Mark Nicholls, principal security consultant, Context Information Security

Red teaming is the use of realistic attacker tactics that replicate a genuine targeted threat. This can include deployment of bespoke Trojans and physical testing of defences - such as targeting staff to gain entry to a building or network through the use of spear-phishing techniques. While a penetration test usually relies on the client providing information such as IP addresses to scan or credentials to access an application, a red team starts from the same position as a real attacker.

Red team exercises take place without the knowledge of most personnel at the target organisation, so there is no opportunity to prepare for the attack. This highly realistic exercise enables a company to effectively measure its security posture at multiple levels against sophisticated and highly targeted attacks. Traditional penetration testing does not provide that same in-depth view of border protection, employee awareness and how well processes and procedures cope with a real-life attack scenario.

Effective recon

Red team exercises will generally commence with passive reconnaissance or open source intelligence gathering through social media and online searches to identify individuals to target within the organisation. Effective planning and recon also provides a good base of information for use in later stages of the exercise. Not only will properly conducted recon provide information on systems, people and locations, but it will also be the starting point to uncover potential vulnerabilities that can be exploited to gain further access. 

The multi-staged attack

Once reconnaissance is complete, the information gathered is used to plan and deliver a multi-staged attack. The first stage is attack delivery and exploitation, which may involve the creation of custom exploits or implants, to target employees and gain access to the internal network. A typical implant behaves much like a Trojan, the difference being that its actions are under the full control of the red team. The implant infects target machines to enable remote control from red team HQ. By customising the implant for each engagement, the red team improves its chances of evading detection. The delivery techniques themselves hold few surprises: email attachments, exploitation of known vulnerabilities and fake websites are all common methods.

The attack exploitation stage may also involve physical penetration testing of the client, with wireless site surveying and external infrastructure probing used to circumvent network access controls. All of these attack phases are divided into waves that last a few days each and build upon information derived from the previous wave. Red teaming is not an instant gratification exercise: the whole testing window usually lasts between four and six weeks. That window includes the internal system attack, which probes the network and identifies assets of interest such as key systems and critical data, often specified by the client in advance as targets. These assets are then used as concrete evidence of a successful breach.

A successful breach can also be measured in terms of the footprint left behind. This is why red teams place importance on the exfiltration stage, where client systems are cleaned to remove any evidence, including, for example, uninstallation of the implanted Trojan from any infected laptops. This leaves only the reporting phase, which is where the real business benefit of red teaming is found. The report needs to be both comprehensive and high level: it has to detail all the activities that have been undertaken, but it must also assess the susceptibility of the target organisation and provide mitigation advice where vulnerabilities have been identified.

Is it legal?

What about the legal implications of using a red team, especially when we are talking about the use of bespoke Trojans and phishing attacks? Overall, the legal implications are much the same as a penetration test, meaning the attack team could potentially be in contravention of the Computer Misuse Act and the Data Protection Act (DPA) could come into play where access to data is concerned. Provision of the relevant authorisation by the organisation being tested avoids the former and if the security company conforms to standards such as ISO27001 and ISO9001 then DPA issues can be avoided. However, a company using an implant needs to ensure that it is a trusted application and any data being sent from the company network is being transmitted securely. In most cases, an organisation being tested would want assurance that an implant is safe and the only real way to provide this is to use a custom implant or approved third party application. Thus red teams usually oversee the development of these implants to be in control of the functionality they possess, rather than risk malicious activity from an unknown Trojan.
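Two of the points above, that the team must leave no footprint behind and must stay within the client's written authorisation, both depend on the red team keeping an accurate record of its own activity and reconciling it at the end. The script below is an added example, not tooling from the article or from Context Information Security. It assumes a simple activity log of `<timestamp> <host> <action>` lines kept by the team, a signed-off list of in-scope hosts and an agreed testing window; all hostnames, dates and field names are constructed for illustration. It reports any host touched outside scope, any activity outside the agreed window, and any implant that was installed but never removed, which are exactly the items a reporting phase has to account for.

```python
"""Engagement footprint audit for a red team exercise.

Added example, not tooling from the article or from Context Information
Security. It reconciles the red team's own activity log against the written
authorisation (which hosts are in scope and for which window) and confirms
that every implant installed was later removed. Field names, hostnames and
dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Activity:
    ts: datetime
    host: str
    action: str  # "implant_install", "implant_remove" or "access"


# Constructed authorisation: the hosts the client signed off and the agreed
# six-week testing window.
AUTHORISED_HOSTS = {"ws-finance-01", "ws-hr-02", "fileserver-01"}
WINDOW_START = datetime(2024, 3, 4)
WINDOW_END = WINDOW_START + timedelta(weeks=6)

# Constructed activity log, one "<ISO timestamp> <host> <action>" line per event.
RAW_LOG = """\
2024-03-05T09:12:00 ws-finance-01 implant_install
2024-03-05T09:40:00 ws-finance-01 access
2024-03-11T14:02:00 ws-hr-02 implant_install
2024-03-12T08:30:00 fileserver-01 access
2024-03-18T16:45:00 ws-finance-01 implant_remove
2024-03-20T10:00:00 ws-legal-07 access
2024-04-22T11:00:00 ws-hr-02 access
"""


def parse_log(text):
    """Parse the log into Activity records, skipping blank lines."""
    activities = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action = line.split()
        activities.append(Activity(datetime.fromisoformat(ts), host, action))
    return activities


def audit(activities, authorised, start, end):
    """Return the three findings the reporting phase needs to explain."""
    # Any host touched that the client did not sign off is a scope breach.
    out_of_scope = sorted({a.host for a in activities if a.host not in authorised})
    # Any event before or after the agreed window is unauthorised activity.
    outside_window = [
        f"{a.ts.isoformat()} {a.host} {a.action}"
        for a in activities
        if not (start <= a.ts <= end)
    ]
    # An implant counts as cleaned up only if a removal follows its install.
    installed = {}
    for a in sorted(activities, key=lambda act: act.ts):
        if a.action == "implant_install":
            installed[a.host] = False
        elif a.action == "implant_remove" and a.host in installed:
            installed[a.host] = True
    unremoved = sorted(h for h, removed in installed.items() if not removed)
    return {
        "out_of_scope": out_of_scope,
        "outside_window": outside_window,
        "unremoved_implants": unremoved,
    }


if __name__ == "__main__":
    report = audit(parse_log(RAW_LOG), AUTHORISED_HOSTS, WINDOW_START, WINDOW_END)
    for finding, items in report.items():
        print(f"{finding}: {items or 'none'}")
```

Run against the constructed log, the audit flags `ws-legal-07` as out of scope, the 22 April access as outside the six-week window, and `ws-hr-02` as a host whose implant was never uninstalled. In a real engagement the authorised host list and window would come from the signed rules of engagement rather than constants in the script, and the activity log would be the team's own operational record.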

Measuring the business benefit

The business benefit of a properly conducted red team exercise extends much further than simply identifying gaps in security practices and controls; it determines how well an organisation is equipped to deal with real world attacks. The in-depth penetration, conducted across an extended period and involving multiple attack layers, will put an organisation's security posture to the test like nothing else. Nobody wants to find out how well equipped they are to detect and repel threats, or how effective their incident monitoring and response processes are, while under the pressure of a malicious criminal attack. The red team mimics this scenario while keeping on the right side of the law and not damaging the network or data.

Results can be used to engage the board of directors for investment in IT security, as the basis for ongoing staff awareness training and to spot vulnerabilities which can go unseen without threat-based testing. But the real business benefit is delivered by being on the receiving end of a breach and adopting whatever lessons are learned as a result.

Contributed by Mark Nicholls, principal security consultant, Context Information Security