Red Teaming: The Ultimate Sanity Check for Security Teams

“The key to greatness is to be in reality what we appear to be.” - Socrates

In a modern twist on the words of Socrates, Red Teaming is the key to cybersecurity greatness. Organizations engaged in Red Teaming seek to achieve an operational reality where they not only appear to have a secure environment but can prove it, too. Hypothesizing how a team will react to an attack or guessing how tools will thwart intrusion attempts, without solid operational planning, doesn’t cut it against today’s threats or for decision makers holding the purse strings. This is where Red Teaming comes to the rescue to help security team leaders, VPs, CISOs, C-Suite, and the Board avoid security heartburn with a pragmatic offensive security solution.

On February 14, we celebrated Valentine’s Day in true hacker style with the launch of our webcast Avoid Security Heartbreak with Red Teaming. Hear my perspective, as a former CISO, on improving the Blue Team’s defenses, justifying and optimizing spend on security operations and tools, and how testing specific attack scenarios that matter to your organization can inform security decisions in 2023 and beyond. 

“CISOs have a tough job. They are tasked with protecting organizations with very limited resources and need to get buy-in across the stakeholders involved. So, they need to gauge which battles are worth fighting and what efforts will truly draw down risk. The answer to those questions requires an accurate map of the threat landscape and security controls.” - Trevin Edgeworth, Red Team Practice Director at Bishop Fox

Red Teaming: A Baseline Understanding

At the most basic level, Red Teaming is simply objective-based adversary emulation. Expanding upon that definition, it is an authorized, goal-driven method of simulating advanced adversary attacks to identify weaknesses and improve organizational resiliency against real-world threats. There are two core fundamentals to Red Teaming:

• Objective-based trophy hunting
• Adversary emulation, rooted in threat intelligence

Red Teaming engagements are based entirely on pre-determined attack objectives aka trophies. This can ­include scenarios like compromise and exfiltration of employee data, forcing an ATM to spill out cash, unauthorized wire transfers, or planting listening devices in executive board rooms. Unlike traditional penetration testing, Red Teaming utilizes many different attack paths outside of a network exploitation approach. Social engineering, gaining unauthorized physical access to a facility, or pivoting and traversing through a chain of networks and applications are all valid attack paths as Red Teams hunt for trophies.

Red Teaming emulates real world adversaries as closely as possible by using threat intelligence. This underscores that Red Teams emulate specific types of adversaries (as closely as possible) against an organization’s specialized security controls and environments to test real-world resiliency.

Red Teaming does many things, but a few things that it is not:

• Penetration testing
• Application testing
• Bug bounty or vulnerability hunting
• Risk or process auditing
• Policy or compliance review
• Standalone social engineering exercises

Now that we’ve covered what Red Teaming can and can’t do for organizations, we can explore why it is gaining traction amongst security leaders as a leading offensive security solution.

Red Teaming is Trending Up

Data Analytics

Internet searches for Red Teaming services are on the rise. Data analytics and search-term research from Google and Bishop Fox Marketing suggests that Red Teaming is growing in popularity. With economic recession on our doorstep, leaders and decision makers are looking closely at security investment ROI as budgets and staff diminish.

In terms of demand, there are several driving forces leading to increased demand for Red Teaming. Organizations are closely examining current realities and acknowledge that protection from cyber threats is necessary. Several years of newsworthy cybersecurity events like WannaCry, Log4j, Eternal Blue, and SolarWinds software supply chain attacks are just a few examples that no doubt put cybersecurity as the No. 1 priority for many organizations. Let’s not forget about new sophisticated ransomware attacks that victimize critical infrastructure and manufacturing entities, municipal areas, and school districts. These attacks are not conducted by run-of-the-mill cybercriminal groups anymore – nation-state actors have joined the party. These attacks and the threat actors carrying them out send a clear message that no organization is completely safe.

There is also significant geopolitical turmoil influencing the cyber world; the crisis in Ukraine and strife in Southeast Asia are strong influencing forces driving organizations to seek more robust, proactive cyber protection.

On the supply side, a lack of cybersecurity personnel to fill critical roles perpetuates across the industry, impacting organizations that outsource cybersecurity services. Red Teaming is a niche under the offensive security umbrella, and Red Teamers usually have a unique blend of skillsets and advanced tradecraft capabilities… meaning the supply is particularly scarce in the current workforce gap. Whether security teams outsource red teaming services or attempt to build an in-house team, there is a distinct lack of personnel supply.

The bottom line is that companies and boards are asking better questions to their security teams like: “Are we buttoned up against XYZ threat and could we potentially be a target?” They are seeking trusted and independent validation to build effective mitigation and remediation strategies. The demand for Red Teaming has increased significantly, yet supply can’t catch up.

