Red Team engagements are designed to stretch and test the capability of network defenders, and to simulate the activities of known threat actors and malicious groups. As such, the capabilities and techniques used will prioritise covert access and data theft over assessment breadth and vulnerability assessment coverage. This means that the outcome of a Red Team engagement should be treated differently from that of a penetration test: it is not a comprehensive list of the vulnerabilities present in the environment.
It is important to understand that Red Teaming is not just a more advanced type of penetration testing - it is a completely different activity with a different overall objective. The primary purpose of a Red Team engagement is to evaluate the effectiveness of the Blue Team, including both the technical monitoring and alerting systems that are in place, and the supporting processes used by the organisation to identify and respond to security incidents.
Red Teaming is a highly bespoke service, and the specifics of each engagement will vary significantly based on target environment and overall objectives. The following key steps will typically be included in an engagement:
- Planning - establishing the scope and objectives of the exercise.
- Reconnaissance - initial information gathering from publicly available sources, in order to identify targets for physical and social engineering attacks, as well as identifying useful background information about the target.
- Technical Ingress Point Identification - low intensity scanning and initial vulnerability assessment, in order to identify likely targets for technical attacks.
- Initial Compromise - the initial compromise, using technical, physical or social engineering attacks.
- Persistence and C2 - establishing persistent access to the compromised system(s) and an effective Command and Control (C2) channel to allow further attacks.
- Lateral Movement and Privilege Escalation - compromising other systems within the target environment and escalating privileges to gain access to sensitive information.
- Data Exfiltration - exfiltrating sensitive target information from the environment to CODA-owned systems.
- Clean-up - removing implants and any other artefacts left behind, so that no traces of the attack remain on the target systems.
- Reporting and Analysis - producing a high level narrative-based report that clearly explains the process used to compromise the target, supported by detailed technical findings and recommendations for how to increase the overall security of the target environment.
- Knowledge Transfer - follow up calls and meetings to discuss the findings of the exercise, ensure that they have been understood, and to provide recommendations and guidance for the next steps.
In order to provide a more cost-effective service, “white-carding” may be used during the engagement. This is where information or access is provided to the Red Team in order to save time, or to simulate attacks that cannot be easily carried out within the scope and timeframe of the engagement. This could include providing access or information such as:
- A compromised workstation or a set of low-privileged credentials, in order to simulate a successful phishing attack, physical intrusion or rogue insider.
- A low-privileged account on an external system, in order to simulate a zero-day exploit.
- A device connected to a guest wireless network, to remove the requirement to carry out testing onsite at a remote location.
White-carding can significantly reduce the cost and time required to carry out Red Teaming engagements, while still providing an effective test of the internal security controls and processes that are in place. The report should state clearly which steps were white-carded, since the detection and response controls covering those steps (for example, email filtering and user reporting for a simulated phishing compromise) will not have been exercised.