What is a red team?
Red teams are offensive security professionals who specialize in attacking systems and penetrating defenses. Blue teams are defensive security professionals responsible for maintaining internal network defenses against all cyber attacks and threats. Red teams simulate attacks against blue teams to test the effectiveness of network security. Together, red and blue team exercises provide a comprehensive security solution that ensures a robust defense while taking evolving threats into account. Compared to penetration testing, red teaming is technically more complex, more time-consuming, and more rigorous: it tests an organization's response capabilities as well as the security measures it has in place. The goal of the red team is to improve enterprise information assurance by showing the effects of successful attacks and by showing what works for defenders (i.e. the blue team) in an operational environment.
A red team consists of security professionals who act as adversaries to overcome cybersecurity controls. Red teams are often composed of independent ethical hackers who evaluate system security in an objective manner.
They use all available techniques to find weaknesses in people, processes and technology to gain unauthorized access to data. As a result of these simulated attacks, red teams provide recommendations and plans on how to strengthen the organization's security posture.
How does the red team work?
You might be surprised to find that red teams spend more time planning attacks than actually attacking. Before attempting to access a network, red teams use a number of methods to learn about it.
Common information collected during this reconnaissance stage includes the following:
Discovering the operating systems in use (Windows, macOS or Linux).
Identifying the make and model of network equipment (servers, firewalls, switches, routers, access points, computers, etc.).
Identifying physical controls (doors, locks, cameras, security personnel).
Learning which ports are open or closed on the firewall to allow or block certain traffic.
Creating a map of the network to determine which hosts run which services and where traffic is sent.
Once the red team has a more complete idea of the system, it creates a plan designed to target specific vulnerabilities based on the information it gathered above.
Once vulnerabilities are identified, the red team attempts to exploit these weaknesses to gain access to your network. After gaining a foothold on a system, the usual course of action is to use privilege escalation techniques, whereby the attacker tries to steal the credentials of an administrator who has broader or full access to the most critical information.
What are the 3 questions to ask before a red team assessment?
Before conducting a red team assessment, talk to your organization's key stakeholders to learn about their concerns. Here are some questions to consider when identifying your future assessment goals:
What could happen to my organization that would cause serious damage to reputation or revenue (for example, a leak of sensitive customer data or an extended service outage)?
What is the common infrastructure used across the organization (consider both hardware and software)? In other words, is there a common component that everything relies on?
What are the most valuable assets across the organization (data and systems) and what are the consequences if they are compromised?
Tiger team
In the early days of network security, a tiger team performed many of the functions of a red team. The term has evolved over the years; today a tiger team is an elite, highly specialized group recruited to address a specific challenge to an organization's security posture.
Examples of red team exercises
Red teams use various methods and tools to exploit weaknesses and vulnerabilities in a network. It's important to note that red teams will use whatever means necessary to break into your system, within the circumstances of the engagement. Depending on the vulnerability, they may use malware to infect hosts or even bypass physical security controls by spoofing access cards.
Some actions that a red team takes are:
Lawful (ethical) hacking
Hacking and information security testing
Vulnerability identification and exploitation
Social engineering
Web application scanning
Red teaming uncovers risks to your organization that traditional penetration testing misses, because a penetration test focuses only on one aspect of security or on a narrow scope.