
Source: Acunetix
Red Teaming is a comprehensive simulation of real attacks used to assess the security of an organization's systems. The "red team" is a group of pentesters (specialists who perform penetration tests). They can be hired from outside or be employees of your organization, but in all cases their role is the same: to imitate the actions of intruders and try to penetrate your systems.
Alongside "red teams" there are a number of other colored teams in cybersecurity. For example, the Blue Team works together with the Red Team, but its activities are aimed at improving the security of the system infrastructure from the inside. The Purple Team acts as the liaison, helping the other two teams develop offensive strategies and defenses. Even so, Red Teaming is one of the least understood methods of security management, and many organizations are still reluctant to use this practice.
In this article, we explain in detail what lies behind the concept of Red Teaming and show how a comprehensive simulation of real-world attacks can significantly improve the security of your organization's information systems.
Red Teaming: overview

Although "red" and "blue" teams are now associated primarily with information technology and cybersecurity, the concepts were invented by the military. In fact, it was in the army that I first heard of them. The work of a cybersecurity analyst in the 1980s was very different from today: access to encrypted computer systems was much more restricted than it is now.
Still, my first experience with war games (modeling, simulating and organizing interactions) was very similar to today's comprehensive attack simulation process, which has become widespread in cybersecurity. Then as now, there was tremendous emphasis on using social engineering to persuade employees to grant the "enemy" illegal access to military systems. So while the technical methods for simulating attacks have advanced significantly since the 1980s, many of the main tools of the adversarial approach, and especially social engineering techniques, are largely platform independent.
The core value of comprehensive simulation of real-world attacks has also remained unchanged since the 1980s. By simulating an attack on your systems, it is easier to discover vulnerabilities and understand how they can be exploited. While it was once used primarily by white-hat hackers and cybersecurity professionals looking for vulnerabilities through penetration testing, it now has broader uses in cybersecurity and business.
The key to Red Teaming is understanding that in reality you cannot get an idea of the security of your systems until they are attacked. And instead of exposing yourself to an attack by a real attacker, it is much safer to simulate such an attack using a "red team".
Red Teaming Use Cases
An easy way to understand the basics of Red Teaming is to look at some examples. Here are two:
- Scenario 1. Imagine that a penetration test was carried out on a customer service site and it passed. It would seem that everything is in order. However, a later comprehensive attack simulation reveals that although the customer service application itself is fine, the third-party chat function cannot reliably identify people, which makes it possible to trick customer service representatives into changing the email address on an account (as a result of which a new person, the attacker, gains access to it).
- Scenario 2. Pentesting found that all VPN and remote access controls were secure. Then, however, a member of the "red team" walks freely past the reception desk and leaves with an employee's laptop.
In both cases, the "red team" checks not only the reliability of each individual system, but also the system as a whole for weaknesses.
Who needs complex attack simulation?

In a nutshell, almost any company can benefit from Red Teaming. As our 2019 Global Data Risk Report shows, an alarmingly large number of organizations falsely believe that they have complete control over their data. We found, for example, that on average 22% of company folders are accessible to every employee, and that 87% of companies have over 1,000 outdated sensitive files on their systems.
If your company is not in the tech industry, it might seem that Red Teaming won't do you much good. But this is not the case: cybersecurity is not only about protecting confidential information.
Attackers try to take over technology regardless of the company's industry. For example, they may seek access to your network in order to conceal their activity while taking over another system or network elsewhere in the world. In this type of attack, the attackers do not need your data; they want to infect your computers with malware in order to make them part of a botnet.
For small companies, it can be difficult to find the resources for Red Teaming. In this case, it makes sense to outsource the process to an external contractor.
Red Teaming recommendations
The optimal timing and frequency of Red Teaming depends on the sector you work in and the maturity of your cybersecurity tooling.
In particular, you should already have automated activities such as asset discovery and vulnerability analysis in place. Your organization should also combine automated technology with human oversight by regularly performing thorough penetration testing.
After completing several business cycles of penetration testing and vulnerability hunting, you can start a comprehensive simulation of a real attack. At this point, Red Teaming will bring you tangible benefits. Trying to do it before the foundations of cybersecurity are in place, however, will not pay off.
A team of white-hat hackers will likely compromise an unprepared system so quickly and easily that you gain too little information to act on. To achieve real impact, the information obtained by the "red team" must be compared with previous penetration tests and vulnerability assessments.
What is Penetration Testing?

