover a broader scope and exploit vulnerabilities not only in your technology stack but also in your people and processes, whilst negotiating the security controls in your environment.
There are two primary flavours of a red team operation:
1. Double Blind
A Red Team actively attacks your organisation, trying to circumvent your defences with finesse and sophistication, in order to steal your ‘Crown Jewels’. A Blue Team attempts to thwart the unforeseen attack by detecting the malicious activity, containing the breach, and removing the Red Team from the environment. In a double-blind Red Team operation, the Blue Team is not notified of the exercise at least until they successfully detect the Red Team’s presence.
2. Purple Teaming
Purple Teaming refers to a collaborative exercise that joins members of both the Red Team and the Blue Team. The Red Team provides the Blue Team full visibility of the offensive activities, helping the Blue Team identify indicators of compromise. This helps the Blue Team understand the impacts of the Red Team’s manoeuvres within the context of an attack chain and allows them to devise a response to contain and eradicate the threat effectively.
When you’re planning a full-scale red team exercise it’s best to keep it on a need-to-know basis, so that the individuals involved are genuinely tested. If the Blue Team is aware an exercise is underway, they may respond to alerts that would normally be overlooked as noise, which would therefore not represent a realistic scenario. Similarly, if individuals targeted in social engineering attacks are aware of the exercise, they may act with more vigilance than they normally would.
Although the idea of a Red Team exercise is to simulate a real threat actor by not holding back, you can rest assured that operators won’t destroy your environment. During the planning phase of the operation, the Red Team works closely with authorised personnel to define boundaries, formalise the rules of engagement, and establish communication channels between the teams.
The Red Team will undertake initial reconnaissance and intelligence gathering about your operational environment. They’ll search the web for your digital assets, domains and email addresses, and gather the names of your employees, visiting their social network accounts to find out more.
The goal of this stage is to discover vulnerable assets or processes that can be exploited to ‘crack the perimeter’ of your organisation or to identify situational opportunities that can be abused in social engineering attacks, which may involve spear-phishing or voice-phishing over the phone or even physical intrusion into your office or facilities.
Once the Red Team has achieved initial access into your environment, they’ll carefully study your environment to obtain situational awareness, and make educated decisions as they adapt their tradecraft to blend in with normal activity and establish persistence. Ultimately, they will seek a path to take control of the ‘Crown Jewels’ that they’ve been tasked to compromise.
Once the exercise is complete, the Red Team will deliver detailed documentation on the attack chain, the techniques and artefacts used, any vulnerabilities or gaps that they identified and abused, and an assessment of your Blue Team’s response. In the end, the Red Team will provide a debrief, in which they will acknowledge your Blue Team’s successes and highlight the most critical gaps that must be addressed. Most importantly, the Red Team will provide recommendations to help improve your detection and response capabilities going forward.
They say it’s better that a trusted adversary discovers your weaknesses than a real Advanced Persistent Threat (APT)!
Our dedicated team of operators work with organisations across industries to tailor Red Team operations that will maximise the value and optimise the outcome for the clients. We’ll use a wide range of adversary tactics to simulate a real attack, demonstrate how real threat actors could breach your business, and how your organisation would respond. And, by applying the insights and recommendations produced from the exercise, you’ll be able to improve your readiness to withstand a real-life attack.
We are a CREST-approved organisation, which means that our team upholds strict standards of ethical and professional conduct.
At The Missing Link, we recognise that Penetration Testing and Red Teaming require different sets of skills and expertise. Our Red Team operators are well-versed in the art and science of adversary tactics, are specially trained to run Red Team operations, and conduct cutting-edge security research and development used by red teams throughout the industry, both in Australia and globally.
We’d love a chat. If you’d like to talk through red teaming and how it can add value to your organisation’s existing security, give us a call.