What is Red Teaming?
Red teaming is a proactive approach to cybersecurity, where a group of ethical hackers simulates real-world attacks on an organization's systems to identify vulnerabilities and test its defenses. This process helps organizations improve their security posture by revealing weaknesses before malicious actors can exploit them.
To help you gain a better understanding of this particular exercise, we're going to explain what red teaming is, including common tactics and the benefits. We'll also answer some frequently asked questions and give you some questions of your own to ask when deciding whether to move forward with a red teaming exercise.
That way, you'll be better able to judge whether it's the right thing for your organization.
What is Red Team Testing?
To start, let’s define what red teaming is.
A red team assessment is a truly comprehensive evaluation of your organization's overall security posture. Unlike narrower options such as a penetration test, which has a specific focus, a red team assessment lets you set a broader mandate that tests any aspect of your security, including your physical security and your employees' resistance to social engineering campaigns.
Once you decide the objective for the exercise, the red team you engage acts as real-world attackers would, attempting different, sophisticated, and sometimes unrelated combinations of techniques against the systems and people you have placed in scope. They challenge your defensive strategies and assumptions and then identify the gaps or flaws in them.
That's why the success of a red team exercise isn't measured by the number of systems breached or vulnerabilities discovered. Rather, the exercise is a success when you use the red team's unique perspective and practical suggestions to improve your organization's overall security posture, whether that means additional controls or additional employee training.
Penetration Testing (Pen Testing) vs Red Teaming
Penetration testing involves simulating a specific attack from a malicious actor, with your organization's full knowledge and cooperation, to evaluate the technical controls and security of a specific system, application, or network. When you engage a pen test team, their goal is to identify vulnerabilities in the tested system so that you can shore up those areas before real attackers exploit them.
Though red teaming and penetration testing are similar in that they both involve simulating or emulating an attack from an adversary and a review of the weaknesses in your technical controls, red teaming also assesses your human processes and procedures (e.g., user awareness and incident response).
General Steps of a Red Team Assessment
The ultimate goal of a red team assessment is to identify alternative ways to gather information or exploit vulnerabilities in your environment. Each red team will likely tailor its approach to the engagement (as is the case for Schellman's red team methodology), but most red team exercises unfold in the following steps:
1. The red team works with decision-makers to determine your objectives and discuss potential outcomes.
2. Operators work to find vulnerabilities and entry points and develop a targeted approach to your security measures.
3. Through this active testing, red teamers identify attack paths and select the ones whose successful exploitation will help achieve the goal of the assessment.
4. The red team employs its chosen assessment techniques to safely attempt to circumvent your security measures and gain access to systems.
5. Credential Access / Discovery and Lateral Movement: having gained access, the red teamers analyze what they have obtained to determine whether the acquired privileges are relevant to the objectives and adjust as necessary.
6. Red team operators attempt to access sensitive information in the targeted environment while avoiding detection.
7. After the simulated attack is complete, the red team shares its findings in a report and discusses with you how to move forward and strengthen your security.
Common Red Teaming Tools and Tactics
Red teaming and its holistic approach can provide you with a thorough understanding of how well your security operations deal with a threat, but what does a red team do during the exercise to unlock this knowledge?
As we mentioned before, a red team exercise mocks an actual attack. Therefore, during your assessment, your red team will mimic techniques and tools available to malicious actors that would seek to find ways past both your physical and cyber security. This range of tactics could include:
- Application Penetration Testing – Used to identify application layer flaws such as injection flaws, broken authentication, security misconfigurations, and more.
- Network Penetration Testing – Used to find flaws within the organization's network or systems, including wireless network vulnerabilities, that create security risk.
- Physical Penetration Testing – Used to assess physical security controls and security personnel by attempting to access targeted areas—e.g., walking directly into your server room and attempting to extract sensitive data.
- Social Engineering Penetration Testing – Used to gauge the security awareness and readiness of your personnel through techniques like phishing, spoofed phone calls, and more.
Because red teaming is meant to measure the security capabilities of your people, networks, and physical security controls, you should expect (and prefer) a strong red team to use a combination of these tactics to breach your defenses.
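The application-layer "injection flaws" mentioned above are easiest to understand side by side with their fix. The following is an added example, not code from the original article or from Schellman: a constructed in-memory SQLite database with a login check written two ways. The vulnerable version splices the user-supplied password straight into the SQL text, so the classic input `' OR '1'='1` logs in without the password; the hardened version binds the same input as a parameter and rejects it. Plaintext password storage is kept only for brevity and is itself a finding a tester would report.

```python
import sqlite3

# Constructed sample data for this demonstration only (not from the original article).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
INJECTION = "' OR '1'='1"  # classic tautology payload used in the vulnerable query


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    # Real systems store a salted password hash; plaintext is used here only to keep the example short.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USERNAME, PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injection flaw: untrusted input becomes part of the SQL statement itself."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With password = ' OR '1'='1 the WHERE clause becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is always true, so the check passes without the real password.
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: a parameterized query binds the input as data; it is never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run both implementations against a valid login and the injection payload."""
    conn = build_db()
    return {
        "vulnerable_valid_login": login_vulnerable(conn, USERNAME, PASSWORD),
        "vulnerable_injected": login_vulnerable(conn, USERNAME, INJECTION),
        "hardened_valid_login": login_hardened(conn, USERNAME, PASSWORD),
        "hardened_injected": login_hardened(conn, USERNAME, INJECTION),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the block shows the vulnerable login accepting the injected string while the hardened login rejects it. A tester reporting this would recommend parameterized queries everywhere user input reaches a query, and would also flag the plaintext password storage.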
4 Big Benefits of a Red Team Assessment
Assuming your organization could benefit, the next question is how. What advantages do you stand to gain from this type of investment?
- In-Depth Analysis of Your Organization's Cybersecurity Strength and Effectiveness: This is the most obvious benefit, but note that a red team can also identify risks and vulnerabilities that may not be apparent otherwise. Because the red team was not involved in building your defenses, it brings a more objective view than those invested in your company can, and that objectivity is crucial for avoiding situations with severe consequences.
- Improved Overall Security Culture: A red team's criticisms can help spark new ideas and perspectives from and among your internal security team, and that can lead to more creative and effective solutions and create an environment that encourages questioning, problem-solving, and continuous improvement.
- Enhanced Adaptability: Your red team consists of cybersecurity experts with the latest knowledge of pertinent threats, so their work could also enlighten you about different viewpoints and possible scenarios, enabling you to bolster your preparedness in areas you might’ve not previously considered while also reducing your risk of a costly breach.
- FedRAMP Compliance Help: Under control enhancement CA-8(2) in Revision 5 of FedRAMP's security baselines, cloud service providers (CSPs) are now required to perform (or engage a 3PAO to perform) red team assessments. While this makes a red team investment a requirement, the benefit for CSPs is in clearing this hurdle on their path to FedRAMP Authorization.
Are You Ready for a Red Teaming Exercise? 3 Questions to Ask
Still, before you proceed with a red team assessment, there are three questions you should ask.
1. Does Your Organization Already Perform Risk Assessments Through Pen Testing/Vulnerability Management?
Because red team engagements are designed to provide an adversarial view of security risks based on real-life scenarios that could affect your organization, you should already have the understanding of your risk environment and security strategy that risk assessments and vulnerability management provide.
2. Does Your Organization Have a Defense Team or a Security Operations Center (SOC)?
Red teams challenge your defense (blue) team and find gaps in your security, but an assessment may not lead to significant improvements if you don't have a defense team in place to act on the findings.
3. What Do You Want Out of a Red Team Assessment?
Again, these endeavors are comprehensive, but they can still be tailored to suit your organization, and you must align the assessment goals with your specific security needs and strategy.
Red Teaming FAQ
Why Is It Called Red Team?
The term “Red Team” comes from military wargames where the red team signified the attackers.
How Long Does Red Teaming Take?
Because red teaming is a complex operation that assesses your entire security ecosystem for exploitable security vulnerabilities, there’s no simple answer. What we can tell you is that important factors that may affect the timeline include your objective, any included physical locations, the number of staff, and more.
What is the Difference Between Red Teaming and Blue Teaming?
Red teaming mimics a real-life cyberattack the way a malicious actor would carry it out. Blue teams focus on detecting and defending against the red team. (When the two teams work together and share information throughout an exercise, you get a purple team assessment.)
Who Needs a Red Team Assessment?
Any organization that wants to improve its security posture and discover vulnerabilities that an independent third-party assessor is better placed to find will gain from a red team assessment, but if you fall into one of the following categories, you could particularly benefit:
- Organizations with large and complex networks—think multinational corporations—may have vulnerabilities that are more difficult to detect without a comprehensive test like a red team assessment.
- Organizations with a mature security program could use a red team to test the effectiveness of their robust control implementation efforts and identify any remaining gaps.
Though it will involve building a solid knowledge base and thorough preparation, collaborating with a trusted red team can help you gain confidence in the proactive measures you’ve taken to protect your business against cyber threats. Now that you understand a bit more about how it works and its benefits, you can move forward more confidently in assessing your different cybersecurity options.
If you still have questions, Schellman does perform red team engagements. Our team has been extensively trained and has experience with:
- Industry-standard red team and offensive security-focused certifications
- Various operating systems
- Various programming languages
- Building custom security tools
- Social engineering (phishing (e-mail) / vishing (phone) / smishing (text message))
- Open-source intelligence gathering
- Physical penetration testing techniques
- Advanced persistence techniques (MITRE ATT&CK framework), as well as other necessary skills.
Are you ready to see how your organization and security teams will hold up against a red team assessment? Contact us today to start the conversation regarding how best to achieve your specific security goals.
About JOSH TOMKIEL
Josh Tomkiel is a Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience in the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.