Red Teaming: real world exercise

The most imaginative form of penetration testing is the Red Team Test: a simulated but realistic attack on an organization's IT environment, performed by operators in a Red Team. They pull out all the stops to break in, while that IT environment is defended by a Blue Team. The purpose of the test is to assess the effectiveness of the security and to learn what can be improved.

In 2020, according to Gartner, more than 113 billion euros was spent worldwide on products and services in information security and risk management. It is expected to grow by 12.4% to more than 127 billion by 2021. Gartner also expects executives to demand more numbers and insight into the effectiveness and return of those investments in cybersecurity. After all, they should provide demonstrably better security. If you want to know how safe your IT environment really is, a Red Team can carry out an attack as if they were real criminal hackers.

The purpose of a Red Team Test is to assess the security level of an organization, list the most important vulnerabilities and show how well an organization is prepared for a real attack. Like hackers, the members of a Red Team try to get into a secure organization undetected. This can also be done by physically penetrating buildings, for example to find passwords on paper or to gain access to an open system.

Red, Blue, Purple and White

There are different forms of Red Team Testing. The Red Team is always the attacking side, working with an arsenal of 'tactics, techniques and procedures' (TTPs) that are also used by malicious hackers. Examples are (spear) phishing, ransomware, (identity) spoofing, session hijacking and injection attacks. Social engineering and psychological manipulation of employees can also be used. If an employee clicks on a link in an e-mail message that the Red Team sent in order to get in, that counts as a hit.

The specialists in the Blue Team form the defence. It is their day job to ensure that the IT environment is secure, that nobody without the proper rights can get into systems and that hackers cannot steal data or money. The defenders also have all kinds of systems and methods at their disposal, such as 2FA, e-mail filters, a SOC (Security Operations Center), a SIEM (Security Information and Event Management) system, patch management and so on.

A relatively new form of this test is done with a Purple Team. In a Purple Team, the attackers and the defenders work together. It is an efficient form of testing, partly because it leads to results faster. The defenders inform the attackers about their systems, controls and procedures, and the attackers are open about their TTPs. This mutual exchange of knowledge drives continuous process improvements.

A Red Team Test can also be performed with a White Team, which stays in contact with the Red and Blue Teams during the attack and maintains an overview. The Blue Team is not aware of the attack, so that they react as they would in real life. In a situation where, for example, the Red Team gets stuck, the White Team can give the Red Team a so-called 'leg up', which helps the Red Team one step further in the scenario. When a phishing campaign produces no results because nobody clicks on the link, the Red Team can request a 'leg up'. Someone who is in on the exercise then deliberately clicks on the link so that the rest of the test plan can still be carried out.

The Red Team Test process

A Red Team Test always proceeds according to a preconceived plan. The scope, duration and purpose of the test are determined in consultation with the client. This is followed by the reconnaissance phase, in which the Red Team collects as much information as possible about the organization, the systems in place and the target of the attack, for example the crown jewels. The scenario is also created during this phase. The choice of scenario depends on how mature the IT security of the organization is, and on whether the organization wants to know whether it can withstand a specific threat actor (TA), in which case the Red Team recreates the path that TA would take.

This is followed by the Initial Foothold, in which access to a system, a workstation or a user account is obtained. Once inside, the Red Team attempts to extend its control by increasing user privileges and achieving remote control over internal resources in the network. Then the search for the most valuable assets of the organization starts, for example access to the payment system. This is the Trophy Hunt.

Yorick Koster, co-founder of Securify, often has the role of Team Lead in Red Team Testing. Koster: "Our Red Teams work according to the Unified Kill Chain, a method that maps all steps in an attack by hackers. We follow the same structure." After the test, the client is shown in a findings meeting what the Red Team has done and how far it got. An extensive report also contains recommendations and advice for improving security. If desired, an advisory process can be started in which our security specialists help to resolve the issues found.

What is a Red Team Test?

A Red Team Test provides insight into the state and effectiveness of your IT security. It answers questions such as: how quickly are intrusions detected? Where are the greatest vulnerabilities, and how effective are the SOC and SIEM? Which functions in security products are underused, and which products can be discarded? A Red Team Test gives confidence: you can tell management how quickly intruders are spotted and how the security budget has been, or can be, spent wisely.