In cyber security, a Red Team's purpose is to simulate unauthorized access to corporate systems through a sponsored external attack: a classic penetration, long-term persistence, privilege escalation within corporate systems, and even the alteration and theft of strategic business information.
In order to fully understand the benefits of Red Team services, they should be differentiated from conventional penetration tests.
A penetration test takes a snapshot of the security status of a limited number of assets at a given time and under specific conditions… Even though a penetration test is a great tool for revealing ad hoc network vulnerabilities, it does not provide contextualized information on the global security of the infrastructure. Time and scope limitations distort the results with respect to the actual security level.
The Red Team periodically reports its findings, the actions taken and the actions planned to a select group of people designated by the client, so the client always stays updated on the campaign's progress and receives first-hand information on the performance of the defending team (Blue Team).
Benefits of Red Team services
Red Team services help detect and contain a penetration event at an early stage, preventing the theft of strategic information and corporate system downtime. This goal is gradually achieved thanks to:
- Detection of the company's transversal weaknesses.
- Improvement and strengthening of response procedures.
- Improvement of monitoring systems, identifying and solving weaknesses in the detection process and in event analysis.
- Training of security personnel to respond to real incidents.
All these benefits resulting from a Red Team translate into a faster evolution of the defensive team's capabilities, allowing it to counteract potential threats more efficiently.
From Perimeter Breach to Ransomware Simulation
Red Team Scenarios
Defining Red Team Scenarios that mimic Threat Actors such as Remote Attackers, Malicious Employees or Ransomware Simulation, among others.
Companies are continuously exposed to Threat Actors or Adversaries that can introduce risks in several ways. In that context, our Red Team simulates Threat Actors or Adversaries pursuing a particular objective. That is what is called a Red Team Scenario.
The following table illustrates some alternatives that could be used to define the most representative Red Team Scenario for a particular exercise:
Threat Actors:
- Remote attacker
- Compromised Third Party or collaborator
- Compromised or disgruntled employee
- Activist / Terrorist
- Any other Threat Actor to be agreed with our Clients
Attack Vectors:
- Vulnerability exploitation
- Social Engineering (including phishing)
- Password guessing
- Wi-Fi or Ethernet
- Remote Access or VPN
- Leaked information (including user accounts)
Objectives:
- Privilege escalation
- Targeted compromise (ERP, Treasury, OT, SCADA)
- Deploy Ransomware
- Leak sensitive information
- Leak/manipulate/sabotage products (software, patents)
- Force payments
- Any other objective to be agreed with our Clients
Red team scenarios examples
In fact, like a real Threat Actor, Red Team services can assume multiple scenarios to maximize success.
That way, by choosing the most relevant Threat Actors and Objectives it is possible to define particular Red Team Scenarios that match what can be found in a real environment. The following scenarios are only representative examples:
- A competitor using a leaked user account to access sensitive information (patents)
- An activist trying to exploit a vulnerability to access SCADA infrastructure and perform sabotage activities
- A disgruntled employee collaborating to perform a malicious payment to a third party account
- A partner's access to corporate services leading to a major compromise and the deployment of ransomware
This list has no end, and any realistic scenario could be reproduced as a Red Team Scenario.
It is important to note that Red Teaming is much more than a single Red Team Scenario, but Ransomware Simulation exercises have gained attention in recent months. As ransomware attacks become more frequent and sophisticated, organizations are increasing their efforts to face a potential ransomware attack. Clients ask themselves the following questions:
- Is my organization prepared to face a ransomware attack?
- Would my defensive layers identify, contain and recover from a targeted ransomware attack?
- Does my organization have the experience to learn from other ransomware attacks and draw lessons from them?
Resilience against a ransomware attack
If the answer to any of these questions is no, clients may consider performing a Red Team Scenario focused on Ransomware Simulation. For Ransomware Simulation exercises we suggest two differentiated stages:
- Red Team Scenario: performing the activities included in a Ransomware Simulation exercise by replicating a realistic targeted ransomware attack.
- Gap Analysis: an advisor analyses how the client's defensive layers detected, contained and recovered assets during the Red Team Scenario, identifying improvements the client can implement.
This is only one particular Red Team Scenario. If you are considering a Red Team exercise, do not hesitate to let us know and we will help you define the Red Team Scenario that best fits your company profile.
Red team FAQs
What is a red team exercise?
A Red Team exercise is the design and execution of an offensive operation that simulates a certain Malicious Actor in order to verify the organization's defensive layers. It identifies not only high/critical risk vulnerabilities but also tests the organization's real detection and response capabilities.
What is the difference between pentesting and red teaming?
While a penetration test is usually constrained to a particular scope and focused mainly on vulnerabilities, a red team service should not be scope-limited and keeps its focus on resilience rather than on vulnerabilities.
In that context, the outcome of a red team exercise should be a representation of how well an organization is prepared to face a certain Malicious Actor.
How long does it take to conduct a red teaming service?
It depends on the exercise designed. An exercise starting from the Internet, without any previous information about the organization, typically takes a minimum of 3 months to obtain results that represent the real situation of the defensive layers; other exercises starting with a certain level of access to internal resources may require less time.
Mature organizations tend to hire continuous red teaming operations, which allows several exercises to be performed during the year.
Could a red team service cause any damage or disruption?
As with any other offensive service, a red team exercise could lead to undesirable situations including damage or disruption. That is why risk management is a key component of Red Teaming, including not only an extremely experienced and meticulous team but also insurance policies to cover those unexpected situations.
How does a red team versus blue team exercise help an organization?
During a Red Team exercise the Blue Team's technology, procedures and people are exercised to verify that the defensive layers are working as expected.
Once a Red Team exercise has been completed, holding working sessions with the Blue Team helps organizations identify areas for improvement and share experiences so they are better prepared in the future.