Security News

<< Next Post - Previous Post >>

How to build a Red Team and Why?

I recently gave a talk at the Rant Forum in London on the topic of "RedTeam, why this is more than a buzz word?". It was an interesting experience and whilst different from traditional security events, as the crowd can and will interrupt you at any time, it was very enjoyable.
Many attendees asked if I could produce some "slides" after the talk. As no slides were used, below is a collection of notes from wich the talk was based on.

In this post we will explain what RedTeam is, how does it fit with other similar security services and what advantages does it bring to an organisation. We will also look into what works? what doesn’t? And where is this “new” type of service going?
1. DEFINITION
A Red Team is part of a trio of services which increases in sophistication: Vulnerability Assessment, Penetration Testing and then Red Teaming. We will describe below what each of those services typically delivers through an example against a typical company selling/buying goods.

1.1 Vulnerability Assessment
This service attempts to answer the question: "How many potential security vulnerabilities does the company have?".
It is traditionally a semi automated security scanning service, cheap, aimed at audit check lists and further risk management reviews. It provides a baseline security view highlighting potential security vulnerabilities across a large number of assets.

In our typical company example, it would provide a (lengthy) report listing potential issues affecting the company's web servers, database missing a patch, servers running old Operating System, etc.
Risk managers would need to review (and try to understand) those findings to decide which of those potential vulnerabilities would need more attention to confirm their existence and impact to the company.

1.2 Penetration Testing
This service attempts to answer the question: "Is a company's specific asset really vulnerable?"
It is typically focused on critical assets requiring more advanced/manual skills and found vulnerabilities are confirmed/exploited. Although the cost is higher it also provides a much more accurate technical security assessment of a given asset.

In our previous example, it would provide a technical report explaining how to exploit a vulnerability on the company's web server, and potentially highlighting other related issues such as the fact it is possible, through the compromised website, to access all their clients credit cards details.

1.3 Red Team
This service attempts to answer the question: "How can the company actually get hacked and what could a hacker do?"
It is a relatively new type of service, the name comes from the Military and differentiates between a Blue team (defence) and a Red team (attack).
A Red team engagement is not restricted to an asset and is instead scenario based. Its aim is to emulate as realistically as possible how different threat actors may target an organisation/infrastructure to achieve their goal. Threat actors and their level of sophistication will depend on the engagement.
As such, the scope is wider: Physical security, Open Source Intelligence, Social Engineering and advanced IT Security attacks.
It means other forms of vulnerabilities can be found and different paths to the targeted information or outcome will be explored.

Arguably, Pen Testing engagements that include various attack methods could be considered similar to Red Team engagements. However, there is a major difference: Pen testing activities will varies greatly in their scope and ambition whilst Red Team activities will always be scenario based with a very wide and broad scope to achieve their goals.

In our previous example, a Red Team engagement would first seek to understand the company's business critical processes/data and would identify, beforehand, that although credit card details are of course sensitive, the most important company's data is their price list (product purchase price/margin/location/vendors/buyers) which if leaked would badly harm the company for years to come.
A scenario targeting that secret price list will be defined and tested. Compromising their website will not be the end goal but one of the many starting points to move laterally within the company exposing different physical/human/cyber security gaps resulting in the disclosure of their trade secret.

2. CHALLENGES
The first challenge when building a Red Team is finding the people with the right skills. Whilst for Pen Testing activities you can use people with different level of experience from beginners to veterans, it is not possible with Red Team Activities.
You can only use very experienced security professionals with a wide area of knowledge (Network, programming, Architecture, OSI, etc) and with a deep understanding of both attack and defence technics.
You also want hackers skills but not hackers behaviours, again, this is where recruiting experienced professionals can help. Yet, you need people willing to push the boundaries (within the laws) and not be too restricted by their past regimented/change controlled work experience.
In other words, you need exceptionally experienced individuals with creativity, curiosity, integrity, and who can understand both how hackers and corporations think/behave.
There is also a challenge related to staff retention. Not only will they be in high demand but they can also rapidly get bored if not actively doing Red Team "stuff" (aka hacking), All the preparations, upper management relationship, marketing, legal, business related activities should not be driven by those core Red Team individuals.
Another challenge is to get the right mandate and support at a high level within the organisation to allow the Red Team activities to go uninterrupted. Getting those wavers or carte blanche before a Red Team engagement is key to its success.
Finally, a Red Team must be able to provide a realistic hacking view whislt still operating under certain rules and laws.