Use Red Teaming to Make Tough Decisions

Since around 2010, there has been an explosion of cybersecurity technology firms offering products and services (roughly ~4,000 vendors), resulting in layered defense approaches comprised of multiple tool stacks. At this point, it is not uncommon for organizations to operate with up to 50 security vendors simultaneously. Alert fatigue anyone?

It turns out that Red Teaming is an excellent resource to help provide a baseline sanity check for security teams and beyond. Introducing Red Teaming into a security program can play a very important role in a top-down security strategy. A top-down strategy starts with defining:

• Company mission
• Organizational threat landscape
• Known threats
• Critical assets aka crown jewels
• Attack pathways to compromise the crown jewels

All these combined factors then drive the strategy for needed controls, assets, and personnel.

Here is where the Red Team comes into action. The threat scenarios against the critical assets are played out in a Red Team engagement as accurately as possible, revealing ground truth around how well the existing security controls operate. This also exposes inefficiencies across people, processes, and technology that are used to protect the organization.

“Boards wanted to know if they were spending money on the right things. Nothing was as satisfying to the Board, or myself as a CISO, than to say that we have run ourselves through the real paces of a real-world ransomware simulation that is mapped as closely as possible to the TTPs of the real adversary. This is how we fared across all our security posture against that particular threat scenario.” - Trevin Edgeworth, Red Team Practice Director at Bishop Fox

How Red Teams Inform Organizational Stakeholders

Security Operations

Red Teams are the ultimate sparring partner for Blue Teams. They operate as much as possible like the real adversary and then dissect every piece of the interaction for the Blue Team to absorb every win-loss that occurred. For a security operations team, the real value lies in that a Red Team shares the entire narrative to move the needle for the Blue Team’s improved security posture. Partnership through Purple Teaming is key to enabling security operations to detect and respond effectively.

Executive Leadership & Board

There are very few security solutions that truly show how a security organization come together as a whole through the lens of an actual simulation. Red Teaming is truly one-of-a-kind in this regard. Adopting a security approach with Red Teaming can assist in justifying the spending on new tools or alternatively show that the anticipated ROI for existing security stacks isn’t adding up. Red Teaming can also shine a light on redundancy in the security stack and offer objective results that leaders can use to pivot security funding in a more impactful direction.

Unicorns Among Unicorns

There isn’t a magic formula for building a Red Team, but here are our thoughts on we’ve assembled several Red Teams in the past, including at Bishop Fox:

• Find people that are passionate about their craft.
• Team members can demonstrate excellent communication both internally and with clients.
• Creativity is non-negotiable.
• The sum is greater than its parts; no team member is great at everything. .

To learn more about internal Red Team culture, check out 10 Ground Rules for Red Teams.

Tips for Finding the Right Red Team Vendor

Ensure Adaptability

Don’t be afraid to ask questions to understand each vendor’s distinct capabilities. Red Teaming should be highly adaptable to each organization’s attack-objective scenarios. Look for vendors that are flexible, creative, and clearly able to customize to your organization’s threat needs.

At Bishop Fox, we conduct an architecture and attack graphing exercise, where we work with organizations to understand their core technologies coupled with how attackers could compromise the associated unique attack pathways. If your organization is considering hiring Red Team services for ransomware preparedness, a subset of Red Teaming, check out this guide to assess your current state of readiness.

Don’t Cut Corners

An offensive security provider should never cut corners when it comes to protecting a client’s environment. The right vendor should be spinning up new attack infrastructure for every single customer, so data is never cross-pollinated on the same system as another customer. Discussing the defined rules of the engagement process is very important and should be a critical factor in evaluating vendors.

Approach to Purple Teaming

If Purple Teaming is on the horizon, ask not only if it is supported, but how is it approached. Aim to define distinctive approaches before an engagement commences. This will lead to maximum ROI benefits.

Don’t Ghost a Red Team

Since Red Teaming focuses on very specific scenarios and objectives during an engagement, there are usually additional attack simulations that an organization would like to try in the future. For example, in complex financial institutions, there are so many different functions – retail locations, ATMs, wire transfer capabilities, and different lines of business. The best approach to Red Teaming is to adopt it as a strategic solution to analyze different parts of the attack surface at different points in time, such as quarterly engagements.

Don’t Get Security Heartburn

In short, Red Teaming is a logical next step for any organization seeking to thoroughly test defenses against the most perilous threats. Don’t leave security to chance – pressure test with Red Teaming to understand exactly where you stand against today’s most advanced threats.

To learn about more Bishop Fox Red Teaming, check out the following resources:

• Getting Red Teaming Right: A How-to Guide
  
• Ready or Not? Test Your Ransomware Defenses Against Real-World Playbooks
• Ransomware Emulations: Pressure-Testing Scenarios for Cybersecurity Defense Teams
• Combating Ransomware with an Offensive Roadmap
• The Offensive Security Guide to Ransomware Readiness