What is a Red Team assessment and why are they so important?

Project information, confidential documents, invoices, source code for solutions developed by the company… This is the information that the malicious group HellCat claims to have stolen from Ascom, a Swiss multinational specializing in implementing communications systems in companies.
The hostile actors used compromised credentials of Ascom professionals to access Jira, a ticket management software used by thousands of companies worldwide.
This incident highlights, once again, the importance of companies with a high level of technological maturity carrying out a Red Team assessment to uncover weaknesses in their security strategy and remedy them before cybercriminals can exploit them.
What is a Red Team assessment?
A Red Team assessment is an offensive cybersecurity service that goes far beyond a conventional security audit. It consists of simulating real attacks, carried out by professionals with in-depth knowledge of the tactics, techniques, and procedures (TTPs) used by malicious actors.
By simulating hyper-realistic attacks, a company’s incident prevention, detection, and response mechanisms can be tested in order to optimize them and increase their resilience.
Below, we discuss the key aspects of Red Team services.
What are the characteristics of a Red Team assessment?
The best way to explain what a Red Team assessment consists of is by breaking down its main characteristics. This allows us to see the notable differences between a Red Team assessment and other cybersecurity services, such as penetration testing or security auditing.
- Simulation. The first characteristic of a Red Team assessment is that it is a simulated cyberattack. For example, many Red Team exercises involve ransomware simulations to study how an organization would react to a real attack. Malicious actors seek to infect business assets with ransomware to steal data, threaten business continuity, or extort the company.
- Concealment. Unlike other cybersecurity services, a Red Team assessment is carried out without the company’s defensive teams being aware of it, so that their real-world detection and response can be measured. In addition, to achieve all their objectives, Red Team professionals need to go completely unnoticed, so they rely on evasion and obfuscation techniques to avoid detection while maintaining persistence.
- Objectives. Security audits only seek to detect vulnerabilities in an organization’s infrastructure, while pen-testing services focus on achieving a specific objective for which they must detect and exploit vulnerabilities. While a Red Team assessment also defines particular objectives, these are more ambitious, as the mission is to compromise the security of the organization where the exercise is carried out. The aim is to compromise the three pillars of an organization:
  - a. Technology.
  - b. People.
  - c. Procedures.
- Scope. The scope of a Red Team assessment is the entire company undergoing the evaluation. This distinguishes Red Team assessments from penetration tests, whose scope is limited to, for example, a specific business asset. In addition, we must bear in mind that when designing a Red Team exercise, multiple attack scenarios can be assumed in order to maximize the value of the Red Team assessment.
- Duration. Given the ambitious objectives of a Red Team assessment and its broad scope, it is logical that it should take much longer than other cybersecurity services. Thus, it is common for a Red Team assessment to extend beyond three months.
What should be considered before conducting a Red Team assessment?
The characteristics we have outlined show that a Red Team assessment is an advanced cybersecurity service that is not equally valuable for every company. Why?
Organizations with a low level of technological and cybersecurity maturity do not need to undergo a Red Team assessment. On the other hand, for companies with a powerful technological infrastructure and high cyber exposure, these services offer significant added value.
How can companies determine whether they need a Red Team assessment? They should:
- List all the assets that form part of their technological infrastructure and verify their relevance to the operation of the business, including third-party software and hardware.
- Carefully analyze the impact of a serious incident on their operations, financial health, and reputation.
- Consider their legal obligations regarding cybersecurity, as well as the legal consequences of serious incidents, such as a violation of data protection regulations resulting from a security breach.
- Be aware of the main threats facing their economic sector and companies of their size.
This information is not only useful for deciding whether to carry out a Red Team assessment but is also critical when agreeing on the exercises to be performed.

How does a Red Team assessment work?
To understand how a Red Team assessment works, we need to break down the phases that make it up, which are similar to the Cyber Kill Chain, i.e., the sequence of a real cyberattack. After all, the professionals in charge of a Red Team assessment must simulate the behavior of real malicious actors.
- Intelligence gathering. Information is collected about the organization and the threats it faces.
- Designing Red Team scenarios. Based on the information obtained in the previous phase and the knowledge accumulated by the professionals in charge of the Red Team assessment, specific attack scenarios are designed for the organization.
- Detecting vulnerabilities. A thorough search is conducted for exploitable vulnerabilities that could compromise the company’s security.
- Exploitation of vulnerabilities. Vulnerabilities are actively exploited using the tactics, techniques, and procedures employed by hostile actors.
- Lateral movement and privilege escalation. Red Team professionals implement tactics to move through corporate systems and escalate privileges in order to achieve their objectives.
- Persistence and remote control. In addition, as mentioned above, they also seek to remain undetected in the company’s systems and networks for as long as possible. To do this, they use advanced techniques that enable persistence and remote (command and control) access to the compromised systems.
- Achievement of objectives. In the final phase of the attack simulation, actions are carried out that demonstrate the ability to compromise critical assets or functions of the company.
- Analysis. The information gathered throughout the exercises is used to prepare a report with recommendations that enable the company to improve its security posture.
What are the benefits for companies of undergoing a Red Team assessment?
The data obtained during a Red Team assessment, together with the expertise of the professionals who carry it out, can bring significant benefits to companies:
- Detect vulnerabilities across the organization and measure the consequences of their successful exploitation.
- Train the Blue Team by confronting them with 100% realistic attack scenarios.
- Optimize the response to security incidents to reduce reaction times and effectively contain malicious actors to mitigate the impact of incidents.
- Provide a list of recommendations to improve a company’s security posture and implement more effective prevention mechanisms.
- Improve resilience to advanced persistent threats and limit the impact of the most sophisticated attacks.
- Continuously update the security structure, taking into account the most innovative malicious tactics, techniques, and procedures.
- Comply with increasingly stringent cybersecurity regulations. Conducting a Red Team assessment on a regular basis not only helps increase an organization’s resilience but, in some cases, is mandatory. For example, financial institutions subject to the DORA regulation must carry out TLPT (threat-led penetration testing) exercises, which include a Red Team assessment.
Conclusions: the importance of undergoing periodic evaluations
In short, conducting regular Red Team assessments is essential for many companies with a high level of cyber exposure and whose business continuity could be threatened by a serious security incident.
Through this type of service, a company can:
- Verify the efficiency of its incident prevention, detection, and response mechanisms and teams.
- Measure the impact of potential cyberattacks on critical assets and business functions.
- Implement the measures recommended by Red Team professionals to increase its resilience.