Think Like An Attacker: How a Red Team Operates
Seasoned red teamers explain the value-add of a red team, how it operates, and how to maximize its effectiveness.
If you want to stop an attacker, you have to think like an attacker.
That's the general mindset of someone on the red team, a group of people within an organization responsible for, well, attacking it. Their goal is to act like the adversary and figure out different ways to break into a company so it can strengthen its defenses.
"The whole idea is, the red team is designed to make the blue team better," explains John Sawyer, associate director of services and red team leader at IOActive. It's the devil's advocate within an organization; the group responsible for finding gaps the business may not notice.
Red teaming is markedly different from penetration testing, though the two are often confused, he continues. In the early days of pen testing, it resembled modern-day red teaming.
"When we talk about ethical hacking and pen testing in the late 90s, it was no-holds-barred kind of penetration testing," says Sawyer. As pen testing became mainstream, it also became commoditized. Now, instead of testing the system as a whole, one-off pen tests target specific parts of the ecosystem: Web application tests, social engineering tests, network tests.
"At its core, pen testing is trying to find as many vulnerabilities as you can, usually within a specific timeline," says Josh Schwartz, director of offensive engineering at Oath. Pen testers are given a target system, product, or source code, and try to find as many bugs as they can. While pen tests are still useful, they don't test the business to the extent that a red team does.
A red team considers the full ecosystem, Sawyer says, and its ultimate goal is to figure out how a determined threat actor would break in. Instead of solely trying to breach a Web application, red teamers might combine multiple attack vectors – a combination of external attacks, maybe a social engineering phone call, trying to gain access to a physical office.
"The main function of red teaming is adversary simulation," says Schwartz. "You are simulating, as realistically as possible, a dedicated adversary that would be trying to accomplish some goal. It's always going to be unique to the target. If you're going to get the maximum value out of having a red teaming function, you probably want to go for maximum impact."
Red team operations start with gathering open-source intelligence, or OSINT, on the organization and building a threat profile, says Tyler Robinson, head of offensive services and managing senior security analyst with InGuardians. The team considers every aspect of their target company: its industry, monetary value, its risk factors, its worst-case scenario.
As Schwartz puts it: "What does the apocalypse look like for your company?"
A chat with the organization can unearth valuable intel: insight into the business, where its crown jewels are, and what it values. For a financial institution this might be reputation and money; for a healthcare firm it might be patient health records and other sensitive patient data.
It's worth noting an organization using a red team likely has a mature security posture, says Sawyer. The red team assumes security controls are in place, a SOC is monitoring these controls, and an incident response plan exists in the event of a breach. If the company has never done a penetration test, he adds, it's likely not ready to get hit with a red team.
When it's time to plot the offensive, Robinson considers the ways someone could physically break in. This could involve a Google Maps scan to scope out entrances, or YouTube and Instagram to check for employee badges. Red teams will also investigate Web applications and do password sprays to see if the company is vulnerable. "All we need is one foothold," he says.
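The password spray mentioned above is worth seeing in concrete terms, from both sides of the engagement. The block below is an added illustration, not code from the article or from any of the teams quoted in it: it orders guesses the way a spray does (a few passwords against every account per round, so no single account reaches the lockout counter) and then runs the matching blue-team check over constructed authentication log lines, flagging a source that fails against many distinct accounts in a short window. The lockout threshold, the log format and the sample accounts and IPs are all assumptions made for the example.

```python
"""Password spraying versus per-account lockout, plus a simple detector.

Added example for illustration; not the article's or the quoted teams' code.
The lockout policy, log format, usernames and source IPs are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lockout policy: an account locks after this many failures in a window.
LOCKOUT_THRESHOLD = 5


def spray_rounds(users, passwords, threshold=LOCKOUT_THRESHOLD):
    """Order guesses as a spray: a few passwords against every account per round.

    Each round tries at most threshold-1 passwords per account, so no account
    hits the lockout counter; the attacker waits for counters to reset before
    the next round. Returns a list of rounds, each a list of (user, password).
    """
    per_round = max(1, threshold - 1)
    rounds = []
    for i in range(0, len(passwords), per_round):
        chunk = passwords[i:i + per_round]
        rounds.append([(u, p) for p in chunk for u in users])
    return rounds


def max_failures_per_account(attempts):
    """Worst-case number of failed attempts any single account receives."""
    counts = defaultdict(int)
    for user, _ in attempts:
        counts[user] += 1
    return max(counts.values(), default=0)


def parse_auth_line(line):
    """Parse one constructed log line: '<iso-ts> <FAIL|OK> src=<ip> user=<name>'."""
    ts, status, src, user = line.split()
    return (datetime.fromisoformat(ts), status,
            src.split("=", 1)[1], user.split("=", 1)[1])


def spray_sources(log_lines, min_accounts=10, window=timedelta(minutes=10)):
    """Flag source IPs that fail against many distinct accounts within a window.

    A brute force hammers one account; a spray touches many accounts with few
    failures each, so the distinct-user count per source is the signal.
    Returns {src: peak number of distinct users failed within one window}.
    """
    failures = defaultdict(list)
    for line in log_lines:
        ts, status, src, user = parse_auth_line(line)
        if status == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        peak = 0
        for i, (ts, _) in enumerate(events):
            # Distinct accounts seen in the window ending at this event.
            users = {u for t, u in events[:i + 1] if t >= ts - window}
            peak = max(peak, len(users))
        if peak >= min_accounts:
            flagged[src] = peak
    return flagged


# Constructed sample: 203.0.113.7 sprays one password across 12 accounts in two
# minutes; 198.51.100.4 fails three times against a single account, then logs in.
SAMPLE_LOG = [
    f"2018-11-20T09:{i // 6:02d}:{(i % 6) * 10:02d} FAIL src=203.0.113.7 user=user{i:02d}"
    for i in range(12)
] + [
    "2018-11-20T09:05:00 FAIL src=198.51.100.4 user=bob",
    "2018-11-20T09:05:03 FAIL src=198.51.100.4 user=bob",
    "2018-11-20T09:05:07 FAIL src=198.51.100.4 user=bob",
    "2018-11-20T09:05:12 OK src=198.51.100.4 user=bob",
]

if __name__ == "__main__":
    users = [f"user{i:02d}" for i in range(12)]
    rounds = spray_rounds(users, ["Winter2018!", "Password1", "Welcome1", "Autumn2018"])
    print(len(rounds), "round(s);", max_failures_per_account(rounds[0]),
          "failures per account in round 1 (lockout at", LOCKOUT_THRESHOLD, ")")
    print("sources flagged as spraying:", spray_sources(SAMPLE_LOG))
```

The detector deliberately keys on distinct accounts per source rather than failures per account, because a well-paced spray never trips the per-account counter that the lockout policy (and most default alerting) watches; a real deployment would also aggregate across sources, since mature sprays rotate egress IPs.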
Red teams will also scour the Dark Web to learn the latest hacker tools and tactics, how they work, and what's new and being used in the wild, then mirror what they find in their own operations. "We try to maintain that edge," he says. "Constant retooling, constant battling."
The team ends up chaining together a small series of attacks – low-level vulnerabilities, misconfigurations – and uses those to own the entire domain without the business knowing they were there, he says. Typically, few employees know when a red team is live.
Sawyer's team recently worked with a financial trading organization. They combined a variety of social engineering and physical attacks, along with external network testing, to break in. Red teamers went on site, dressed like the employees, and arrived with badges similar to theirs in order to bypass physical security controls, he explains.
Once inside, they could gain access to offices and connect to their machines and networks. "That was in coordination with other activities we had," he says, noting that they also leveraged phishing and phone calls to break the target's defenses.
Robinson's red team was recently able to take over the network of a major organization by breaking into a printer. "We owned a very large financial organization through a single printer," he emphasizes, adding how this illustrates the need for organizations to focus on the basics of security, including securing all networked devices. There's a lot of money going toward next-gen tools, he says, but the real value is in the fundamentals of proper configuration.
Red and blue teams may work together in some engagements to provide visibility into the red team's actions. For example, if the red team launches a phishing attack, the blue team could view whether someone opened a malicious attachment, and whether it was blocked. After a test, the two can discuss which actions led to which consequences.
"We want to ultimately say that while we found these ways to get in, we really think by improving these places we were able to get in, you'll have more complete protection," Sawyer says.
Red Team Recruitment: How to Hire
"Our rule of thumb is there are always three operators" in a red team, says Robinson. Sawyer says a red team needs at least two people to be effective, though many range from two to five. While a large company might have 12-25 people, says Schwartz, only three or four will work on a single operation.
Each red team is made up of different skill sets to maximize the group's effectiveness.
It helps to have at least one person knowledgeable in physical security; someone who can understand the safeguards around the business, pick locks, bypass door codes and security cameras. You might also have social engineers who can send phishing emails, call up the organization, or appear on-site pretending to be an employee or delivery person.
And, of course, you need technical chops. Sawyer points to a range of valuable skills to have on a red team: Web exploitation, hardware expertise, reverse engineering, understanding of Windows and Active Directory, post-exploitation, and gaining access to sensitive data.
It's also interesting to pull in subject matter experts based on the target, Schwartz says. If you're outsourcing a red team, it could help to bring an employee onto their project and make them part of the attack group. "People generally want to be part of those types of activities because they're educational," he adds.
In-House vs. Outsourcing
More and more companies are starting to realize if they limit themselves to the core fundamentals of security, they're waiting for something bad to happen in order to know whether their steps are effective, says Schwartz. Red teaming can help them get ahead of that.
"Security is one of those areas it's tough to get funding for," says Sawyer. "It's seen as a sinkhole … it's hard because unless you have a breach or something is attacking you, how do you know that the stuff you're investing in is doing a good job?"
How your company acquires red teaming capabilities depends on its size and budget. Many companies are building red teams in-house to improve security; some hire outside help.
"There are some ways to outsource red teaming and red teaming activities," says Schwartz. "It's a good way to start," he notes, and smaller businesses can buy these skills from various consulting companies and in doing so, make a case for hiring an internal red team.
The main argument for building a red team internally is that it grows and improves along with the defenses. As security improves, so do the skills of red teamers. Offensive experts and defenders can attack one another, playing a cat-and-mouse game that improves enterprise security, he continues. Internal teams are also easier to justify from a privacy perspective.
Overall, the pros argue a full red team can prepare a business for modern attackers who will scour it for vulnerabilities and exploit them; the difference is that the red team helps you stop the real adversaries.
"The difference between a red team and an adversary is, the red team tells you what they did after they did it," Schwartz says.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology.