Most companies conduct some form of security testing against their assets. This includes their network infrastructure, both external and internal, as well as any web or mobile applications.
These assessments generally focus on breadth instead of depth and are constrained to the given component being tested. Red teaming differs from this entirely. Red teaming is an adversarial, goal-based assessment that provides a real-world view into what an attacker would do to compromise your organisation's assets. A red teamer will not focus solely on your network infrastructure or web applications; instead, they will identify potential weak points and string together seemingly unrelated vulnerabilities to create composite attack scenarios.
How a red team works
In a red team engagement, all aspects of your organisation are tested. Traditional penetration testing occurs as part of these engagements, which results in traditional technical vulnerabilities. Red teaming also focuses on your organisation's human element to find ways into the organisation.
This includes email and phone-based phishing, physical penetration testing, and scouring social media for insight into the culture of your organisation and how it behaves. This type of testing uncovers business process-related issues that aren't covered by traditional penetration testing. This may include a lack of awareness about phishing, a lax social media policy, or gaps in your corporate physical security policy.
The anatomy of a composite attack
We have frequently seen a traditional low-rated vulnerability or server misconfiguration become the initial foothold needed to launch a more complex attack against an organisation in pursuit of our goal. Although an internal IP disclosure on your web server may carry a low rating by itself, a red team can use that information to gain insight into your organisation's network. They can use it in phone-based attacks by pretending to be a member of the organisation with insider knowledge. The attacker may use this insider knowledge to gain the trust of the person they are talking to, and then manipulate that trust to get them to perform some action which allows the attacker to get further into the organisation. This is only one example of a composite attack, and it demonstrates how a red team engagement differs drastically from a traditional penetration test.
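The internal IP disclosure mentioned above is a finding a defender can check for before a red team does. The script below is an added example written for this page, not code from the article's author or from Cigital: it scans an HTTP response's headers and body for addresses in the RFC 1918 and link-local ranges, which is the usual shape of this leak (a redirect to a backend host, a load-balancer header, a stack trace naming a database server). The response shown is constructed for the example; in practice you would feed it the headers and body captured from your own web server.

```python
import ipaddress
import re

# Candidate IPv4 dotted quads; each match is validated with ipaddress below
# so that a version string such as "999.1.1.1" is not reported.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that should never appear in a public-facing response:
# RFC 1918 private space plus the 169.254.0.0/16 link-local block.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")
]


def find_internal_ips(text: str) -> list[str]:
    """Return the unique internal IPv4 addresses found in text, in order of appearance."""
    found: list[str] = []
    for match in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(match.group(0))
        except ValueError:  # e.g. an octet above 255
            continue
        if any(ip in net for net in INTERNAL_NETS) and str(ip) not in found:
            found.append(str(ip))
    return found


def check_response(headers: dict[str, str], body: str) -> dict[str, list[str]]:
    """Map each leaking header name (and 'body') to the internal addresses it exposes."""
    report: dict[str, list[str]] = {}
    for name, value in headers.items():
        leaked = find_internal_ips(value)
        if leaked:
            report[name] = leaked
    body_leaks = find_internal_ips(body)
    if body_leaks:
        report["body"] = body_leaks
    return report


# Constructed sample response (not captured from any real server): a redirect,
# a load-balancer header and an error page that each expose an internal address.
# 203.0.113.7 is a documentation address standing in for a public client IP.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.57",
    "Location": "http://10.20.30.40/login",
    "X-Backend-Server": "192.168.5.12",
    "Content-Type": "text/html",
}
SAMPLE_BODY = (
    "<html>Error connecting to db-primary at 172.16.8.9:5432 "
    "(client 203.0.113.7)</html>"
)

if __name__ == "__main__":
    for where, ips in check_response(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{where}: {', '.join(ips)}")
```

Run against the sample response it reports the Location header, the X-Backend-Server header and the body, while ignoring the Apache version string and the public client address. Findings like these are what a red team turns into pretext material, so they belong in the same tracking system as any other vulnerability even when the scanner rates them low.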
Are you prepared for an attack?
Another use for a red team is to test your organisation's response to an attack. Do your employees notify the IT department when they receive a suspicious email? How does IT respond when receiving notifications about suspicious emails? How well do the network protections in place, including anti-virus software, firewalls, and intrusion-detection systems, actually detect or stop an attack?
While you may have policies in place that answer the questions above, you must thoroughly test them to ensure that employee training, education, and technical defences adequately cover these scenarios. Your team can work closely with the red team after their engagement to understand how they got into your organisation and learn ways to prevent it. The report generated from a red team engagement should contain detailed information on what the red team did to compromise the stated goal and, more importantly, actionable remediation advice and guidance to prevent a similar attack in the future.
In some of our red team engagements, we uncovered significant gaps in both our clients' policies and training, ranging from social media posting to insufficient security-awareness training. These findings led to organisational policy changes that enabled the clients to better protect themselves against other attacks.
The bottom line
Since the report is the only tangible artefact from a red team engagement, it is critical to conduct due diligence on the vendors you are considering to ensure their reports will be beneficial to you. You can do this by asking for sample reports to get an understanding of how the vendor conducts their red team engagements. This will also give you a view on how the vendor provides remediation advice.
Contributed by Thomas Richards, consultant at Cigital.