Red Team Series : Introduction to red teaming

Falken Smaze
Jan 21, 2023


What is red teaming?

Red teaming is a concept that has become prevalent in the cyber security industry, yet its meaning and purpose are often misunderstood or distorted. This confusion can stem from a number of factors, including the misappropriation of the term in vendor marketing and a lack of standardization in compliance requirements. In this article, we aim to provide a clear and accurate definition of red teaming, to help readers understand its purpose and application.

Red teams provide an adversarial perspective by challenging assumptions made by organizations and defenders. For example, an organization may assume that they are secure because they regularly patch their systems, or that only a limited number of people can access certain systems. However, these assumptions are often flawed and can be easily exploited by attackers. By testing these assumptions, red teams can identify areas for improvement in an organization’s defense mechanisms.

It’s worth noting that Red Teaming is different from Penetration Testing. While both are used to identify vulnerabilities, Red Teaming is a more comprehensive approach. Penetration testing is typically focused on a single technology stack and aims to identify as many vulnerabilities as possible, while red teams have a clear objective defined by the organization and emulate real-life threats. Red teams also look at the overall security posture of an organization, including people and processes as well as technology. They also put a heavy emphasis on stealth and the “principle of least privilege” to test the detection and response capabilities of the organization.

OPSEC

In the context of red teaming, Operations Security (OPSEC) refers to the practice of protecting sensitive information and activities from being observed and understood by the opposing team, in this case, the blue team. It is a measure of how easy it is for the blue team to detect and interrupt the red team’s actions. The level of ease is relative to the skills and knowledge of the defenders, but it can be predicted based on the overall threat landscape, public knowledge, and consultation with the client.

OPSEC involves understanding the indicators that a red team’s actions will leave behind and the likelihood that they will be detected by the blue team. It also involves taking steps to reduce the risk of detection, such as using stealthy tactics and techniques, and avoiding leaving behind unnecessary traces of activity. Additionally, red teams may use information gathered from the blue team’s systems to operate in ways that the blue team is unaware of or unable to handle.

Overall, the goal of OPSEC in red teaming is to enable the red team to successfully complete its objectives while minimizing the risk of detection and interruption.

Steps of engagements

An overall red team engagement can be broken down into three main phases: Planning, Doing, and Reporting. Most of this series will focus on the “doing” phase, which is also referred to as the “Attack Kill Chain”.

The engagement begins with the planning phase, where the team performs external reconnaissance against the target organization. This involves gathering information about the organization, such as applications, IP ranges, domain names, technologies and products used, employees, organizational structure, service providers, and suppliers. We then use this information to plan out an attack on the organization.

Once a foothold has been obtained in the target organization, we move on to the internal reconnaissance phase. The team may also install backdoors on the foothold(s) to ensure they can maintain persistent access to the environment without having to repeat the initial compromise steps.

We will then move laterally across the network to look for our objective or to gain access to it. We may obtain credentials in various ways, such as finding them on file shares, performing relay attacks, or elevating privileges and dumping them with tools such as Mimikatz.

Once access to the objective has been achieved, we collect the appropriate level of evidence. The engagement may end there, or the team may choose to reveal itself to the defenders to gauge their detection threshold.
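The OPSEC section above talks about the indicators a red team's actions leave behind, and the lateral movement step mentions credential dumping with tools such as Mimikatz. The following is an added example, not code from the original article, showing what such an indicator looks like from the blue team's side: a minimal detection rule over constructed, Sysmon-style ProcessAccess (Event ID 10) records that flags unexpected processes opening a handle to LSASS. The record format, field names, access-mask list, allowlist and sample events are all assumptions made for this demo, not telemetry from any real engagement.

```python
"""Added example: detect suspicious handle opens on lsass.exe from
Sysmon-style ProcessAccess records. All field names, the access masks
considered suspicious, the allowlist and the sample events below are
assumptions for this demo (modelled on Sysmon Event ID 10), not data
from the article."""

from dataclasses import dataclass

# Access masks commonly requested when reading LSASS memory
# (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION variants and all-access).
SUSPICIOUS_ACCESS_MASKS = {0x1010, 0x1410, 0x1FFFFF}

# Processes that legitimately touch LSASS on this (hypothetical) host.
# An allowlist like this must be tuned per environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class ProcessAccessEvent:
    event_id: int
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str = ""


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one constructed 'Key=Value;' record (demo format only)."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";") if part)
    return ProcessAccessEvent(
        event_id=int(fields["EventID"]),
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
        call_trace=fields.get("CallTrace", ""),
    )


def is_lsass_access_suspicious(ev: ProcessAccessEvent) -> bool:
    """Flag ProcessAccess events against lsass.exe that come from an
    unexpected source and either request a dump-like access mask or
    originate from unbacked (non-module) code in the call trace."""
    if ev.event_id != 10:
        return False
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWLISTED_SOURCES:
        return False
    # Sysmon records frames it cannot map to a loaded module as UNKNOWN;
    # such frames in a call trace into LSASS are a classic injected-code sign.
    unbacked_frame = "UNKNOWN" in ev.call_trace
    return ev.granted_access in SUSPICIOUS_ACCESS_MASKS or unbacked_frame


def detect(lines):
    """Return the source image of every suspicious LSASS access in the input."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_lsass_access_suspicious(ev):
            hits.append(ev.source_image)
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=10;SourceImage=C:\\Windows\\System32\\svchost.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1000;",
    "EventID=10;SourceImage=C:\\Users\\alice\\Downloads\\m.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1010;",
    "EventID=10;SourceImage=C:\\Windows\\System32\\notepad.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1FFFFF;",
    "EventID=1;SourceImage=C:\\Windows\\System32\\cmd.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x1010;",
    "EventID=10;SourceImage=C:\\Windows\\Temp\\x.exe;TargetImage=C:\\Windows\\System32\\lsass.exe;GrantedAccess=0x0040;CallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d4c4|UNKNOWN(0000000000A30000);",
]

if __name__ == "__main__":
    for source in detect(SAMPLE_EVENTS):
        print("ALERT: suspicious LSASS access from", source)
```

The three alerts this produces (the unsigned binary in a user's Downloads folder, notepad.exe requesting all-access, and a process whose call trace passes through unbacked memory) are exactly the sort of traces the OPSEC discussion refers to: a red team that understands this rule knows which actions are likely to be caught, and a blue team that deploys it has a concrete measure of its detection threshold.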

In conclusion, red teaming is a powerful tool for identifying vulnerabilities and assessing the effectiveness of security measures within an organization or system. By simulating an adversarial attack and thinking like an attacker, red teams can uncover weaknesses that could be exploited by real-world adversaries. The process of red teaming includes planning, execution, and reporting phases, and it involves various tactics such as external and internal reconnaissance, lateral movement, and privilege escalation.

We will dive deep into every red teaming topic I can cover in future articles! Thank you for reading.
