A red team exercise can be a valuable way of testing how effective your security controls are. Having your internal security team, or an external consultant, simulate an attacker trying to breach your defences can reveal plenty. Their success or otherwise can show where you need to improve from a security perspective, or what you’re doing right.
I asked Neha Thethi, senior cybersecurity analyst at BH Consulting, to explain how a red team exercise works, how it can be useful, and how to interpret the results.
Firstly, she said that they’re best suited to companies with advanced security already in place. Part of the aim is to check how the organisation reacts when it discovers a breach or attack in progress. For an organisation still getting to grips with its risk exposure, a more general vulnerability assessment is more useful than a red team exercise.
Whereas pen testing usually involves testing a specific server for technical flaws, a red team exercise has a much wider brief. That could involve finding a weakness in the company’s online application, or dropping USB keys near its offices to see if someone will plug one into their machine and unwittingly infect the network with malware. In some cases, it’s about using social engineering to gain physical entry to a target’s building or to extract information over the phone.
“The very nature of red team is to check how you can infiltrate an organisation through whatever means possible, so it could be anything and everything,” Neha explains.
A red team generally starts by carrying out reconnaissance of its target, just like any good attacker would. This stage involves gathering open source intelligence, also called OSINT. In practice, Neha describes this as “Google the hell out of them and gather email addresses of key employees from places like LinkedIn.” This can reap big returns for attackers, as it’s a great chance to size up a target’s weak spots.
With a red team exercise, nothing is out of scope unless the client specifically asks for it. Neha says it’s worth agreeing in advance which systems or processes, if any, are included in the scope of the project.
Allocating the right time to a red team exercise is a matter of balancing budgets and priorities. Some red team exercises can go on for months. When the brief is simply to “try and break in”, the “attacker” has the element of surprise on their side. Other times, the goal is to see what progress a supposed attacker could make within a defined period. This might be as little as a week. So, the attacker might find vulnerabilities in a victim’s application but may not get to exploit them in time. Even such cases yield valuable intelligence for the organisation: the exercise identifies potential threats it might not have known about, and it can assess the risk to decide whether it needs to invest in making the affected system more secure.
So what benefit does an organisation get from asking a red team to probe and poke at its security? “The most value the organisation gets is getting the assurance about the areas that they’re good in. It’s very important not just to know what they were weak at, but to report on the things they do well,” Neha says.
The outcome of a red team exercise is a report highlighting any negative aspects of security that the “attacker” uncovers. The document should make recommendations about ways to make those weak points more secure. Equally, it’s just as important to highlight areas where the organisation is doing things right. Many real-world attacks start with phishing. So if a red team’s attempt was unsuccessful because the organisation had trained its employees to spot suspicious emails, that’s a valid finding to include. “One of the most important things in a report is to assure the customer that the measures they have are effective,” Neha says.
With a red team report, context is everything. Some security people tend to focus only on weaknesses. While weaknesses have their place in the report, it’s important to take the red team’s findings in context. There will usually be room for improvement, but it’s always encouraging to know what you’re doing right.