Red Teaming

Red team engagements are designed to stretch and test the capability of network defenders (blue teams), and to simulate the activities of a wide variety of known threat actors and malicious groups. As such, the capabilities and techniques used will prioritise engagement objectives, for example covert access and data theft, over assessment breadth and vulnerability assessment coverage.

Unlike penetration testing, which aims to identify vulnerabilities in a system, the objective of a red team engagement is to provide a comprehensive test of the effectiveness of a target organisation’s detection and response capabilities, measured against real-world attacks.

Red teaming is a highly bespoke service, and the specifics of each engagement will vary significantly based on target environment and overall objectives. The following key steps will typically be included in an engagement:

  • Planning - establishing the scope and objectives of the exercise, and forming an agreement of the types of threat to be simulated.
  • Reconnaissance - information gathering from available sources, in order to identify targets for physical and social engineering attacks, as well as identifying useful background information about the target.
  • Technical Ingress Point Identification - this may involve low intensity scanning and initial vulnerability assessment, potentially conducted covertly through anonymisation services if appropriate, in order to identify likely targets for technical attacks.
  • Initial Compromise - the initial compromise, using technical, physical or social engineering attacks. This phase is often taken as read for an “assumed breach” style engagement.
  • Persistence and C2 - establishing persistent access to the compromised system(s) and an effective Command and Control (C2) channel to allow further attacks.
  • Lateral Movement and Privilege Escalation - compromising other systems within the target environment and escalating privileges to gain access to sensitive information. This may also be used to strengthen any persistence already obtained, or to contextualise information obtained during initial reconnaissance.
  • Data Exfiltration - exfiltrating sensitive target information from the environment to CODA owned systems, where permitted by the Rules of Engagement (ROE). In some cases, this phase can be simulated if data protection or classification concerns would make genuine data exfiltration within the engagement window problematic.
  • Clean-up - removing implants and traces that the attack has taken place, where permitted by the ROE, and where appropriate to the level of covertness being simulated.
  • Reporting and Analysis - producing a high level narrative-based report that clearly explains the process used to compromise the target, supported by detailed technical findings and recommendations for how to increase the overall security of the target environment.
  • Knowledge Transfer - follow up calls and meetings to discuss the findings of the exercise, ensure that they have been understood, and to provide recommendations and guidance for the next steps.

As part of this process, it can be beneficial to collaborate closely with the blue team. Different levels of interaction can be used, from a detailed run-through of the attack timeline after the engagement is completed, all the way up to embedding a member of the red team into the blue team for the duration of the exercise (sometimes called purple teaming), to provide real-time insights into the ongoing attacks.

In order to provide a more cost-effective service, some steps of the process can be skipped or assumed to have happened “out of game”. This process is otherwise known as “white-carding” or “de-chaining”, depending on the specific context and engagement type. By providing information or access to the red team, the red team can save time, and therefore cost, by focusing on simulating attacks that are likely to yield meaningful data, rather than confirming potentially time-consuming and complex vulnerabilities that would be better assessed through penetration testing or auditing. This could include providing access such as:

  • A compromised workstation or set of low-privileged credentials, in order to simulate a successful phishing attack, physical intrusion or rogue insider.
  • A low-privileged account on an external system, in order to simulate a zero-day exploit (0-day).
  • A device connected to a guest wireless network, to remove the requirement to carry out testing onsite at a remote location.

Cyber adversary simulation (CyAS) is a variant of red teaming that focuses on a specific threat actor, rather than considering the broader threat model. This can be beneficial when an organisation has specific threat intelligence suggesting that they are likely to be targeted by a known threat actor.

The overall approach is similar to red teaming; however, the tactics, techniques and procedures (TTPs) used would be more closely aligned with the specific group, to provide a more realistic and focused simulation of an attack by them.