Red team testing is a key way to help prevent data breaches today. Most cyber defense focuses on spotting openings and fixing general risks in your environment. Red teaming not only reduces risks, but also prevents possible breaches. Methods, such as threat modeling, static analysis and dynamic testing, reduce the attack surface but do not eliminate risk. With red teaming, your team encounters real-life attacks in a safe scenario, making them more prepared for the threats to come.
Red Teaming: A Structured Approach
Red teaming is a multi-part attack simulation designed to test cloud or other systems. To be specific, it’s an intentional test attack on live systems without the knowledge of the infrastructure or platform owner. The red team takes the role of the threat, trying real attacks to get past the defending blue team. This test measures how well a company’s people, networks, applications and physical defenses can withstand an attack from a real-life threat. Red-teaming checks how well your team does on security detection and response. It helps to identify production issues, configuration errors and other problems in a controlled way.
Setting Up a Red Teaming Strategy
Red teaming is a structured approach, so you need to define some strategies before you start:
- Determine your target system
- Know the goals of the exercise
- Establish rules of engagement between the two teams.
Once you have established and formalized the plan, it’s time to start. The red team works in phases using multiple tools, methods and approaches in the chosen time frame. They should perform foot printing and reconnaissance, network and application penetration testing, launch social engineering and physical attacks and report their findings. Then, discuss the exercise and do closing documentation.
In the first phase, during foot printing and reconnaissance, the red team researches the details about the target, people, process, system and locations. Next, in network and application pen testing, they identify at-risk networks and applications. Then, during the attacks, the red team exposes open processes, locations and people. At the end, in phase four, the red team delivers their risk summary and executive and technical reports.
Why Use Red Teaming?
This exercise helps find loopholes that could provide chances for attackers (either internal or external) to gain access to target systems, which could then result in a serious data breach. Red teaming is also key because it highlights gaps in the detect and response tools in place.
For example, once all objectives are finished, the red team triggers the detect and response system on purpose, which causes an alert. At first, the blue team does not know if the alert was triggered from actual attackers or from internal red team members. But, blue team should treat the incident as a real alert until proof it came from the red team can be established and confirmed. This is the best method for building real-world defense.
Automation or Simulation?
There are two main types of red teaming today. Red team automation increases the operational efficiency of a red team. It enables them to automate rote and scouting actions, spot openings in the target system, and see a clear picture of what they are up against, quickly.
A new approach, red team simulation, takes this a step further. It allows a red team to make complex attack scenarios that execute across the full kill chain, i.e. making custom APT flows. Instead of running a bank of commands to find loopholes, it performs a multi-path, sequenced flow of executions. The primary advantage of this approach is that it includes logic into the flow.
Red teaming makes possible attacks real by exposing gaps in your systems’ defenses. By exploiting
production risks, it also helps to define a baseline of defense that can be regularly checked and changed. In the face of growing cyber attacks, red teaming helps enterprise understand their risk and openness to attacks. In short, it helps make their cloud segments more secure.
Security and Data Privacy Consultant, IBM
Ankit Tripathi is a contributor for SecurityIntelligence.