Red Teaming

How can we be satisfied with cybersecurity defense capabilities that are only theoretical? We no longer have to wait to be bombarded by cybercriminals to realize whether our threat detectors, firewalls and other defensive strategies and security controls are efficient. We no longer have to wait for malicious hackers to detect vulnerabilities in our systems to be able to act on them. Although it may seem counterintuitive, we can request the service of being attacked in the cybersecurity field. These attacks are done, though, in an ethical and regulated manner to find out how strong we are. We can hire professionals to show us vividly what an attacker could do against us and how well we and our systems would respond to those real threats. In this post, we will talk about red teams and red teaming so that you can better understand this solution.

We are not referring to Liverpool, Bayern Munich, or some similar team here. We are focused on a red team in cybersecurity. This "cyber red team" is a group of security experts and professional hackers, inside or outside the target company, with the required skills and, of course, the permission to simulate "real-world" cyberattacks. In these attacks or red team activities, playing specific roles, red team members must emulate tactics, techniques and procedures used by today's threat actors to compromise an organization's systems and cyber defenses. Red team testing is a kind of security testing that evaluates the effectiveness of the company's threat prevention, detection and response strategies. It delivers reports of detected vulnerabilities and exploitation impacts as feedback for vulnerability remediation and improvement of the organization's cyber defenses.

Typically, when we talk about red teams, blue teams (and sometimes purple teams) come up in the conversation.

A red team is made up of specialists in offensive security (ethical hackers) whose mission, as mentioned above, is to impact and compromise an information system and its defenses. The size of this team is variable and sometimes depends on the complexity of the tasks.

The members of this team are expected to have extensive technical knowledge, creativity and cunning to gain access to systems and move through them undetected. Ideally, their skills and backgrounds are miscellaneous. Some may be more adept, for example, in software development, penetration testing (aka pentesting), social engineering, business knowledge, IT administration, threat intelligence or security controls and tools.

Becoming a red team member is complex and requires education, experience, skill development, and a particular mindset. It’s necessary to first build a strong foundation in cybersecurity, either by formal education or intense self-thought training. Certifications related to red teaming solidify expertise. Gain practical experience through labs, bug bounty programs, or by being in a blue team. Networking with industry professionals provides invaluable connections and knowledge. Soft skills like communication and critical thinking are crucial when it comes to teamwork and reporting findings. There is an inherent ethical responsibility in red teaming, which must always be upheld and remembered. Embrace continuous learning and explore new areas, evolving with the ever-changing cybersecurity landscape. If interested, we recommend our Tribe of Hackers posts series based on the book by the best-selling author (and hacker) Marcus J. Carey.

A blue team is made up of specialists in defensive security, including incident response consultants, for example. They must guide the organization to assess its environment and organize, implement and improve security controls to identify and stop or deal with red team intrusions or real threat actors. Their defensive work seeks to prevent damage to the structure and operations of the organization's systems. In some cases, the blue team may intervene in the planning or implementation of recovery measures. The members of this team must fully understand security strategies, both at the technological and human levels. They must be highly skilled in the detection of threats, the appropriate response to them and the correct use of tools that support these purposes.

Finally, the purple team. From childhood, you know that mixing red and blue makes purple. So, in cybersecurity, a purple team is made up of offensive and defensive security experts. Sometimes, this team is referred to as an intermediary, responsible for assessing, coordinating and facilitating interactions between the red and blue teams. Other times, it is referred to as members of both teams collaboratively working in unison. The intention is to maximize the contributions of both groups of experts in favor of an organization's cybersecurity posture.

Despite all this, it is generally enough to speak only of red and blue teams. Both of them can have as a knowledge source of tactics, techniques and procedures of threat actors the MITRE ATT&CK Framework, which is a product of real-world experiences. Usually, the red and blue teams have a leading role in the red teaming practice. However, the presence of the latter may not be indispensable.

In line with the above, to define red teaming, we refer to the offensive art with which we can help a company know how secure its systems are. Apparently, this was a practice that originated in the military context. In an adversarial approach, the idea was to confront two teams simulating reality to evaluate the quality and strength of their strategies. (Something like this happens in Attack-Defense style CTF contests for hacker groups.) This gave rise to the red team and blue team. In a controlled environment, a red team attack tests an organization's threat prevention, detection and response capabilities and strategies —factors in which a blue team may be involved with plans, systems and standards.

