The term ‘Red Team’ has become increasingly prevalent in cybersecurity over the past few years, as defensive tactics increase against a very capable adversary. Could using this method of exercise really be the best stress test? Dan Raywood investigates the concept.
From the concept of the red pill and blue pill of The Matrix, to the concept of red meaning ‘danger’ or ‘warning’, the idea of a Red Team suggests that something is not safe and should be treated with caution.
The concept of a Red Team has its origins in the US military, or according to some reports, the church. As Micah Zenko’s book Red Team – How to Succeed by Thinking Like the Enemy outlines: “Red Teaming is a practice as old as the role of the Devil’s Advocate, the eleventh-century Vatican official charged with discrediting candidates for sainthood.”
According to an article published in Armed Forces Journal in November 2012, Lt Col Brendan Mulvaney, who directed the commandant’s Red Team and was the Marine officer in charge at the Army Directed Studies Office from 2009-2011, said: “Red Teaming is a white light that takes on various characteristics as it shines through the prism of different organizations. Some teams focus on physical intrusions, while others strive for projections or emulations; and the cyber realm has ushered in a whole host of new challenges.”
If, as Mulvaney says, the general idea of Red Teaming is a “bright light we shine on ourselves to expose areas where we can improve effectiveness”, it is perhaps not a surprise that this concept has transferred over to the cybersecurity industry. The art of the Red Team is to take a team approach at attacking a company using multiple vectors, and it is an extension of the penetration test to use social engineering and surveillance tactics. These methods will be used, and later reported to the company for them to understand where the weaknesses are and better understand its fallibility.
"Red Teaming is a simulated attack and a specific scenario is put in place and you have defined goals and not holes."
The Simulated Attack and Specific Scenario
Red Teaming exercises now form a crucial part of cyber-exercises and this is evident in global training programs. One such trainer is Nettitude, who claimed that Red Teaming and penetration testing are ‘two different animals’, as in the case of a penetration test you know where all of the holes are and how an average person can exploit and manipulate a vulnerability. “Red Teaming is a simulated attack and a specific scenario is put in place and you have defined goals and not holes”, says Miles Corn, growth account manager for the North America team.
Rob Shapland, principal cybersecurity consultant at First Base, explains that a Red Team exercise enables you to understand what a business is worried about and what they could lose, and assess the threat that the company faces.
“You go through who is attacking them and talk with the client about who will likely attack them, rate the motivation and assess what an attacker will be after,” he explains. “So with organized crime or stealing a CEO’s file, we storyboard out ideas and come up with scenarios.”
The concept of a Red Team is an extension of the penetration test, moving beyond finding vulnerabilities in applications and software to an overall effort to get to a company’s intellectual property by any means necessary. This can include breaking physical security, conducting social engineering exercises to get access to the company and cyber-attacks to get into an organization from the outside.
According to the SANS Institute document ‘Red Teaming: The Art of Ethical Hacking’, “Red Teaming is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access.” A Red Team will use tools to probe for vulnerabilities and rather than seeking a single vulnerability, a Red Team “should test for all types of attacks (access, modification, denial of service, and repudiation) to provide a complete security assessment.”
Shapland describes Red Teaming as “more creative than penetration testing” as this requires different skills, including a combination of ‘sneaking in’ and technical skills. He says that it allows the attacker to be more imaginative, and that it is “more about social engineering and having the confidence to act in a certain manner and knowing how to act in a certain role.”
“You want someone from a background in acting or military, [for example, which is] an eclectic mix. The more resources you have, the more of a good job you can do”, he adds, citing the example of the 2001 movie Ocean’s Eleven, where a group of hackers, confident tricksters and characters winning the trust of staff were able to rob Las Vegas casinos.
The People Behind the Deception
So what kind of people make a good Red Team? Shapland says that it is typically a combination of contracted staff and consultants, all of whom are trusted and vetted, and the size of the team depends on the task. For an exercise at a small to medium business, only two or three people may be required but a team of double that size may be required for a larger job.
“The challenge for a good Red Team is people with the right skills”, says Shapland. Often, a team can also combine different age ranges as a typical penetration tester may be younger, while social engineers are of all ages, he adds.
Kieran Combes is the Red Team manager at Marks & Spencer, part of a full-time team within the security department. He explains that with a background in penetration testing and network and infrastructure, he was attracted by the ability to affect change and use a methodology for testing for vulnerabilities as Red Teaming can provide a broader remit for finding and reporting issues.