Comprehensive simulation of a real attack (Red Teaming) is often confused with penetration testing, but the two methods differ. More precisely, penetration testing is just one of the methods used in Red Teaming.
The role of the pentester is fairly well defined. A pentester's work is divided into four main phases: planning, information discovery, attack, and reporting. As you can see, pentesters do more than just look for software vulnerabilities. They try to put themselves in the shoes of hackers, and once they get into your system, their real work begins.
They discover vulnerabilities and then launch new attacks based on the information they obtain, navigating through the folder hierarchy. This is how penetration testing professionals differ from those hired only to search for vulnerabilities with port scanning or virus detection software. An experienced pentester can determine:
- where hackers can direct their attack;
- the way hackers will attack;
- how your defense will behave;
- the possible scale of the breach.
Penetration testing seeks to identify flaws at the application and network level, as well as opportunities to overcome physical security barriers. While automated testing can reveal some cybersecurity issues, manual penetration testing also takes into account the vulnerability of the business to attacks.
Red Teaming vs. penetration testing
Penetration testing is certainly important, but it is only one part of the whole range of Red Teaming activities. The "red team" has much broader goals than pentesters, who often simply seek to gain access to the network. Red Teaming usually involves more people, resources and time, as the Red Team digs deep to fully understand the true level of risk and vulnerability across an organization's technology, people and physical assets.
There are other differences as well. Red Teaming is usually used by organizations with more mature and advanced cybersecurity measures (although in practice this is not always the case).
Usually these are companies that have already conducted penetration testing and fixed most of the vulnerabilities found, and are now looking for someone who can once again try to access confidential information or breach their security by any means.
This is why Red Teaming relies on a team of security experts focused on a specific goal. They target internal vulnerabilities and employ both electronic and physical social engineering techniques against the organization's employees. Unlike pentesters, red teams take their time during their attacks, wanting to avoid detection, as a real cybercriminal would.
Red Teaming benefits

There are many advantages to comprehensively simulating real-world attacks, but most importantly, this approach provides a comprehensive picture of an organization's cybersecurity level. A typical end-to-end attack simulation includes penetration testing (network, application, mobile and other devices), social engineering (in-person contact on site, phone calls, email, text messages and chat), and physical intrusion (picking locks, finding blind spots of security cameras, bypassing alarm systems). If there are vulnerabilities in any of these aspects of your system, they will be found.
Once vulnerabilities are found, they can be fixed. An effective attack simulation does not end when vulnerabilities are discovered. Once the security flaws are clearly identified, you will want to fix them and retest. In fact, the real work usually begins after the Red Team intrusion, when you conduct a forensic analysis of the attack and work to remediate the vulnerabilities found.
In addition to these two main benefits, Red Teaming offers a number of others. The "red team" can:
- identify risks and vulnerabilities to attacks in key business information assets;
- simulate the methods, tactics and procedures of real attackers in an environment with limited and controlled risk;
- assess your organization's ability to detect, respond, and prevent complex targeted threats;
- stimulate close interaction with information security departments and "blue teams" to ensure significant mitigation and conduct comprehensive practical workshops based on the discovered vulnerabilities.
How does Red Teaming work?
A good way to understand how Red Teaming works is to look at how it usually unfolds. A typical comprehensive attack simulation consists of several stages:
- The organization agrees with the "red team" (internal or external) on the goal of the attack. For example, the goal may be to retrieve confidential information from a specific server.
In fact, an experienced Red Team practitioner uses a myriad of methods to complete each of these steps. The key takeaway, however, is that small vulnerabilities on individual systems can escalate into catastrophic failures when chained together.
What should be considered when engaging a "red team"?

To get the most out of Red Teaming, you need to prepare carefully. The systems and processes of every organization are different, and a high-quality Red Team engagement is one aimed at finding vulnerabilities specific to your systems. For this reason, it is important to consider a number of factors:
Know what you are looking for
First of all, it is important to understand which systems and processes you want to test. You may know that you want to test a web application, but you are not very well aware of what this actually means and what other systems are integrated with your web applications. Therefore, it is important that you have a good understanding of your own systems and fix any obvious vulnerabilities before embarking on a comprehensive simulation of a real attack.
Know your network
This is related to the previous recommendation, but concerns the technical specifics of your network. The better you can quantify the testing environment, the more accurate and focused your Red Team's work will be.
Know your budget
Red Team engagements can be performed at different levels, but simulating the full range of attacks on your network, including social engineering and physical intrusion, can be costly. For this reason, it is important to understand how much you can spend on such an assessment and to scope it accordingly.
Know your level of risk
Some organizations may tolerate a fairly high level of risk as part of their standard business procedures. Others will need to limit their level of risk to a much greater extent, especially if the company operates in a highly regulated industry. Therefore, when doing Red Teaming, it is important to focus on the risks that really pose a threat to your business.
Red Teaming: tools and tactics