Many times, the blue team or the members of the security team of the company under evaluation may not be aware that red teaming or simulated attacks are taking place. (In fact, this is ideal; see "Attacking Without Announcing.") As we discussed in another post regarding the TIBER-EU tests, a white team, close to the blue team, may also come into play. A white team is a small group in the organization that may be the only one aware of the red teaming. This team is responsible for approving and requesting the initiation and interruption of attacks. It also acts as a liaison between the other two groups. It is always expected that, after red teaming exercises, the target organization will mature its security by refining its controls and remediating its vulnerabilities. Incidentally, it is the company's mission to ensure that what it receives is red teaming and not just pentesting.

Both approaches can be integrated. A vendor can initially apply several penetration testing cycles within a company's DevSecOps model. Based on what's shown in the reports, the company can perform vulnerability remediation on its systems. After these cycles, an organization that is more mature in its security can open the way to red teaming. Then, with specific objectives such as accessing a particular network element or sensitive information, for example, it is possible to test how effective the remediations have been and what security gaps there are in the systems in the face of certain types of attacks.

Red teaming can be seen as a deeper, holistic and more complex penetration testing. Because of this, red teaming can take longer than pentesting. A red team has to employ stealth and evasion. It is often said that in red teaming, as compared to penetration testing, the surprise factor prevails (i.e., the blue team is unaware of the attack simulation). Nevertheless, this will depend on what is defined between the provider and the client. Also, red teaming expands the range of attack types to be used, adding, for example, physical penetration and social engineering (e.g., phishing). This means that not only the systems are put to the test, but also the personnel who manage them. That is why it can provide more and better ideas than pentesting for improving plans for prevention, detection and response to threats.

As we pointed out earlier, and as Rafael Alvarez, CTO of Fluid Attacks, once said, ideally, the blue team should not be aware of the execution of red teaming. In particular, for the blue team to know the times and places where the red team intends to attack may be seen as inappropriate. "In order to know with certainty the security level of your company, these exercises must be as close to reality as possible," says Alvarez. The few members of the organization, i.e., its highest authorities, who will be aware of the red teaming, are the ones who will give the red team express authorization and legal protection for its offensive security exercise.

When we asked Andres Roldan, VP of Hacking at Fluid Attacks, about the red teaming methodology they use in the hacking exercises they conduct from the company, he told us that they follow the "kill chain strategy."

The cyber kill chain 3.0 is an update (with minor changes) of the previous model for a better defense that was suggested by Corey Nachreiner, WatchGuard's Chief Technology Officer. This red team kill chain has the following stages:

Linked to this question, you could also ask yourself, "What to look for in a red team tool?" The tools for these security assessment exercises should be helpful for applying tactics such as those mentioned above. Red team tools can be classified according to the phase of red teaming in which they serve specific functions. The following are just a few examples:

You may still be wondering, "Why do I need red team cyber security?" Although we already have a blog post where we extensively justify the value or importance of red teaming for organizations' cybersecurity, we can summarize it as follows: A closer approximation to reality. A cyberattack simulation by a red team puts to the test the cybersecurity program of an organization, attending to its prevention, detection, defense and response strategies. Strategies that the organization has ready to deal with cybercriminals on a daily basis and that, with the red team's assessment, may show weaknesses that should be addressed as soon as possible.

At Fluid Attacks, we are experts in security testing. Our red team can perform penetration testing, red teaming and ethical hacking services for your organization as both parties agree to carry them out. In line with what's been described above, we recommend starting with pentesting to continuing with red teaming as the security of your organization and its systems matures. A red team external to your work environment, unaffected by conflicts of interest, would perform evaluations without absurd inhibitions and deliver transparent reports on your prevention, detection and response measures. Our ethical hackers have certifications such as OSCP, CEH, CRTP, CRTE, CRTO, eWPTv1, and eCPTXv2, among many others. They are also very experienced, possess diverse backgrounds and skills, and work in different red team roles. On average, we offer more than 15 ethical hackers per project.

Contact us and let our red team hacking tell you for sure, with substantial evidence, what havoc cybercriminals could wreak on your organization's systems.