“From my background, if I found a critical vulnerability that had a serious or severe impact, I would let people know as soon as possible,” Combes says. “If I find a way to exploit an organization, then I don’t sit on it for a month, I would let people know.”
How does a scenario begin? Combes explains that you would start by looking for a vulnerable insider and understand what access they have, while another member of the team would create a scenario acting as a regular employee to gain access and see how far they could go before being detected prior to getting to the end goal. “A good Red Team manager should sort out a scenario and be able to figure out the end goal and starting parameters.”
That’s what makes a Red Team, but who actually uses them? Corn says that exercises are very common in financial services and companies with critical information that use a Red Team to “understand the threats out there and to simulate what an attacker looks like.”
Corn claims that there is a lot more activity in the UK than USA at present, but he expects to see that change as “this is a proactive approach” where users are “going about it in a proactive and aggressive manner.”
He explains that most companies take an attitude of “we want you to access this and can you get there”, so a Red Team will prepare using social media and dark markets to understand what the actual threats are. “So if it is a bank, we look at who is talking about it on the dark web and craft a simulated attack based on what we are seeing.”
Shapland adds that interest in Red Teaming has increased in the last few years, even though he has been “banging the drum for more than 10 years” about the benefits of doing an exercise.
“It started in banking and defense sectors, and filtered down to retail and insurance,” he says. “A company needs a baseline though, as if they have never had a penetration test done, a Red Team will rip you apart. The interest is increasing and big companies are looking to do this now.”
"It's more about social engineering and having the confidence to act in a certain manner and knowing how to act in a certain role."
The Need for a Persistent Red Team
If a penetration test is done every year or when new software is being used, then how often should a Red Team exercise take place? Shapland believes this can commonly take place around once a year, as working with a large company can take two to three months to do the preparation, and then time is needed after the exercise to allow the recipient company to interpret the results, “as if you do it often there is no time to put improvements in place.”
Speaking to Infosecurity Stephen Kapp, CTO of Cortex Insight, says that the Red Team concept is far from perfect though, as many companies see it as the ‘flavor of the month’ but are not ready to deal with the results.
“The issue is people don’t realize a Red Team exercise should be a long term thing,” he argues. “A lot of people see it as an extensive penetration test, whereas a Red Team will do it all in three weeks as opposed to an event in a few days.” Kapp says that restricting actions on a Red Team exercise will do neither the Red Team or company any good, as it should be more about ‘a no holds barred attack’ on an organization where everything can be accessed. “What a Red Team is supposed to do is mimic what a real-world attacker can do with their resources and potentially try everything they can to get in.”
Kapp claims that a Red Team exercise has turned into a “glorified penetration test with a bit more stuff”, and typically a company does not want to spend lots of money on an exercise, but does want the defined scope that a Red Team can deliver.
He says that in an exercise conducted this year which he was expected to complete in a couple of weeks, there was not enough time to execute it properly. “The whole point of a Red Team and testing is about preparedness and how existing systems are there to protect you. The whole point of a Red Team exercise is to detect when an attacker gets in, and how to withstand that.”
One way to achieve resilience is to conduct Red Team exercises all year round, as has been the case with Marks & Spencer. Kapp claims that if it is persistent and constant, the company ‘Blue Team’ defenders will not know when it is happening, so an exercise will look like a normal attack.
What Does it Take to be a Red Teamer?
So what about the skills needed to be a good Red Teamer? The key roles involved are relatively defined, but Kapp states that a good penetration tester will know how a system administrator will work and as a lot of good Red Teamers have been penetration testers, they would acquire the additional skills over time.
Combes adds that Red Teaming appeals to people who want to try and break things and prove that they can do it, and those that want a challenge. “Good penetration testers realize they can stop when they finish the job, but some want to keep investigating and keep wanting to find more,” he says.
This type of person would understand what the goal is, how to reach it and know it was possible to reach the goal without being hampered or delayed.
Combes sees a lot of job adverts for Red Teamers now, and it is something that companies are becoming more aware of as they realize the benefits and use it to test controls and defenses in a better fashion than an annual penetration test offers, particularly as the landscape changes during a year, and a checkbox nature doesn’t give a CISO assurance that things are being done in an appropriate manner.
“With constant Red Team engagements you can create a scenario and see how controls are affected and how other threat actors are working against you”, Combes concludes.