Comparison with penetration testing
For a better understanding, we will start the description of the Red Teaming service by comparing it to penetration testing. Almost everyone working in IT, and especially in its security segment, has heard the term penetration testing. A popular way to describe penetration testing is as a simulated attack on a selected IT area. The subject of a penetration test is always a certain isolated part of the company's IT ecosystem, such as a web app, a desktop app or the network infrastructure. The word
isolated in the previous sentence deserves to be underlined twice, because the greatest weakness of penetration testing lies in this very isolation. As a result of performing such tests periodically, we may learn that all security risks have been mitigated to an acceptable level and that the tested system is resistant to attack.
However, what we do not learn from the penetration testing results is that the system can be compromised by sending an e-mail containing malware to its administrator, or that its data can be reached by compromising a completely different system which happens to share the same data storage with the original one, etc. Simply put, penetration tests are narrowly focused on a specific area and thus, by definition, they cannot cover the complexity of interconnections in the whole company's ecosystem and the resulting risks.
Penetration testing:
- Methodical approach
- Strictly defined scope
- Usually takes 1–3 weeks
- Announced in advance
- Aiming at identification of vulnerabilities in a specific area
Red Teaming:
- Flexible approach
- Unlimited scope
- Usually takes 1–3 months
- Secret, only the White Team is aware of it
- Aiming at testing the resistance of the whole company’s environment to an attack
In this chapter, it is the Red Teaming’s turn. The term is derived from the Red Team, a team of experienced ethical hackers performing simulated attacks using the same sophisticated means as real attackers. Red Teaming covers a very wide range of attack vectors and targets people and technology as well as physical assets. In addition to attempting penetration through the exploitation of vulnerabilities in a specific technology, it also makes use of social engineering, gathering information from open sources (OSINT, dumpster diving) and physical intrusion.
The so-called Blue Team is the force opposing the Red Team in the target company. The Blue Team is a team of experts specialised in the prevention, detection and resolution of cyber incidents. The team aims to do everything in its power to stop the attack from succeeding, and if it has already succeeded, to detect and contain it as quickly as possible while preventing its recurrence. In most larger companies today, this role is held by the Security Operations Centre (SOC) or Cyber Defence Centre (CDC) departments.
Red Team vs Blue Team
The roles of the Red Team and the Blue Team are asymmetrical. In the initial phase, when the attacking team tries to penetrate the internal network protected by the defending team, the Red Team has the upper hand. The Blue Team has to secure each of the many potential attack vectors, and that is a very wide field. The attacking team only needs to find one vulnerability or one mistake, or take advantage of the trust of a single employee, and it gains access to the network.
At this point, however, the situation reverses and the advantage tilts in favour of the defending team. The attacking team enters the unfamiliar ground of the internal network, which is firmly under the Blue Team’s control. As soon as the Red Team makes a single mistake here, starts behaving too "loudly", triggers a honeypot or draws attention to its activities in any other way, it is unmercifully removed from the internal network by the Blue Team and its work starts all over again. The comparison with a cat-and-mouse game is more than apt here.
And once the Red Team enters the Blue Team’s field, what is its actual goal?
The goal is to get in undetected and obtain the so-called Flag, which is agreed with the client at the beginning of the Red Teaming exercise. For example, it can mean gaining access to a certain segment of the internal network, access to a specific server or to data prepared upfront in a database, physical access to the server room, stealing a laptop or installing a hardware backdoor.
The principle is to define the Flag in such a way that, once the Red Team has claimed it, one can say that security on the technical, physical and process levels is not sufficient to prevent a targeted external infiltration. The whole attack, including any dead ends and failed infiltration attempts, is then analysed and described in detail in the resulting report, which also contains recommendations for effective protection across the various areas.
It follows from the above that, to obtain results as close to reality as possible, the target company’s employees, and above all the people in the IT departments (IT Operations, SOC, CDC), must not be informed about the Red Teaming exercise. Only a very small circle of people at the customer, the so-called White Team, knows about the Red Teaming activities. This team provides cooperation throughout the engagement. If agreed, the attacks may also take place outside working hours, which requires the contact person to be available at any time. In the case of physical intrusion, the Red Team members receive a so-called Get Out of Jail Free card with which to identify themselves if they are discovered.