The term ‘Red Team’ has become increasingly prevalent in cybersecurity over the past few years, as defensive tactics increase against a very capable adversary. Could using this method of exercise really be the best stress test? Dan Raywood investigates the concept.

From the concept of the red pill and blue pill of The Matrix, to the concept of red meaning ‘danger’ or ‘warning’, the idea of a Red Team suggests that something is not safe and should be treated with caution. The concept of a Red Team has its origins in the US military or, according to some reports, the church. As Micah Zenko’s book Red Team – How to Succeed by Thinking Like the Enemy outlines: “Red Teaming is a practice as old as the role of the Devil’s Advocate, the eleventh-century Vatican official charged with discrediting candidates for sainthood.” According to an article published in Armed Forces Journal in November 2012, Lt Col Brendan Mulvaney, who directed the commandant’s Red Team and was the Marine officer in charge at the Army Directed Studies Office from 2009-2011, said: “Red Teaming is a white light that takes on various characteristics as it shines through the prism of different organizations. Some teams focus on physical intrusions, while others strive for projections or emulations; and the cyber realm has ushered in a whole host of new challenges.” If, as Mulvaney says, the general idea of Red Teaming is a “bright light we shine on ourselves to expose areas where we can improve effectiveness”, it is perhaps not a surprise that this concept has transferred over to the cybersecurity industry. The art of the Red Team is to take a team approach to attacking a company using multiple vectors; it extends the penetration test with social engineering and surveillance tactics. These methods are used and later reported back to the company, so that it can see where its weaknesses lie and better understand its own fallibility.

"Red Teaming is a simulated attack and a specific scenario is put in place and you have defined goals and not holes."

The Simulated Attack and Specific Scenario

Red Teaming exercises now form a crucial part of cyber-exercises and this is evident in global training programs. One such trainer is Nettitude, which describes Red Teaming and penetration testing as ‘two different animals’: in a penetration test you know where all of the holes are and how an average person could exploit and manipulate a vulnerability. “Red Teaming is a simulated attack and a specific scenario is put in place and you have defined goals and not holes”, says Miles Corn, growth account manager for the North America team. Rob Shapland, principal cybersecurity consultant at First Base, explains that a Red Team exercise enables you to understand what a business is worried about and what it could lose, and to assess the threat that the company faces. “You go through who is attacking them and talk with the client about who will likely attack them, rate the motivation and assess what an attacker will be after,” he explains. “So with organized crime or stealing a CEO’s file, we storyboard out ideas and come up with scenarios.” The concept of a Red Team is an extension of the penetration test, moving beyond finding vulnerabilities in applications and software to an overall effort to get to a company’s intellectual property by any means necessary. This can include breaking physical security, conducting social engineering exercises to gain access to the company, and cyber-attacks to get into the organization from the outside.
According to the SANS Institute document ‘Red Teaming: The Art of Ethical Hacking’, “Red Teaming is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access.” A Red Team will use tools to probe for vulnerabilities and, rather than seeking a single vulnerability, a Red Team “should test for all types of attacks (access, modification, denial of service, and repudiation) to provide a complete security assessment.” Shapland describes Red Teaming as “more creative than penetration testing”, as it requires different skills, including a combination of ‘sneaking in’ and technical skills. He says that it allows the attacker to be more imaginative, and that it is “more about social engineering and having the confidence to act in a certain manner and knowing how to act in a certain role.” “You want someone from a background in acting or military, [for example, which is] an eclectic mix. The more resources you have, the more of a good job you can do”, he adds, citing the example of the 2001 movie Ocean’s Eleven, in which a group of hackers, confidence tricksters and characters who won the trust of staff were able to rob Las Vegas casinos.

The People Behind the Deception

So what kind of people make a good Red Team? Shapland says that it is typically a combination of contracted staff and consultants, all of whom are trusted and vetted, and the size of the team depends on the task. For an exercise at a small to medium business, only two or three people may be required, but a team of double that size may be needed for a larger job. “The challenge for a good Red Team is people with the right skills”, says Shapland. Often, a team can also combine different age ranges, as a typical penetration tester may be younger while social engineers are of all ages, he adds. Kieran Combes is the Red Team manager at Marks & Spencer, part of a full-time team within the security department. He explains that, coming from a background in penetration testing and network and infrastructure work, he was attracted by the ability to effect change and to use a methodology for testing for vulnerabilities, as Red Teaming provides a broader remit for finding and reporting issues. “From my background, if I found a critical vulnerability that had a serious or severe impact, I would let people know as soon as possible,” Combes says. “If I find a way to exploit an organization, then I don’t sit on it for a month, I would let people know.” How does a scenario begin? Combes explains that you would start by looking for a vulnerable insider and understanding what access they have, while another member of the team would create a scenario acting as a regular employee to gain access and see how far they could go before being detected, prior to reaching the end goal. “A good Red Team manager should sort out a scenario and be able to figure out the end goal and starting parameters.” That’s what makes a Red Team, but who actually uses them?
Corn says that exercises are very common in financial services and in companies with critical information, which use a Red Team to “understand the threats out there and to simulate what an attacker looks like.” Corn claims that there is a lot more activity in the UK than in the USA at present, but he expects to see that change as “this is a proactive approach” where users are “going about it in a proactive and aggressive manner.” He explains that most companies take an attitude of “we want you to access this and can you get there”, so a Red Team will prepare using social media and dark markets to understand what the actual threats are. “So if it is a bank, we look at who is talking about it on the dark web and craft a simulated attack based on what we are seeing.” Shapland adds that interest in Red Teaming has increased in the last few years, even though he has been “banging the drum for more than 10 years” about the benefits of doing an exercise. “It started in banking and defense sectors, and filtered down to retail and insurance,” he says. “A company needs a baseline though, as if they have never had a penetration test done, a Red Team will rip you apart. The interest is increasing and big companies are looking to do this now.”