A Red Team in cybersecurity is a group that, with the organisation's sponsorship, attempts to compromise corporate systems the way a real adversary would: an external attack, classic penetration, long-term persistence, privilege escalation inside corporate systems and even alteration or theft of strategic business information.
To appreciate the benefits of Red Team services, it helps to understand how they differ from conventional penetration tests.
A penetration test takes a snapshot of one's security status across a limited number of assets, at a specific time and under specific conditions. Even though a penetration test is a great tool for revealing ad hoc network vulnerabilities, it does not provide contextual information on the global security of the infrastructure. Time and scope limits mean the results reflect only the security level at that moment, not the organisation's overall resilience.
The Red Team periodically reports findings and planned next steps to a select group of people designated by the client. This way, the client always stays up to date on the progress of the campaign and receives first-hand information on how the defending team (Blue Team) is performing.
Benefits of Red Team services
Red Team services help an organisation detect and contain an intrusion at an early stage, preventing theft of strategic information and corporate system downtime. This goal is achieved gradually through:
- Detection of the company's cross-cutting weaknesses.
- Improvement and strengthening of response procedures.
- Improvement of monitoring systems, identifying and solving gaps in the detection process and in event analysis.
- Training of security personnel to respond to real incidents.
Together, these benefits accelerate the maturing of the defensive team's capabilities, so that potential threats can be countered more effectively.
From Perimeter Breach to Ransomware Simulation
Red Team Scenarios
Red Team Scenarios mimic threat actors such as remote attackers or malicious employees and objectives such as ransomware deployment, among others.
Companies are continuously exposed to threat actors that can introduce risk in several ways. In that context, our Red Team simulates a specific threat actor pursuing a particular objective; that combination is what we call a Red Team Scenario.
The following table illustrates some alternatives, grouped by threat actor, attack vector and objective, that can be combined to define the most suitable Red Team Scenario for a particular exercise:
Threat actor
- Remote attacker
- Compromised third party or collaborator
- Compromised or disgruntled employee
- Activist / terrorist
- Any other threat actor to be agreed with our clients
Attack vector
- Vulnerability exploitation
- Social engineering (including phishing)
- Password guessing
- WiFi or Ethernet
- Remote access or VPN
- Leaked information (including user accounts)
- Privilege escalation
Objective
- Targeted compromise (ERP, Treasury, OT, SCADA)
- Deploy ransomware
- Leak sensitive information
- Leak/manipulate/sabotage products (software, patents)
- Force payments
- Any other objective to be agreed with our clients
Red Team scenario examples
Like a real threat actor, the Red Team can run several scenarios within one engagement to maximise the chance of reaching its objective.
By choosing the most relevant threat actors and objectives, it is possible to define specific Red Team Scenarios that reflect what can be found in a real environment. The following scenarios are only representative examples:
- A competitor using a leaked user account to access sensitive information (patents)
- An activist exploiting a vulnerability to reach SCADA infrastructure and carry out sabotage
- A disgruntled employee colluding with an outsider to make a fraudulent payment to a third-party account
- A compromised partner with access to corporate services, leading to a major compromise and ransomware deployment
This list is endless, and any realistic scenario can be reproduced as a Red Team Scenario.
It is important to note that Red Teaming is much broader than any single scenario, but Ransomware Simulation exercises have attracted particular attention in recent months. As ransomware attacks become more frequent and sophisticated, organisations are increasing their efforts to prepare for one. Frequent questions clients ask us:
- Is my organisation prepared to face a ransomware attack?
- Would my defensive layers identify, contain and recover from a targeted ransomware attack?
- Has my organisation learned lessons from ransomware attacks suffered by others?
Resilience against a ransomware attack
If any of your answers was "no", consider running a Red Team Scenario focused on Ransomware Simulation. For this particular scenario we suggest two distinct stages:
- Red Team Scenario: performing the activities of a Ransomware Simulation exercise by replicating a realistic targeted ransomware attack.
- Gap analysis: an advisor reviews how the client's defensive layers detected, contained and recovered assets during the scenario and identifies improvements you can implement.
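The two stages above, as an added illustration that is not the vendor's tooling and not code from this page: a reversible simulator that reproduces the observable behaviour of a ransomware run (mass read, encrypt, rename, ransom-note drop) inside a marked sandbox directory, paired with a recovery check that reports what did not come back intact. The sandbox marker, the `.locked` extension, the note name and the sample file contents are all assumptions chosen for the example; the SHA-256 counter keystream is deliberately simple because the key never leaves the tester and only exact reversibility matters.

```python
"""Constructed, reversible ransomware-behaviour simulator for a sandbox directory.

Added example, not the vendor's tooling. It reproduces the observable behaviour
a Blue Team should detect while keeping the key with the tester so that
recovery is guaranteed and verifiable.
"""
import hashlib
import json
import secrets
from pathlib import Path

MARKER = ".RT_SIM_SANDBOX"          # assumed: refuse to run anywhere this file is absent
LOCKED_EXT = ".locked"              # assumed extension, mimicking what a real family appends
NOTE_NAME = "README_RESTORE.txt"    # assumed ransom-note name


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter keystream: deterministic for a (key, nonce) pair so
    decryption is exact. Cryptographic strength is irrelevant here."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def seed_sandbox(root: Path, count: int = 5) -> list:
    """Create the sandbox marker and `count` constructed victim files."""
    root.mkdir(parents=True, exist_ok=True)
    (root / MARKER).touch()
    files = []
    for i in range(count):
        p = root / f"quarterly_report_{i}.docx"
        p.write_bytes(f"constructed sample content {i}\n".encode() * (i + 1))
        files.append(p)
    return files


def simulate(root: Path, key: bytes) -> dict:
    """Stage 1 (Red Team Scenario): encrypt, rename and drop a note.
    Returns a manifest the tester keeps off-host for the recovery check."""
    root = root.resolve()
    if not (root / MARKER).is_file():
        raise RuntimeError(f"{root} is not a marked sandbox; refusing to run")
    manifest = {}
    for p in sorted(root.iterdir()):  # sorted() materialises the list before we delete
        if not p.is_file() or p.name in (MARKER, NOTE_NAME) or p.suffix == LOCKED_EXT:
            continue
        plain = p.read_bytes()
        nonce = secrets.token_bytes(16)
        locked = p.with_name(p.name + LOCKED_EXT)
        locked.write_bytes(nonce + _xor(plain, key, nonce))   # nonce stored in the file header
        p.unlink()                                           # original disappears, as in a real run
        manifest[str(locked)] = {"orig": str(p), "sha256": hashlib.sha256(plain).hexdigest()}
    (root / NOTE_NAME).write_text("SIMULATION ONLY - contact the Red Team lead for the key\n")
    return manifest


def recover(root: Path, key: bytes, manifest: dict) -> dict:
    """Stage 2 check: restore every file and report what did not come back intact.
    A file is only rewritten when its plaintext hash matches the manifest, so a
    wrong key leaves the locked copies untouched for a second attempt."""
    report = {"restored": 0, "mismatched": [], "missing": []}
    for locked, meta in manifest.items():
        lp = Path(locked)
        if not lp.is_file():
            report["missing"].append(meta["orig"])
            continue
        blob = lp.read_bytes()
        plain = _xor(blob[16:], key, blob[:16])
        if hashlib.sha256(plain).hexdigest() != meta["sha256"]:
            report["mismatched"].append(meta["orig"])
            continue
        Path(meta["orig"]).write_bytes(plain)
        lp.unlink()
        report["restored"] += 1
    note = root / NOTE_NAME
    if note.exists():
        note.unlink()
    return report


if __name__ == "__main__":
    import tempfile
    sandbox = Path(tempfile.mkdtemp(prefix="rt-sim-"))
    seed_sandbox(sandbox)
    k = secrets.token_bytes(32)
    m = simulate(sandbox, k)
    print(json.dumps(recover(sandbox, k, m)))
```

The marker check is the risk-management control: the simulator refuses to touch any directory the tester did not explicitly seed, and the manifest plus retained key make the exercise fully reversible before it starts. The gap analysis then compares which of the write, rename and note-drop events the monitoring stack raised, and whether the recovery report shows every asset restored, against what the Blue Team actually observed.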
This example is only one particular Red Team Scenario, but if you are interested in doing a Red Team exercise, do not hesitate to let us know. We will help you define the best Red Team Scenario for your company profile.
Red team FAQs
What is a Red Team exercise?
A Red Team exercise is the design and execution of an offensive operation that simulates a particular malicious actor. It verifies the organisation's defensive layers, identifying not only high- and critical-risk vulnerabilities but also testing the real detection and response capabilities the organisation has in place.
What is the difference between pentesting and red teaming?
While a penetration test is usually constrained to a particular scope and focuses mainly on vulnerabilities, a red team service should not be limited in scope and should focus on resilience rather than on individual vulnerabilities.
In that context, the outcome of a red team exercise is a picture of how well an organisation is prepared to face a given malicious actor.
How long does it take to conduct a red teaming service?
It depends on the exercise design. An exercise that starts with no prior information about the organisation typically needs at least three months to produce results, but that is what gives a true picture of the defensive layers. Exercises that start with some level of access to internal resources (an assumed-breach starting point) can take less time.
Mature organizations tend to hire continuous red teaming operations, allowing them to perform several exercises during the year.
Could a red team service cause any damage or disruption?
As with any other offensive service, a red team exercise could lead to undesirable situations, including damage or disruption. That is why risk management is a key component of Red Teaming: clear rules of engagement, an extremely experienced and careful team, and insurance cover for unexpected situations.
How does a red team versus blue team exercise help an organization?
During a Red Team exercise the Blue Team's technology, procedures and people are put to the test, showing whether the defensive layers work as expected.
Once the exercise is complete, joint working sessions with the Blue Team help the organisation identify areas for improvement and share lessons so that it is better prepared in future.