By Kane Cutler
In the world of information security which is riddled with acronyms, the deceptively simple ‘Red Team’ may take a little explaining. Breaking down the initial letters of industry terms usually provides a clear indication of the service provided. But the term Red Team has its origins in the US intelligence community and its actual meaning is a little more mysterious. In that context, a Red Team explores alternative futures, challenging an organisation to improve its effectiveness. In our context, a Red Team provides real-world attack simulations designed to assess and significantly improve the effectiveness of an entire information security programme.
So, once you have undertaken a vulnerability assessment followed by a penetration test, engaging a Red Team is the next step. Its purpose is to go beyond the basic measures, subjecting your in-scope systems/applications to more advanced, persistent and bespoke attack scenarios.
The key difference between a penetration test and Red Team engagement is the extent of scope; thus replicating the wider view an actual attack would have. Because, while a penetration test is often focused upon a key application or system and is scoped following threat modelling, a Red Team engagement is fully bespoke and often ‘goal orientated’. This goal will often be: ‘we have this highly sensitive network/piece of data – can you get access to it?’
As a result, Red Team engagement includes a wide variety of applications, systems, people and physical locations within the scope of testing. Naturally the extent to which the Red Team will operate and engage will be defined by you, but it will take a wider view of potential attack vectors and mirror a persistent attacker. A Red Team engagement will therefore have free rein in terms of attempting to gain access to the defined goal whilst ensuring a controlled approach through in depth scoping.
In addition to the activities included as part of a vulnerability assessment and penetration test the Red Team will also employ a variety of other attack methods – such as Open Source Intelligence Review (OSINT) Phishing, Vishing, Smishing, Wireless Exploitation, Physical Testing and ‘Drop Box’ placement. Naturally the use and scope of these attack vectors will be driven by client requirements and the defined goal.
The benefits of this approach is that it allows you to validate your protection, monitoring and response solutions or processes. This assists in ensuring your organisation can respond to an emulated ‘real-world’ attack where varying avenues of approach can be used, rather than a limited focus on a single system.
The ultimate goal is to use offensive techniques to enable you to identify areas for improvement and/or to validate the capability of your response.
In the event that some of the attack methods don’t fit with your requirements (e.g. you don’t want Physical Intrusion/’Drop Box’ placement) then a Red Team approach may not be for you yet. However, SRM are able to fully tailor a testing solution that fits your needs in order to provide the most value to you. Where physical testing is not in scope you may better benefit from penetration testing with a wider scope defined, coupled with Phishing.
If you feel any of the above may be of benefit to you and your organisation, or if you simply would like to hear more please don’t hesitate to get in touch.