If implemented correctly, the red team will carry out a full-scale attack on your networks using all the tools and techniques used by hackers. This includes, among others:
- Application Penetration Testing: aims to identify application-level flaws such as cross-site request forgery, input handling flaws, weak session management, and many others.
- Network Penetration Testing: aims to identify flaws at the network and system level, including misconfigurations, wireless vulnerabilities, unauthorized services, and more.
- Physical Penetration Testing: tests the effectiveness, strengths and weaknesses of physical security controls in real life.
- Social Engineering: aims to exploit human weaknesses and human nature, testing people's susceptibility to deception, persuasion and manipulation through phishing emails, phone calls and text messages, and in-person contact on site.
All of the above are components of Red Teaming: a full-blown, multi-layered attack simulation designed to determine how well your people, networks, applications, and physical security controls withstand an attack by a real adversary.
Continuous development of Red Teaming methods
The nature of comprehensive simulations of real-world attacks, in which red teams try to find new security vulnerabilities and blue teams try to fix them, leads to constant development of the methods used in such assessments. For this reason, it is difficult to compile an up-to-date list of modern Red Teaming techniques, as they quickly become obsolete.
Therefore, most red teamers spend at least some of their time researching new vulnerabilities and how they are exploited, using the many resources provided by the Red Team community. The most popular of these are:
- Pentester Academy.
- Vincent Yiu.
- Twitter, in particular the hashtags #redteam and #redteaming.
- Daniel Miessler.
- The Daily Swig, the news site run by PortSwigger Web Security.
- Florian Hansemann.
- MWR labs (also on Twitter).
- Emad Shanab (on Twitter; covers SQL injection and OAuth).
- MITRE's Adversarial Tactics, Techniques and Common Knowledge (ATT&CK).
- The Hacker Playbook by Peter Kim (also on Twitter).
- SANS Institute (also on Twitter).
- Red Team Journal.
- Awesome Red Teaming, a GitHub list of Red Teaming resources.
What is the Blue Team?

With so many differently colored teams, it can be difficult to determine which type your organization needs.
One alternative to the red team, or rather another type of team that can be used alongside it, is the blue team. The Blue Team also assesses the security of the network and identifies potential vulnerabilities in the infrastructure, but with a different purpose: to find ways to protect, adjust and regroup defenses so that incident response becomes much more effective.
Like the red team, the blue team must know attacker tactics, techniques and procedures in order to build response strategies on them. However, the Blue Team's responsibilities are not limited to defending against attacks. It is also involved in strengthening the entire security infrastructure, for example with an Intrusion Detection System (IDS) that provides continuous analysis of unusual and suspicious activity.
Here are some of the steps the blue team takes:
- security audit, in particular DNS audit;
- analysis of logs and memory;
- analysis of network data packets;
- analysis of risk data;
- digital footprint analysis;
- reverse engineering;
- DDoS testing;
- development of scenarios for the implementation of risks.
Differences between the red and blue teams
A common question for many organizations is which team they should use, red or blue. The question is often accompanied by friendly hostility between people who work "on opposite sides of the barricades". In reality, neither team makes sense without the other, so the correct answer is that both teams are important.
The "red team" attacks and is used to test the "blue team's" readiness to defend. Sometimes the red team finds vulnerabilities that the blue team completely overlooked, in which case the red team must show how these vulnerabilities can be fixed.
It is vital for both teams to work together against cybercriminals to strengthen information security.
For this reason, it doesn't make sense to choose only one side or invest in only one type of team. It is important to remember that the goal of both parties is to prevent cybercrime.
In other words, companies need to establish cooperation between the two teams to provide a comprehensive audit, with logs of all attacks and checks performed and records of the findings.
The "red team" provides information on the operations it performed during the simulated attack, and the blue team on the actions it took to close the gaps and eliminate the vulnerabilities found.
The importance of both teams cannot be overstated. Without their ongoing security audits, penetration testing and infrastructure improvements, companies would not know their own security status, at least until a data breach occurs and it becomes painfully clear that the security measures weren't enough.
What is the Purple Team?
The Purple Team is the result of attempts to combine the Red and Blue teams. The Purple Team is a concept rather than a separate type of team; it is best seen as a combination of the red and blue teams. It engages both teams, helping them work together.
The Purple Team can help security teams improve vulnerability detection, threat hunting, and network monitoring by accurately modeling common threat scenarios and helping to create new methods for detecting and preventing threats.
Some organizations employ the "purple team" for one-off targeted activities with clearly defined security goals, timelines, and key results. This includes recognizing deficiencies in attack and defense, and identifying future training and technology requirements.
An alternative approach now gaining traction is to view the Purple Team as a conceptual model that works throughout the organization to foster a culture of cybersecurity and continual improvement.
Conclusion
Red Teaming, or comprehensive attack simulation, is a powerful method for testing an organization's security, but it should be used with care. In particular, it requires sufficiently mature information security controls to be in place; otherwise it may not meet the expectations placed on it.
Red Teaming can reveal vulnerabilities in your systems that you never imagined, and help fix them. By adopting an adversarial approach between the blue and red teams, you can simulate what a real hacker would do if they wanted to steal your data or damage your assets.