Red Teaming is a complex simulation of attacks. Methodology and tools

Source: Acunetix

Red Teaming is a complex simulation of real attacks in order to assess the cybersecurity of systems. A "Red Team" is a group of pentesters (specialists performing a penetration test of the system). They can be either hired from outside or employees of your organization, but in all cases their role is the same - to imitate the actions of intruders and try to penetrate your system.

Along with the "red teams" in cybersecurity, there are a number of other teams. For example, the Blue Team works together with the Red Team, but its activities are aimed at improving the security of the system's infrastructure from the inside. The Purple Team is the link between them, assisting the other two teams in developing attack strategies and defenses. However, red teaming is one of the least understood methods of managing cybersecurity, and many organizations remain reluctant to adopt this practice.
In this article, we will explain in detail what lies behind the concept of Red Teaming, and how the practice of comprehensively simulating real attacks can help improve the security of your organization. The purpose of this article is to show how this method can significantly increase the security of your information systems.

Red Teaming Overview


Although in our time, the "red" and "blue" teams are primarily associated with the field of information technology and cybersecurity, these concepts were coined by the military. In general, it was in the army that I first heard about these concepts. Working as a cybersecurity analyst in the 1980s was very different from today: access to encrypted computer systems was much more restricted than it is today.

In other respects, my first experience of war games (simulation, emulation, and interaction) was very similar to today's complex attack simulation process, which has found its way into cybersecurity. As now, great attention was paid to the use of social engineering methods to convince employees to give the "enemy" improper access to military systems. Therefore, although the technical methods of attack simulation have advanced significantly since the 80s, it is worth noting that many of the main tools of the adversarial approach, and especially social engineering techniques, are largely platform independent.

The core value of complex imitation of real attacks has also not changed since the 80s. By simulating an attack on your systems, it's easier for you to discover vulnerabilities and understand how they can be exploited. And while red teaming was once used primarily by white hat hackers and cybersecurity professionals looking for vulnerabilities through penetration testing, it has now become more widely used in cybersecurity and business.

The key to red teaming is to understand that you can't really get a sense of the security of your systems until they are attacked. And instead of putting yourself at risk of being attacked by real attackers, it's much safer to simulate such an attack with a red team.

Red Teaming: use cases

An easy way to understand the basics of red teaming is to look at a few examples. Here are two of them:

  • Scenario 1. Imagine that a customer service site has been pentested and passed. It would seem that this suggests that everything is in order. However, later, in a complex mock attack, the red team discovers that while the customer service app itself is fine, the third-party chat feature cannot reliably identify people, and this makes it possible to trick customer service representatives into changing the email address on an account (as a result of which a new person, an attacker, can gain access to it).
  • Scenario 2. As a result of pentesting, all VPN and remote access controls were found to be secure. However, a representative of the "red team" then walks past the reception desk unchallenged and leaves with the laptop of one of the employees.

In both of the above cases, the "red team" checks not only the reliability of each individual system, but also the entire system as a whole for weaknesses.

Who Needs Complex Attack Simulation?


In a nutshell, almost any company can benefit from red teaming. As shown in our 2019 Global Data Risk Report, a frighteningly large number of organizations are under the false belief that they have complete control over their data. We found, for example, that on average 22% of a company's folders are available to every employee, and that 87% of companies have more than 1000 outdated sensitive files on their systems.

If your company is not in the tech industry, it may not seem like red teaming will do you much good. But that is not the case. Cybersecurity is not only about protecting confidential information.

Attackers go after technology regardless of the company's line of business. For example, they may seek to gain access to your network in order to hide their actions while taking over another system or network elsewhere in the world. With this type of attack, the attackers do not need your data. They want to infect your computers with malware in order to make your systems part of a botnet.

For smaller companies, it can be difficult to find resources for red teaming. In this case, it makes sense to entrust this process to an external contractor.

Red Teaming: Recommendations

The optimal time and frequency for red teaming depends on the sector you work in and the maturity of your cybersecurity tools.

In particular, you should have automated activities such as asset discovery and vulnerability analysis in place. Your organization should also combine automated technology with human oversight by regularly conducting full penetration testing.
After completing several cycles of penetration testing and fixing the vulnerabilities found, you can proceed to a complex simulation of a real attack. At this stage, red teaming will bring you tangible benefits. However, trying to do it before you have the basics of cybersecurity in place will not bring tangible results.

A white hat team is likely to be able to compromise an unprepared system so quickly and easily that you get too little information to take further action. To have a real effect, the information obtained by the "red team" must be compared with previous penetration tests and vulnerability assessments.

What is penetration testing?


Complex imitation of a real attack (Red Teaming) is often confused with penetration testing (pentest), but the two methods are slightly different. More precisely, penetration testing is just one of the red teaming methods.

The role of a pentester is well defined. The work of pentesters is divided into four main stages: planning, information discovery, attack, and reporting. As you can see, pentesters do more than just look for software vulnerabilities. They try to put themselves in the shoes of hackers, and once they get into your system, their real work begins.

They discover vulnerabilities and then carry out new attacks based on the information received, moving through the folder hierarchy. This is what distinguishes penetration testers from those who are hired only to find vulnerabilities using port scanners or antivirus software. An experienced pentester can determine:

  • where hackers might direct their attack;
  • how the hackers will attack;
  • how your defenses will respond;
  • the possible extent of the breach.

Penetration testing focuses on identifying weaknesses at the application and network levels, as well as opportunities to overcome physical security barriers. While automated testing can reveal some cybersecurity issues, manual penetration testing also takes into account the vulnerability of a business to attacks.

Red Teaming vs. penetration testing

Undoubtedly, penetration testing is important, but it is only one part of a whole series of red teaming activities. The activities of the "red team" have much broader goals than those of pentesters, who often simply seek to gain access to the network. Red teaming often involves more people, resources and time as the red team digs deep to fully understand the true level of risk and vulnerability in technology and in the organization's human and physical assets.

In addition, there are other differences. Red teaming is typically used by organizations with more mature and advanced cybersecurity measures (although this is not always the case in practice).

These are usually companies that have already done penetration testing and fixed most of the vulnerabilities found, and are now looking for someone who can try again to access sensitive information or break the protection in any way.
This is why red teaming relies on a team of security experts focused on a specific goal. They target internal vulnerabilities and use both electronic and physical social engineering techniques on the organization's employees. Unlike pentesters, red teams take their time during their attacks, wanting to avoid detection like a real cybercriminal would.

Benefits of Red Teaming


There are many advantages to complex simulation of real attacks, but most importantly, this approach allows you to get a comprehensive picture of the level of cybersecurity of an organization. A typical end-to-end simulated attack process would include penetration testing (network, application, mobile and other devices), social engineering (live on-site, phone calls, email, or text messages and chat), and physical intrusion (picking locks, finding the dead zones of security cameras, bypassing alarm systems). If there are vulnerabilities in any of these aspects of your system, they will be found.

Once vulnerabilities are found, they can be fixed. An effective attack simulation procedure does not end with the discovery of vulnerabilities. Once the security flaws are clearly identified, you'll want to work on fixing them and retesting. In fact, the real work usually begins after a red team intrusion, when you perform forensic analysis of the attack and try to mitigate the vulnerabilities found.

In addition to these two main benefits, red teaming also offers a number of others. The "red team" can:

  • identify risks and vulnerabilities to attacks in key business information assets;
  • simulate the methods, tactics and procedures of real attackers in an environment with limited and controlled risk;
  • assess your organization's ability to detect, respond to, and prevent complex, targeted threats;
  • encourage close collaboration with security departments and blue teams to provide significant mitigation and conduct comprehensive hands-on workshops following discovered vulnerabilities.

How does Red Teaming work?

A great way to understand how red teaming works is to look at a typical engagement. The usual process of complex attack simulation consists of several stages:

  • The organization agrees with the "red team" (internal or external) on the purpose of the attack. For example, such a goal could be to retrieve sensitive information from a particular server.
  • Then the "red team" conducts reconnaissance of the target. The result is a map of the target systems, including network services, web applications, and internal employee portals.
  • After that, the red team looks for vulnerabilities in the target system, which are usually exploited using phishing or XSS attacks.
  • Once access tokens are obtained, the red team uses them to investigate further vulnerabilities.
  • When other vulnerabilities are discovered, the "red team" will seek to raise its level of access to the level necessary to achieve the goal.
  • Upon gaining access to the target data or asset, the attack task is considered completed.

In fact, an experienced red team specialist will use a huge number of different methods to get through each of these steps. However, the key takeaway from the above example is that small vulnerabilities in individual systems can turn into catastrophic failures if chained together.

What should be considered when referring to the "red team"?


To get the most out of red teaming, you need to prepare carefully. The systems and processes used by each organization are different, and red teaming delivers the most value when it is aimed at finding vulnerabilities in your own systems. For this reason, it is important to consider a number of factors:

Know what you are looking for

First of all, it is important to understand which systems and processes you want to check. Perhaps you know that you want to test a web application, but you don't understand very well what it really means and what other systems are integrated with your web applications. Therefore, it is important that you have a good understanding of your own systems and fix any obvious vulnerabilities before starting a complex simulation of a real attack.

Know your network

This is related to the previous recommendation, but is more about the technical characteristics of your network. The better you can quantify your testing environment, the more accurate and specific your red team will be.

Know your budget

Red teaming can be performed at different levels, but simulating the full range of attacks on your network, including social engineering and physical intrusion, can be costly. For this reason, it is important to understand how much you can spend on such a check and, accordingly, outline its scope.

Know your level of risk

Some organizations may tolerate a fairly high level of risk as part of their standard business procedures. Others will need to limit their level of risk to a much greater extent, especially if the company operates in a highly regulated industry. Therefore, when conducting red teaming, it is important to focus on the risks that really pose a danger to your business.

Red Teaming: Tools and Tactics


If implemented correctly, the "red team" will carry out a full-scale attack on your networks using all the tools and methods used by hackers. Among other things, this includes:

  • Application Penetration Testing - aims to identify weaknesses at the application level, such as cross-site request forgery, data input flaws, weak session management, and many others.
  • Network Penetration Testing - aims to identify weaknesses at the network and system level, including misconfigurations, wireless network vulnerabilities, unauthorized services, and more.
  • Physical Penetration Testing - checks the effectiveness, as well as the strengths and weaknesses, of physical security controls in practice.
  • Social Engineering - aims to exploit the weaknesses of people and human nature, testing people's susceptibility to deceit, persuasion and manipulation through phishing emails, phone calls and text messages, as well as physical contact on site.

All of the above are components of red teaming. It's a full-blown, layered attack simulation designed to determine how well your people, networks, applications, and physical security controls can withstand an attack from a real attacker.

Continuous development of Red Teaming methods

The nature of the complex simulation of real attacks, in which red teams try to find new security vulnerabilities and blue teams try to fix them, leads to the constant development of methods for such checks. For this reason, it is difficult to compile an up-to-date list of modern red teaming techniques, as they quickly become obsolete.

Therefore, most red teamers will spend at least part of their time learning about new vulnerabilities and how they are exploited, using the many resources provided by the red team community. Here are the most popular of these communities:

  • Pentester Academy is a subscription service that offers online video courses focused primarily on penetration testing, as well as courses on operating system forensics, social engineering tasks, and assembly language for information security.
  • Vincent Yiu is an "offensive cybersecurity operator" who regularly blogs about methods for complex simulation of real attacks and is a good source of new approaches.
  • Twitter is also a good source if you're looking for up-to-date red teaming information. You can find it with the hashtags #redteam and #redteaming.
  • Daniel Miessler is another experienced red teaming specialist who produces a newsletter and podcast, runs a website and writes a lot about current red team trends. Among his recent articles: "Purple Team Pentest Means Your Red and Blue Teams Have Failed" and "Vulnerability Rewards and When to Use Vulnerability Assessment, Penetration Testing, and Comprehensive Attack Simulation".
  • Daily Swig is a web security newsletter sponsored by PortSwigger Web Security. This is a good resource to learn about the latest developments and news in the field of red teaming - hacks, data leaks, exploits, web application vulnerabilities and new security technologies.
  • Florian Hansemann is a white hat hacker and penetration tester who regularly covers new red team tactics in his blog.
  • MWR Labs is a good, albeit extremely technical, source of red teaming news. They publish tools useful for red teams, and their Twitter feed contains tips for solving problems that security testers face.
  • Emad Shanab is a lawyer and "white hat hacker". His Twitter feed has techniques useful for "red teams", such as writing SQL injections and forging OAuth tokens.
  • MITRE's Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a curated knowledge base of attacker behavior. It tracks the phases of the attacker life cycle and the platforms they target.
  • The Hacker Playbook is a guide for hackers which, although quite old, covers many of the fundamental techniques that are still at the heart of complex imitation of real attacks. Author Peter Kim also has a Twitter feed in which he offers hacking tips and other information.
  • SANS Institute is another major provider of cybersecurity training materials. Their Twitter feed, focused on digital forensics and incident response, contains the latest news on SANS courses and advice from expert practitioners.
  • Some of the most interesting news about red teaming is published in Red Team Journal. There are technology-focused articles such as a comparison of Red Teaming with penetration testing, as well as analytical articles such as The Red Team Specialist Manifesto.
  • Finally, Awesome Red Teaming is a GitHub community that offers a very detailed list of resources dedicated to Red Teaming. It covers virtually every technical aspect of a red team's activities, from gaining initial access and performing malicious activities to collecting and exfiltrating data.

"Blue team" - what is it?


With so many multi-colored teams, it can be difficult to figure out which type your organization needs.

One alternative to the red team, and more specifically another type of team that can be used in conjunction with the red team, is the blue team. The Blue Team also assesses network security and identifies any potential infrastructure vulnerabilities. However, it has a different goal. Teams of this type are needed to find ways to protect, change and regroup defense mechanisms to make incident response much more effective.

Like the red team, the blue team must have the same knowledge of attacker tactics, techniques, and procedures in order to create response strategies based on them. However, the duties of the blue team are not limited to just defending against attacks. It is also involved in strengthening the entire security infrastructure, using, for example, an intrusion detection system (IDS) that provides continuous analysis of unusual and suspicious activity.

Here are some of the steps that the "blue team" takes:

  • security audit, in particular DNS audit;
  • log and memory analysis;
  • analysis of network data packets;
  • risk data analysis;
  • digital footprint analysis;
  • reverse engineering;
  • DDoS testing;
  • development of risk implementation scenarios.

Differences between red and blue teams

A common question for many organizations is which team they should use, red or blue. This question is also often accompanied by friendly animosity between people who work "on opposite sides of the barricades." In reality, neither team makes sense without the other. So the correct answer to this question is that both teams are important.

The Red Team is attacking and is used to test the readiness of the Blue Team to defend. Sometimes the red team may find vulnerabilities that the blue team has completely overlooked, in which case the red team must show how those vulnerabilities can be fixed.

It is vital for both teams to work together against cybercriminals to strengthen information security.

For this reason, it makes no sense to choose only one side or invest in only one type of team. It is important to remember that the goal of both parties is to prevent cybercrime.
In other words, companies need to establish mutual cooperation between both teams in order to provide a comprehensive audit - with logs of all attacks and checks performed, and records of what was detected.

The "red team" provides information about the operations they performed during the simulated attack, while the blue team provides information about the actions they took to fill in the gaps and fix the vulnerabilities found.
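The stages of the attack chain listed above and the joint audit just described ("logs of all attacks and checks performed, and records of what was detected") come together in a purple-team coverage check. The following is an added example, not code from the article or from any of the teams or vendors it mentions: it joins a constructed red-team operations log with a constructed blue-team alert log by ATT&CK technique ID and time, and reports which stages were detected promptly, which were detected late, and which were missed entirely. The log formats, the 60-minute detection window and all sample timestamps are assumptions made for the example; the technique IDs are real ATT&CK identifiers used only as a common key between the two logs.

```python
"""Purple-team detection-coverage check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Constructed sample data: one line per red-team operation, in time order.
# Format (assumed): ISO timestamp | stage | ATT&CK technique ID | description
RED_TEAM_LOG = """\
2024-03-04T09:00:00|reconnaissance|T1595|port sweep of the web tier from 203.0.113.10
2024-03-04T10:15:00|initial-access|T1566|phishing email sent to five help-desk users
2024-03-04T11:02:00|credential-access|T1078|captured account used to log in to the employee portal
2024-03-04T13:40:00|privilege-escalation|T1068|local privilege escalation on the file server
2024-03-04T14:05:00|exfiltration|T1041|archive copied from the target share over the C2 channel
"""

# Constructed sample data: alerts the blue team's monitoring raised that day.
# Format (assumed): ISO timestamp | ATT&CK technique ID | alert message
BLUE_TEAM_ALERTS = """\
2024-03-04T09:07:30|T1595|IDS: port sweep from 203.0.113.10
2024-03-04T11:20:00|T1078|SIEM: impossible-travel login for user j.doe
2024-03-04T15:30:00|T1041|DLP: large outbound transfer to an unknown host
2024-03-04T16:00:00|T1110|SIEM: password spraying against the VPN gateway
"""


@dataclass
class Operation:
    time: datetime
    stage: str
    technique: str
    description: str


@dataclass
class Alert:
    time: datetime
    technique: str
    message: str


def parse_operations(text: str) -> list:
    """Parse the red team's operations log into Operation records."""
    ops = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, stage, technique, description = line.split("|", 3)
        ops.append(Operation(datetime.fromisoformat(ts), stage, technique, description))
    return ops


def parse_alerts(text: str) -> list:
    """Parse the blue team's alert log into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, technique, message = line.split("|", 2)
        alerts.append(Alert(datetime.fromisoformat(ts), technique, message))
    return alerts


def match_alert(op: Operation, alerts: list) -> Optional[Alert]:
    """Earliest alert for the same technique raised at or after the operation."""
    candidates = [a for a in alerts if a.technique == op.technique and a.time >= op.time]
    return min(candidates, key=lambda a: a.time) if candidates else None


def coverage(ops: list, alerts: list, window: timedelta = timedelta(minutes=60)) -> dict:
    """Classify each red-team stage as detected (within window), late, or missed."""
    report = {"detected": [], "late": [], "missed": [], "delays_min": []}
    for op in ops:
        alert = match_alert(op, alerts)
        if alert is None:
            report["missed"].append(op.stage)
            continue
        delay = alert.time - op.time
        report["delays_min"].append(delay.total_seconds() / 60)
        bucket = "detected" if delay <= window else "late"
        report[bucket].append(op.stage)
    report["coverage_pct"] = round(100 * len(report["detected"]) / len(ops), 1) if ops else 0.0
    report["median_delay_min"] = median(report["delays_min"]) if report["delays_min"] else None
    return report


def run_report() -> dict:
    """Run the coverage check over the constructed sample logs."""
    return coverage(parse_operations(RED_TEAM_LOG), parse_alerts(BLUE_TEAM_ALERTS))


if __name__ == "__main__":
    r = run_report()
    print(f"coverage: {r['coverage_pct']}%  median delay: {r['median_delay_min']} min")
    for bucket in ("detected", "late", "missed"):
        print(f"{bucket:9s}: {', '.join(r[bucket]) or '-'}")
```

On the sample data, two stages are detected within the window, the exfiltration is detected 85 minutes after the fact, and the phishing and privilege-escalation stages produce no alert at all. That last list is the purple team's work queue: each missed stage maps to a detection the blue team does not yet have, and the unrelated password-spraying alert shows why matching is done on technique and time rather than on "any alert that day".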

The importance of both teams cannot be underestimated. Without their ongoing security audits, penetration testing, and infrastructure improvements, companies would not be aware of the state of their own security. At least until the data is leaked and it becomes painfully clear that the security measures weren't enough.

What is a purple team?

The "Purple Team" was born out of attempts to unite the Red and Blue Teams. The Purple Team is more of a concept than a separate type of team. It is best viewed as a combination of red and blue teams. It engages both teams, helping them work together.

The Purple Team can help security teams improve vulnerability detection, threat discovery, and network monitoring by accurately modeling common threat scenarios and helping to create new threat detection and prevention methods.

Some organizations employ a Purple Team for one-time focused activities that clearly define security objectives, timelines, and key results. This includes recognizing weaknesses in attack and defense, as well as identifying future training and technology requirements.

An alternative approach now gaining momentum is to view the Purple Team as a visionary model that works throughout the organization to help create and continually improve a cybersecurity culture.

Conclusion

Red Teaming, or complex attack simulation, is a powerful technique for testing an organization's security vulnerabilities, but it should be used with care. In particular, using it requires sufficiently mature information security controls; otherwise it may not live up to the hopes placed on it.
Red teaming can reveal vulnerabilities in your system that you didn't even know existed and help fix them. By taking an adversarial approach between blue and red teams, you can simulate what a real hacker would do if he wanted to steal your data or damage your assets.

Source: habr.com
