What Is Red Team in Cyber Security?

How can we be satisfied with cybersecurity defense capabilities that are only theoretical? We no longer have to wait to be bombarded by cybercriminals to realize whether our threat detectors, firewalls and other defensive strategies and security controls are efficient. We no longer have to wait for malicious hackers to detect vulnerabilities in our systems to be able to act on them. Although it may seem counterintuitive, in the cybersecurity field, we can request the service of being attacked. These attacks are done, though, in an ethical and regulated manner to find out how strong we are. We can hire professionals to show us vividly what an attacker could do against us and how well we and our systems would respond to those real threats. In this post, we will talk about red teams and red teaming so that you can better understand this solution.

We are not referring to Liverpool, Bayern Munich, or some similar team here. We are focused on a red team in cybersecurity. This red team is a group of individual security experts, inside or outside the target company, with the required skills and, of course, the permission to simulate "real-world" cyberattacks. In these attacks, they must emulate tactics, techniques and procedures used by today's threat actors to compromise an organization's systems and cyber defenses. Red team testing evaluates the effectiveness of the company's threat prevention, detection and response strategies. It delivers reports of detected vulnerabilities and exploitation impacts as feedback for vulnerability remediation and improvement of the organization's cyber defenses. Typically, when we talk about red teams, blue teams often come up in the conversation.

A red team is made up of specialists in offensive security (ethical hackers) whose mission, as mentioned above, is to impact and compromise an information system and its defenses. The size of this team is variable and sometimes depends on the complexity of the tasks. The members of this team are expected to have extensive technical knowledge, creativity and cunning to gain access to systems and move through them undetected. Ideally, their skills and backgrounds are miscellaneous. Some may be more adept, for example, in software development, penetration testing, social engineering, business knowledge, IT administration, threat intelligence or security controls and tools.

A blue team is made up of specialists in defensive security, including incident response consultants, for example. They must guide the organization to assess its environment and organize, implement and improve security controls to identify and stop or deal with red team intrusions or real threat actors. Their defensive work seeks to prevent damage to the structure and operations of the organization's systems. In some cases, the blue team may intervene in the planning or implementation of recovery measures. The members of this team must fully understand security strategies, both at the technological and human levels. They must be highly skilled in the detection of threats, the appropriate response to them and the correct use of tools that support these purposes.

Both teams can have as a knowledge source of tactics, techniques and procedures of threat actors the MITRE ATT&CK Framework, which is a product of real-world experiences. Usually, the red and blue teams have a leading role in the red teaming practice. However, the presence of the latter may not be indispensable.

In line with the above, to define red teaming, we refer to the offensive art with which we can help a company know how secure its systems are. Apparently, this was a practice that originated in the military context. In an adversarial approach, the idea was to confront two teams simulating reality to evaluate the quality and strength of their strategies. (Something like this happens in Attack-Defense style CTF contests for hacker groups.) This gave rise to the red team and the blue team. In a controlled environment, a red team attack tests an organization's threat prevention, detection and response capabilities and strategies —factors in which a blue team may be involved with plans, systems and standards.

Many times, the blue team or the members of the security team of the company under evaluation may not be aware that red teaming or simulated attacks are taking place. (In fact, this is ideal; see "Attacking Without Announcing.") As we discussed some time ago in regard to the TIBER-EU tests, a white team, close to the blue team, may also come into play. A white team is a small group in the organization that may be the only one aware of the red teaming. This team is responsible for approving and requesting the initiation and interruption of attacks. It also acts as a liaison between the other two groups. It is always expected that, after red teaming exercises, the target organization will mature its security by refining its controls and remediating its vulnerabilities. Incidentally, it is the company's mission to ensure that what it receives is red teaming and not just penetration testing.

Both red teaming and pentesting are offensive security approaches. In both cases, "real-world" cyberattacks are simulated under controlled conditions to evaluate system security. Among the differences often mentioned is that penetration testing acts on a narrower scope. For instance, applications under development or individual components belonging to a network are evaluated. On the other hand, red teaming is more oriented towards testing a complete enterprise environment in production with all its systems involved simultaneously. It may not focus on finding and reporting all vulnerabilities as pentesting does. The red team may concentrate on meeting specific infiltration and impact objectives. Further, some say that pentesting can be conducted by a single individual, while red teaming must involve several.

Both approaches can be integrated. A vendor can initially apply several pentesting cycles within a company's DevSecOps model. Based on what's shown in the reports, the company can perform vulnerability remediation on its systems. After these cycles, a more mature security organization can open the way to red teaming. Then, with specific objectives such as accessing a particular network element or sensitive information, for example, it is possible to test how effective the remediations have been and what security gaps there are in the systems in the face of certain types of attacks.

Red teaming can be seen as a deeper, holistic and more complex penetration testing. Because of this, red teaming can take longer than pentesting. A red team has to employ stealth and evasion. It is often said that in red teaming, as compared to pentesting, the surprise factor prevails (i.e., the blue team is unaware of the attack simulation). Nevertheless, this will depend on what is defined between the provider and the client. Also, red teaming expands the range of attack types to be used, adding, for example, physical penetration and social engineering (e.g., phishing). This means that not only the systems are put to the test, but also the personnel who manages them. That is why it can provide more and better ideas than pentesting for improving plans for prevention, detection and response to threats.

Red teams in their work can establish different objectives from the beginning, among which we highlight the following:

As we pointed out earlier, and as Rafael Alvarez, CTO of Fluid Attacks, once said, ideally, the blue team should not be aware of the execution of the red teaming. In particular, for the blue team to know the times and places where the red team intends to attack may be seen as inappropriate. "In order to know with certainty the security level of your company, these exercises must be as close to reality as possible," says Alvarez. The few members of the organization, i.e., its highest authorities, who will be aware of the red teaming, are the ones who will give the red team express authorization and legal protection for its offensive security exercise.

Red teaming must begin with the establishment of clear objectives, such as those outlined in the previous section. Once these are defined, the red team starts a passive and active target reconnaissance. In this step, the team collects all the information it can and believes necessary about context, infrastructure, equipment, operations, people involved and more. This process leads the red team to acquire and develop a variety of red teaming tools, including assessment, password cracking, social engineering and exploitation tools, that suit the objectives and the target company. The team also carries out weaponization, where, for example, the creation of malicious payloads or pieces of code takes place.

The red team then assesses the attack surface to identify vulnerabilities and entry points, including human weaknesses. Then, it defines vulnerabilities to exploit. Through social engineering, exploitation of a software vulnerability, or any other attack vector, the red team gains access to the target and executes the payload on it. This allows the team to compromise system components and bypass security controls. Attackers always take measures to prevent the blue team from becoming aware of the intrusion. If the latter succeeds, the former is compelled to struggle against any containment effort.

Subsequently, the red team tries to move within the target, keeping in mind the objectives that were initially set. If necessary, it looks for new vulnerabilities to exploit in order to escalate privileges and continue moving through the systems. Once the purposes of the exercise have been achieved, the team proceeds to a reporting and analysis stage. The experts report on what they achieved, the key identified vulnerabilities and the performance of the security controls and the blue team (if there was blue team engagement). The owners of the assessed systems can then receive support for vulnerability remediation and improvement of their procedures to prevent, detect and respond to the types of attacks involved in the red teaming.

In general terms, red teaming provides a broad view of the security status of your organization for a consequent maturation. Some of the specific benefits of red teaming we choose to highlight are the following:

At Fluid Attacks, we are experts in security testing. Our red team can perform both penetration testing and red teaming services for your organization as both parties agree to carry them out. In line with what's been described above, we recommend starting with the first method to continue with the second one as the security of your organization and its systems matures. A red team external to your work environment, unaffected by conflicts of interest, would perform evaluations without absurd inhibitions and deliver transparent reports on your prevention, detection and response measures. Our ethical hackers have certifications such as OSCP, CEH, CRTP, CRTE, CRTO, eWPTv1, and eCPTXv2, among many others. They are also very experienced, possess diverse backgrounds and skills, and work in different roles. On average, we offer more than 15 ethical hackers per project.

Contact us and let our red team hacking tell you for sure, with substantial evidence, what havoc cybercriminals could wreak on your organization's systems.