Red Teaming | AEC.cz

Red Teaming

This is a term derived from a Red Team, referring to a team of experienced ethical hackers performing simulated attacks while using the same sophisticated means as real attackers. The so-called Blue Team is the force opposing the Red Team in the target company. Blue Team is a team of experts specialized in security, detection and the resolution of cyber incidents. The team aims to do everything in their power in order for the attack not to succeed. And in case it has already succeeded, then to detect it and detain it as quickly as possible, while preventing its recurrence.


 

Do not Rest on Your Laurels

Compliant with its internal security policy, a multinational telecommunications company regularly performed penetration testing and security audits of its individual systems, infrastructure and employees. Any serious bugs detected over the course of this testing and audits were corrected in cooperation with the suppliers on a regular basis, and subsequently, a re-test was performed to verify the quality of the deployed countermeasures.
Recently, the company has also started building its own Security Operations Centre (SOC) team aiming to establish a single point of complex centralization of security event and incident management in order to minimize incident response times and any resulting damage.
One Wednesday, it was autumn and near the end of working hours, several selected management members received an anonymous e-mail claiming that a group of attackers – hackers had infiltrated the company’s critical systems containing customer data. Unless the company pays the required amount in the specified cryptocurrency within 48 hours, all this data will be published. A link to a data archive was attached as evidence. After data analysis, the thing they feared the most was confirmed – it really was a selection of data from their production databases.
The management has been already aware that notwithstanding the request for the ransom to be paid, the detected incident has to be reported in compliance with the GDPR, since the security of customer personal data has clearly been compromised. The situation thus looked twice as bad and the following media coverage of the incident resulted in a sharp outflow of customers.
But what happened? Where did the company make a mistake? After all, it had all its systems regularly tested and audited. And it has been building a SOC team to deal exactly with such cases of attack detection and prevention as well. At this point, it is appropriate to quote John Chambers, Cisco’s CEO: “There are two types of companies: those that have been hacked, and those who don't know they have been hacked.”
Analysis of the attack gave us the answer to the question stated above. Yes, the individual isolated systems were secured above standard. However, the attackers, after gaining an initial access to the network by phishing a new helpdesk employee, elegantly wove around the internal infrastructure and got all the way to the protected segment of the network, using a successful privilege escalation to gain access to sensitive data. They avoided all tested and secured systems, in fact, they did the opposite – targeted their attacks on the older, even forgotten machines, which could be still found in the network. After that, they accessed the aforementioned secured systems in the administrator role, bypassing security measures in the process.
The attack vector described above is completely out of scope for any standard penetration testing or a security audit, but it would be detected through Red Teaming.

Solution Description

Comparison with penetration testing

For better understanding, we will start the description of the Red Teaming service by comparing it to the penetration testing. Probably every more informed person working in IT, and especially one in its security segment, has heard the term penetration testing. A popular way to describe penetration testing is to show it as a simulated attack on a selected IT area. The subject of penetration testing is always a certain isolated part of the company's IT ecosystem, such as a web app, desktop app or network infrastructure. The word isolated in the previous sentence should be twice underlined. Because the greatest weakness of the penetration testing lies in this very isolation. As a result of periodical performance of this testing, we may get an information that all security risks have been mitigated to an acceptable level and the tested system is resistant to attack.

However, what we do not learn from the penetration testing results, is that the system can be compromised by sending an e-mail containing malware to its administrator or that it is possible to break into its data by compromising a completely different system, which however shares the same data storage with the original system, etc. Simply put, penetration tests are narrowly focused on a specific area and thus by definition, they cannot cover the complexity of interconnections in the whole company's ecosystem and the resulting risks.

Penetration testing Red Teaming​
  • Methodical approach
  • Strictly defined scope
  • Usually takes 1-3 weeks
  • Announced in advance
  • Aiming at identification of vulnerabilities in a specific area
  • Flexible approach
  • Unlimited scope
  • Usually takes 1–3 months
  • Secret, only the White Team is aware of it
  • Aiming at testing the resistance of the whole company’s environment to an attack
 

Red Teaming

In this chapter, it is the Red Teaming’s turn. This is a term derived from a Red Team, referring to a team of experienced ethical hackers performing simulated attacks while using the same sophisticated means as real attackers. Red Teaming includes a very wide range of attack vectors and targets people and technology, as well as physical assets. In addition to attempting penetration by the exploitation of vulnerabilities in a specific technology, it also utilizes the means of social engineering, gathering information from open sources (OSINT, dumpster diving) or physical intrusion.

The so-called Blue Team is the force opposing the Red Team in the target company. Blue Team is a team of experts specialized in the prevention, detection and the resolution of cyber incidents. The team aims to do everything in their power in order for the attack not to succeed. And in case it has already succeeded, then to detect it and detain it as quickly as possible, while preventing its recurrence. Currently, for most larger companies, these are the Security Operations (SOC) or Cyber Defence Centre (CDC) departments.

Red Team vs Blue Team

The roles of the Red Team and the Blue Team are asymmetrical. In the initial phase, when the attacking team tries to penetrate the internal network protected by the defence team, the Red Team has the upper hand. The Blue Team has to secure each of the many potential attack vectors - and that is a very wide field. The attacking team only needs to find one vulnerability, one mistake, take advantage of the trust of only one employee and it will gain access to the network.

However, at this point, the situation is reversing. The advantage tilts in favour of the defence team. The attacking team enters the unfamiliar soil of the internal network, which is firmly under the Blue Team’s control. As soon as the Red Team makes a single mistake here, starts behaving too "loudly", activates the honeypot or brings attention to its activities in any other way, it is unmercifully removed from the internal network by the Blue Team and its work starts all over again. The comparison with the imaginary cat-and-mouse-game is more than appropriate here. And in case the Red Team enters the Blue Team’s field, what is really its goal?

The goal is to come undetected and obtain the so-called Flag, which is defined in accordance with the client at the beginning of the Red Teaming exercise. For example, it can mean gaining access to a certain segment of the internal network, access to a specific server or the data prepared upfront in the database, physical access to the server room, stealing a laptop or installation of a HW backdoor. The principle is to define the Flag in a way allowing to say after it has been claimed by the Red Team that the security on the technical, physical and process level is not sufficient enough to prevent a targeted external infiltration. The whole attack including any dead ends and failed infiltrations is then analysed and described in detail in the resulting report. It also contains recommendations for successful protection across various areas.

It follows from the statements above that to gain results as close to reality as possible, it is necessary not to inform the target company’s employees, and above all, the people in IT departments (IT Operations, SOC, CDC) about the Red Teaming exercise. Only a very close circle of people, the so-called White Team, knows about the Red Teaming activities at the customer’s. This team provides cooperation over the course of the service rendering process. If agreed, the attacks may take place also outside working hours, which requires the contact person to be available at any time. In case of physical intrusion, the Red Team members get the so-called Get Out of Jail Free card to identify themselves in case they are successfully discovered.

Solution Benefits

Our solution makes sense because:

    • We will simulate attacks precisely as the real attackers would execute them
    • We will detect attack vectors, which were out of scope for the penetration testing and audits
    • By executing the Red Teaming, the Blue Team (SOC) is being tested and educated at once
    • We will test the resiliency of the whole company's environment, not only one isolated system
    • We will test the physical, psychological and cyber security aspects

References

We have a long-term cooperative relationship with companies and organizations across the market. You can find multinational companies among our customers, as well as small companies and entrepreneurs. We try to satisfy everyone's requirements as much as possible and provide custom services with regard to their size and area of operation. We will be happy to provide specific references upon request.