Many mature and sophisticated infosec teams are moving their focus from traditional penetration testing engagements to Red Teaming exercises. As you consider this move, what should you look for in a Red Team vendor? Capabilities and objectives can vary wildly. For starters, let’s look at the differences between red teaming and what’s known as purple teaming.
Red Teaming services enable organizations of all sizes to mature their security posture by testing the overall effectiveness of the “Blue Team” defenses. Organizations want to know how quickly their Blue Teams can identify, analyze, and neutralize a sophisticated attack. Many large organizations spend millions of dollars each year on new tools, processes, and people to gain greater confidence in their cybersecurity programs. But how do you know if your deployed countermeasures and processes are proving the expected Return on Investment (ROI)?
As the proverbial saying goes, if you can’t measure it, you can’t improve it. Red Teaming exercises are being adopted by many organizations to address this very need. Unlike your traditional pen testing projects, these engagements are typically larger in scale and goals. They also tend to be more aligned with an organization’s current business objectives.
To illustrate, a penetration test is like examining a single tree, whereas a Red Teaming exercise is like surveying the terrain of a vast forest. It is common practice to define specific goals (e.g. gaining access to a C-level executive’s email, or pushing malicious code into a production environment via the CI/CD pipeline) for various stages of the Red Teaming exercise. These goals guide the red team on which techniques to include; for example, we may use a highly customized, targeted spear-phishing campaign to capture valid user credentials. Alternatively, the Red Team may leverage social engineering techniques, where offensive operators reach out to prospective targets via social media or even the phone to gain a foothold on the network. These operators may impersonate a recent hire or a new consultant on a project, much like a sophisticated attacker would do.
Red Teaming exercises may also include but are not limited to:
- Accessing SaaS services via credential stuffing and/or various password cracking techniques
- Assessment of Windows Active Directory environments for common security mistakes
- Mobile, web and network discovery, reverse engineering, and exploitation
- Open-Source Intelligence (OSINT) review and analysis of previous breach data
Documentation is of the utmost importance. Every execution and every screenshot needs to be timestamped and logged accurately. Failure to do so will make the report less impactful later when you want to see if your mitigation efforts are successful. After all, the very reason you’re doing a Red Teaming engagement in the first place is to be able to take corrective action from its output.
The report needs to contain actionable information. It needs to be specific, not a mere red/yellow/green scorecard. A list of recommendations has to be included in the report, so make sure this “get well plan” is outlined in your scope.
Purple Teaming is a variation of Red Teaming, but far more collaborative. During Purple Teaming events, offensive operator(s) work in tandem with the defensive Blue Team. This is very beneficial for the Blue Teamers, as you can see how an active attack looks from your own vantage point. Sophisticated Red Team shops are methodical and take a “low and slow” approach: they keep noise to a minimum and look to move about without being easily detected.
It’s not so much about whether they were able to detect you or not; it’s more about what specific tradecraft is being used in real time. What did your tools see? Which ones? How did you respond? These learning sessions give you a window into the adversarial mindset and are critical for all Blue Teamers who want to take their game to the next level. These exercises shorten the feedback loop between the red and blue teams, as they read and react to what’s occurring in real time.
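The two points above (timestamped logging of every red team action, and answering “what did your tools see, and how fast?” during a purple team session) come together when the red team’s activity log is correlated against the blue team’s alert timeline. The following is an added example, not code from the original post or from Aurora: it takes a constructed red team action log and a constructed set of blue team alerts, matches them by technique label within a detection window, and reports which actions were detected, by which tool, and the time-to-detect. The technique labels, tool names and timestamps are all constructed sample values; the matching rule (same technique label, alert no earlier than the action and within the window) is an assumption for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class RedAction:
    """One timestamped entry from the red team's activity log."""
    ts: datetime
    technique: str      # technique label shared with the blue team (constructed)
    description: str


@dataclass
class BlueAlert:
    """One alert raised by a blue team tool."""
    ts: datetime
    source: str         # tool that raised the alert (constructed)
    technique: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-03-05T09:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample red team log: each action is timestamped at execution time.
RED_LOG: List[RedAction] = [
    RedAction(parse_ts("2024-03-05T09:00:00Z"), "PHISHING", "spear-phishing email delivered"),
    RedAction(parse_ts("2024-03-05T09:30:00Z"), "AD_SERVICE_TICKET_REQUEST", "service ticket requested"),
    RedAction(parse_ts("2024-03-05T10:15:00Z"), "CICD_PUSH", "pipeline change submitted"),
]

# Constructed sample blue team alert timeline exported from the SOC tooling.
BLUE_ALERTS: List[BlueAlert] = [
    BlueAlert(parse_ts("2024-03-05T09:04:00Z"), "email-gateway", "PHISHING"),
    BlueAlert(parse_ts("2024-03-05T09:31:00Z"), "edr", "AD_SERVICE_TICKET_REQUEST"),
    BlueAlert(parse_ts("2024-03-05T09:50:00Z"), "siem", "PASSWORD_SPRAY"),  # unrelated noise
]


def correlate(red: List[RedAction], blue: List[BlueAlert], window: timedelta) -> List[Dict]:
    """For each red action, find the earliest alert with the same technique label
    raised at or after the action and within `window`. Alerts that fire before
    the action cannot have been caused by it and are ignored."""
    results = []
    for action in red:
        candidates = [
            a for a in blue
            if a.technique == action.technique and action.ts <= a.ts <= action.ts + window
        ]
        first: Optional[BlueAlert] = min(candidates, key=lambda a: a.ts) if candidates else None
        results.append({
            "technique": action.technique,
            "description": action.description,
            "detected": first is not None,
            "source": first.source if first else None,
            "ttd_seconds": (first.ts - action.ts).total_seconds() if first else None,
        })
    return results


def detection_rate(results: List[Dict]) -> float:
    """Fraction of red actions that produced at least one alert in the window."""
    return sum(1 for r in results if r["detected"]) / len(results) if results else 0.0


def run_example(window_minutes: int = 30) -> List[Dict]:
    """Correlate the constructed sample data with the given detection window."""
    return correlate(RED_LOG, BLUE_ALERTS, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    rows = run_example()
    for r in rows:
        status = f"detected by {r['source']} after {r['ttd_seconds']:.0f}s" if r["detected"] else "NOT detected"
        print(f"{r['technique']:<28} {status}")
    print(f"detection rate: {detection_rate(rows):.0%}")
```

Running this with the sample data shows two of three actions detected and the CI/CD push missed, which is exactly the kind of gap a “get well plan” should list. Shrinking the window (e.g. `run_example(3)`) turns the four-minute phishing detection into a miss, which is a useful way to express a time-to-detect objective rather than a bare detected/not-detected count.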
Which one’s right for my organization? Well, that ultimately depends on your current needs and your overall cybersecurity maturity.
Our team at Aurora can help you implement these strategies into your environment to improve your cybersecurity posture. Email firstname.lastname@example.org or call us at 888-282-0696 to learn more.