3. TECHNICS
The technics from a Red Team engagement are not much different from a Pen Test, they will however cover a wider ground through physical and logical exploitations.
Following a typical 5 phases cycle, a Red Team engagement will go through Reconnaissance, Exploitation, Foothold, Exfiltration and Reporting phases. Some of technics used more specifically in Red Team involve:
- Open Source Intelligence Profiling of the targeted assets/individuals;
- Physical reconnaissance of the targeted buildings/individuals;
- Physical breach testing such as access card cloning, lock picking, eavesdropping, social engineering, etc;
- Physical and Logical compromise using listening devices if authorised, network tapping, WIFI Man in the Middle, spear phishing emails with actual payloads, etc;
- Logical exploitation of servers and lateral movement within the targeted organisation.

4. WHAT DOESN'T WORK?
- Just renaming a Pen Testing Team to a Red Team doesn't work. It requires a slightly different mindset, drive and expertise;
- As mentioned in the Challenges above, keeping this type of staff happy is difficult especially when starting a new Red Team where roles and responsibilities are often not fully defined or enforced;
- Finding relevant and up to date training for Red Team is complicated, because almost all conventional Security Training courses do not go far enough to gain those cutting edge hacking skills required;
- Red Team staff may not be given enough time for their own training/research. They need to dedicate a lot of personal and continuous time to research, read, listen, watch hacking new technics/incidents through more esoteric sources of information such as attending hacking conferences, joining hacking forums, etc;
- Red Team Scenarios can sometimes be too wide with no real milestones/goals and also be too ambitious.

5. WHAT DOES WORK?
- As an answer to the previous point, what works is setting up clear milestones, and call out contextual wins whenever possible. Such as a webserver getting compromised along the way to the real target;
- When setting those milestones they must be mapped to the different Red Team engagement phases. If they are not reached within a set timeline, the missing information/access should be provided so progress can still be made through the different layers of the targets' security onion or through the lense of a different threat actor (i.e.: malicious insider);
- Stakeholders get better context, they understand the results better as they are more relevant to their understanding of the business risks. When presenting back, being able to do live demonstration pertinent to the audience will make those stakeholders take notice, remember and engage more;
- To get better context, Red Team engagement scenarios should be intelligence led using different sources from business insight, industry threats to more global threat intelligence;
- The methods and results of a Red Team engagement will be more realistic than any other cyber exercises. Instead of providing an "issue snapshot" they provide a fuller "issues, gaps and risks view" over a complete kill chain;
- Having a small and motivated team with different skills bouncing back ideas will help creating a creative environment and drive better results.

6. FUTURE
The increase interest in Red Teaming shows a desire and need for a more realistic way of assessing a company's security. In many ways it is a more offensive framework of doing security.
Offensive is a key word here, there is a trend for more offensive security within the corporate world and although companies are currently only turning those skills against their own/internal assets, it is only a small step to attack hackers back with all the legal challenges this type of activty would bring.
As we see an increase of cyber attacks done at an international/governmental level, it will be interesting to see how Red Teams evolve in such geopolitical context in 10 years times.

To conclude, arguably you could say an advanced vulnerability scanning is similar to a Pen Testi exercise, and an advanced Pen Test exercise is similar to a Red Team engagement.
These 3 services are not the same, they got different names not for marketing reasons but to help differentiate the level of expertise and scope each of those services will provide.
Red Team engagements are making a real difference on how security is stress tested within the corporate world and are helping raise the efficiency of security controls. Also, it is the closest, today, one can get to (legally) hire an active hacker!

<< Next Post - Previous Post >>