7 Must-Haves for a Rockin' Red Team
Follow these tips for running red-team exercises that will deliver added insight into your operations.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt55ed2d638f2c0055/64f0d3e90b661a8061407600/Slide1CoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
With the threat landscape as dangerous as it is today, all organizations need deeper insights into their networks. That's where red-team exercises can help.
Despite the expense, the vast majority of companies will engage with third parties to conduct them. But building an in-house team is also an option. Either way, everyone should understand some red-team basics.
"Start by trusting your gut and don't overthink complex problems," says Daniel Wood, associate vice president of consulting at Bishop Fox, who recently posted a blog based on his experience managing red teams. "If you start to think something might be amiss or just plain wrong for the environment you're in, chances are it is. And if you are too reactive to what's around, you will be one step behind. A primary goal of a red team is to dictate and develop the situation, not to let others do it for you."
What should happen after that gut check? This list of seven tips will help you get the most from a red-team exercise.
Companies should understand what they are trying to protect, says Quentin Rhoads-Herrera, director of professional services at CriticalStart. For power plants or utilities with SCADA systems, it's often very specific. But most companies can identify their "crown jewels." For a financial company, it's PCI data and credit card names and addresses. For a medical practice, it's sensitive medical information. Government contractors will want to protect military secrets or sensitive government agency data.
Protecting mission-critical assets and crown jewels requires security of a different order of magnitude compared with simply ensuring the company has good vulnerability and patch management, Bishop Fox's Wood adds.
Many companies make sure they are patched and configured properly, but there are many other issues to consider: What does the attack path look like from each asset or profile of assets to the things the company really cares about? Once malware gets installed, where could an attacker pivot? What accounts or data are exposed? How could an attacker exfiltrate sensitive data? How could poor business practices or inadequate policies, standards, and guidelines expose the organization to more risk? If the company focuses only on the easy "threat landscape" and not the holistic environment, it leaves the organization open to risk, Wood says.
Security teams need to think more strategically about the real benefits of red teams. David "Moose" Wolpoff, founder and CTO of Randori, says companies should start thinking more holistically about the costs. Sure, they have to know what it will cost to protect against an adversary, but they also need to have a better handle on what it will cost the adversary to penetrate the company's crown jewels. Only then can companies start determining the budget dollars they'll need to protect sensitive data.
Bishop Fox's Wood says red-team leads (RTLs) have to accept that they don't know everything. They have to let the experts on the team be free to do their jobs without fear of reprisal. They should also encourage disagreements and multiple perspectives on any one security issue.
Here's Wood's idea of how companies can staff red teams:
Situations will change, and the team needs people who can think creatively and come up with new approaches, Bishop Fox's Wood says. For example, there was a time his company was working with a government agency, and the employees couldn't receive links or attachments. A red team needs someone who can think of an alternative way to break into the network. In this case, they devised an email lure in which the supposed head of the agency sent the employees to a website where they could obtain cash rewards. The site was actually a "watering-hole" site infested with malware that let the red team enter the network.
CriticalStart's Rhoads-Herrera says he looks for the type of person who could pull off that attack when hiring. In the case that Wood describes, he says, unless someone had the right technical background, they would not have the skills to launch that watering-hole attack. In one case he hired somebody with no red-team experience, but the person was eager and willing to learn. He had a background in reverse-engineering malware, so Rhoads figured he would be the type of person who could succeed on a red team.
"The guy learns technology tasks very fast and over the past two years has become one of the top members of our team," Rhoads says.
Commercial tools can often help red-team members work faster, but open source tools are just as effective and make red-team members work more creatively. CriticalStart's Rhoads says in the offensive security space there's usually an open source equivalent of a closed source tool. An example of that would be with command-and-control (C2) applications. Rhoads uses the open source PowerShell Empire as opposed to Cobalt Strike, the closed tool. The functionality in PS Empire is enough for his team to execute a high-quality assessment, and any missing functionality they build on their own, he says.
While closed source software usually has more capabilities than open source equivalents, Rhoads says good red teamers should have the ability to conduct their work without relying on tools, especially closed source, as they should understand fundamentally what those tools are doing and how to deploy the same tactics manually. Commercial tools speed up aspects of tests and take out some of the manual work, but they can come at a steep cost. Other commercial tools, like Dradis, help security professionals speed up reporting -- an area that makes sense to spend money on, Rhoads says.
Junior red-team members need guidance from senior members so they don't waste too much time on unnecessary research and manual tasks, Bishop Fox's Wood says.
Many junior members will "trust and not verify" automated scanner results, which can lead to false positives and negatives. Doing this can lead to inaccurate results or missed opportunities for approaching a target. Additionally, they will often point out very narrow and tactical remediation and mitigation steps to address vulnerabilities and gaps/weaknesses.
"They don't play the scenario forward far enough to think about what a more holistic approach to addressing the problem could be to prevent similar problems from occurring in the future and addressing the root cause, not just the symptom," Wood explains.
Security pros differ on whether red teams should stop at a certain point and tell the client or company they can't break into their networks. Bishop Fox's Wood says red teams need to understand when they've reached the "point of failure" in an exercise. He says it's also OK if the red team doesn't penetrate the network, pointing out the value in having the company understand what they do well and where they need to improve. CriticalStart's Rhoads says if one of his red teams can't penetrate the network, they will ask the company to let them in and look for vulnerabilities further down the chain.
But Randori's Wolpoff believes this kind of talk sells red teams short. It's not an authentic experience to have a red teamer work inside the company's environment without trespassing its exterior, he says.
"Ask yourself, would you ever give an attacker access to your internal environment?" Wolpoff says. "No. Then why would you give a red-teamer access? When you're looking for a red-team engagement, you want the experience to be as authentic as possible, as true to what a real attacker would do. A real attacker is not limited by time; he's not given a scope. He typically has an objective -- steal some IP, get to sensitive data, or access a domain controller. You should design your red-team experience the same way."