Threat Intelligence

9/20/2018 05:50 PM

Think Like An Attacker: How a Red Team Operates

Seasoned red teamers explain the value-add of a red team, how it operates, and how to maximize its effectiveness.

If you want to stop an attacker, you have to think like an attacker.

That's the general mindset of someone on the red team, a group of people within an organization responsible for, well, attacking it. Their goal is to act like the adversary and figure out different ways to break into a company so it can strengthen its defenses.

"The whole idea is, the red team is designed to make the blue team better," explains John Sawyer, associate director of services and red team leader at IOActive. It's the devil's advocate within an organization: the group responsible for finding gaps the business may not notice.

Red teaming is markedly different from penetration testing, though the two are often confused, he continues. In the early days of pen testing, it resembled modern-day red teaming.

"When we talk about ethical hacking and pen testing in the late 90s, it was no-holds-barred kind of penetration testing," says Sawyer. As pen testing became mainstream, it also became commoditized. Now, instead of testing the system as a whole, one-off pen tests target specific parts of the ecosystem: Web application tests, social engineering tests, network tests.

"At its core, pen testing is trying to find as many vulnerabilities as you can, usually within a specific timeline," says Josh Schwartz, director of offensive engineering at Oath. Pen testers are given a target system, product, or source code, and try to find as many bugs as they can. While pen tests are still useful, they don't test the business to the extent that a red team does.

A red team considers the full ecosystem, Sawyer says, and its ultimate goal is to figure out how a determined threat actor would break in. Instead of solely trying to breach a Web application, red teamers might combine multiple attack vectors: external network attacks, maybe a social engineering phone call, an attempt to gain access to a physical office.

"The main function of red teaming is adversary simulation," says Schwartz. "You are simulating, as realistically as possible, a dedicated adversary that would be trying to accomplish some goal. It's always going to be unique to the target. If you're going to get the maximum value out of having a red teaming function, you probably want to go for maximum impact."

Smooth Operators

Red team operations start with gathering open-source intelligence, or OSINT, on the organization and building a threat profile, says Tyler Robinson, head of offensive services and managing senior security analyst with InGuardians. The team considers every aspect of its target company: its industry, its monetary value, its risk factors, its worst-case scenario.

As Schwartz puts it: "What does the apocalypse look like for your company?"

A chat with the organization can unearth valuable intel: insight into the business, where its crown jewels are, what it values. For a financial institution this might be reputation and money; for a healthcare firm it might be patient records and other sensitive health data.

It's worth noting an organization using a red team likely has a mature security posture, says Sawyer. The red team assumes security controls are in place, a SOC is monitoring these controls, and an incident response plan exists in the event of a breach. If the company has never done a penetration test, he adds, it's likely not ready to get hit with a red team.

When it's time to plot the offensive, Robinson considers the ways someone could physically break in. This could involve a Google Maps scan to scope out entrances, or YouTube and Instagram to check for employee badges. Red teams will also investigate Web applications and do password sprays, trying a handful of common passwords against many accounts rather than many passwords against one account, which keeps each account below lockout thresholds, to see if the company is vulnerable. "All we need is one foothold," he says.
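As an added illustration (not part of the original article, and not code from any of the firms quoted), here is how a blue team can spot the password spray Robinson describes in its own authentication logs. A spray leaves a distinctive shape: one source fails against many distinct accounts with only one or two attempts each, while classic brute force is many failures against a single account. The log format, the sample lines, and the thresholds below are all constructed for this example and are assumptions to tune per environment; the "foothold" check at the end flags any account that authenticated successfully from a spraying source, which is the first account to reset.

```python
"""Password-spray detection over authentication logs (illustrative example).

A spray tries a few common passwords against many accounts, so each account
sees only one or two failures (below lockout thresholds) while one source
fails against many distinct users. Brute force is the opposite shape: many
failures against one account. Grouping failures by source inside a time
window and counting distinct users separates the two.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The line format
# "timestamp src=IP user=NAME result=ok|fail" is hypothetical.
SAMPLE_LOG = """\
2018-09-20T14:00:01 src=203.0.113.7 user=alice result=fail
2018-09-20T14:00:03 src=203.0.113.7 user=bob result=fail
2018-09-20T14:00:05 src=203.0.113.7 user=carol result=fail
2018-09-20T14:00:07 src=203.0.113.7 user=dave result=fail
2018-09-20T14:00:09 src=203.0.113.7 user=erin result=fail
2018-09-20T14:00:11 src=203.0.113.7 user=frank result=fail
2018-09-20T14:00:13 src=203.0.113.7 user=grace result=ok
2018-09-20T14:01:00 src=198.51.100.9 user=svc_backup result=fail
2018-09-20T14:01:02 src=198.51.100.9 user=svc_backup result=fail
2018-09-20T14:01:04 src=198.51.100.9 user=svc_backup result=fail
2018-09-20T14:01:06 src=198.51.100.9 user=svc_backup result=fail
2018-09-20T14:01:08 src=198.51.100.9 user=svc_backup result=fail
2018-09-20T14:01:10 src=198.51.100.9 user=svc_backup result=fail
2018-09-20T14:05:00 src=192.0.2.44 user=heidi result=fail
2018-09-20T14:05:30 src=192.0.2.44 user=heidi result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(log_text):
    """Yield (timestamp, src, user, result) tuples; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"])


def classify_sources(log_text, window=timedelta(minutes=10),
                     spray_min_users=5, spray_max_per_user=2,
                     brute_min_failures=5):
    """Return {src: (verdict, detail)} for sources whose failures inside any
    `window` look like a spray or like brute force. Thresholds are assumed
    starting points, not measured values."""
    failures = defaultdict(list)  # src -> [(timestamp, user), ...]
    for ts, src, user, result in parse(log_text):
        if result == "fail":
            failures[src].append((ts, user))

    verdicts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Failures from this source within `window` of the i-th failure.
            in_window = [u for t, u in events[i:] if t - start <= window]
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            distinct = len(per_user)
            heaviest = max(per_user.values())
            if distinct >= spray_min_users and heaviest <= spray_max_per_user:
                verdicts[src] = ("spray", {"distinct_users": distinct,
                                           "max_per_user": heaviest})
                break
            if distinct == 1 and heaviest >= brute_min_failures:
                verdicts[src] = ("brute_force", {"user": next(iter(per_user)),
                                                 "failures": heaviest})
                break
    return verdicts


def footholds(log_text, verdicts):
    """Accounts that authenticated successfully from a source flagged as
    spraying: the one foothold an attacker needs, and the first to reset."""
    hits = set()
    for _, src, user, result in parse(log_text):
        if result == "ok" and verdicts.get(src, ("",))[0] == "spray":
            hits.add((src, user))
    return sorted(hits)


if __name__ == "__main__":
    found = classify_sources(SAMPLE_LOG)
    for src, (kind, detail) in found.items():
        print(f"{src}: {kind} {detail}")
    print("footholds:", footholds(SAMPLE_LOG, found))
```

The window matters: a patient spray that spaces attempts hours apart will slip under a ten-minute window, so in practice the same counting is run over a longer window as well, and the distinct-user threshold is set relative to how many accounts a single legitimate source (a VPN concentrator, a shared NAT) normally touches.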

Red teams will also scour the Dark Web to learn the latest hacker tools and tactics, how they work, and what's new and being used in the wild, then replicate that tradecraft so their operations match what real attackers are doing. "We try to maintain that edge," he says. "Constant retooling, constant battling."

The team ends up chaining together a small series of attacks – low-level vulnerabilities, misconfigurations – and uses those to own the entire domain without the business knowing they were there, he says. Typically, few employees know when a red team is live.

Sawyer's team recently worked with a financial trading organization. They combined a variety of social engineering and physical attacks, along with external network testing, to break in. Red teamers went on site, dressed like the employees, and arrived with badges similar to theirs in order to bypass physical security controls, he explains.

Once inside, they could gain access to offices and connect to their machines and networks. "That was in coordination with other activities we had," he says, noting that they also leveraged phishing and phone calls to break the target's defenses.

Robinson's red team was recently able to take over the network of a major organization by breaking into a printer. "We owned a very large financial organization through a single printer," he emphasizes, adding how this illustrates the need for organizations to focus on the basics of security, including securing all networked devices. There's a lot of money going toward next-gen tools, he says, but the real value is in the fundamentals of proper configuration.

Red and blue teams may work together in some engagements to provide visibility into the red team's actions. For example, if the red team launches a phishing attack, the blue team could view whether someone opened a malicious attachment, and whether it was blocked. After a test, the two can discuss which actions led to which consequences.

"We want to ultimately say that while we found these ways to get in, we really think by improving these places we were able to get in, you'll have more complete protection," Sawyer says.

Red Team Recruitment: How to Hire

"Our rule of thumb is there's always three operators" in a red team, says Robinson. Sawyer says a red team needs at least two people to be effective, though many range from two to five. While a large company might have 12-25 people, says Schwartz, only three or four will work on a single operation.

Each red team is made up of different skill sets to maximize the group's effectiveness.

It helps to have at least one person knowledgeable in physical security; someone who can understand the safeguards around the business, pick locks, bypass door codes and security cameras. You might also have social engineers who can send phishing emails, call up the organization, or appear on-site pretending to be an employee or delivery person.

And, of course, you need technical chops. Sawyer points to a range of valuable skills to have on a red team: Web exploitation, hardware expertise, reverse engineering, understanding of Windows and Active Directory, post-exploitation, and gaining access to sensitive data.

It's also interesting to pull in subject matter experts based on the target, Schwartz says. If you're outsourcing a red team, it could help to bring an employee onto their project and make them part of the attack group. "People generally want to be part of those types of activities because they're educational," he adds.

In-House vs. Outsourcing

More and more companies are starting to realize if they limit themselves to the core fundamentals of security, they're waiting for something bad to happen in order to know whether their steps are effective, says Schwartz. Red teaming can help them get ahead of that.

"Security is one of those areas it's tough to get funding for," says Sawyer. "It's seen as a sinkhole … it's hard because unless you have a breach or something is attacking you, how do you know that the stuff you're investing in is doing a good job?"

How your company acquires red teaming capabilities depends on its size and budget. Many companies are building red teams in-house to improve security; some hire outside help.

"There are some ways to outsource red teaming and red teaming activities," says Schwartz. "It's a good way to start," he notes, and smaller businesses can buy these skills from various consulting companies and in doing so, make a case for hiring an internal red team.

The main reason to build a red team internally is that it grows and improves along with the defenses. As security improves, so do the skills of red teamers. Offensive experts and defenders can attack one another, playing a cat-and-mouse game that improves enterprise security, he continues. Internal teams are also easier to justify from a privacy perspective.

Overall, the pros argue a full red team can help prepare for modern attackers who will scour your business for vulnerabilities and exploit them, and in doing so help you stop real adversaries.

"The difference between a red team and an adversary is, the red team tells you what they did after they did it," Schwartz says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...