Red Teaming Is More Relevant Than Ever

Red Teaming, a form of proactive adversarial attack testing, was long been viewed as an extension of penetration testing but that is something of a deservice. Unlike a penetration test which tends to be limited in scope and overt, red teaming employs the tactics, techniques and procedures (TTPs) that a real attacker would use in a simulated attack and is carried out covertly.

It’s this ‘real world’ capability that sets it apart, with the red team seeking to exploit any chinks in the organisation’s defences and to continue to push forward and pivot the attack.  

Conversely, the blue team is composed of defenders who will attempt to detect any offensive activity. Their job is to identify the point of ingress, remove access or mitigate lateral movement in a bid to thwart the ‘attack’. In this respect, red teaming exercise can also be used to test the speed and agility of the blue team also often referred to as Mean Time to Detect (MMTD) and Mean Time to Respond (MTTR). Purple teaming sees both the red and blue teams collaborate, sharing TTPs to work together to identify vulnerabilities and can be useful for testing playbooks, for instance.

As to when to conduct a red team test, the general consensus is that the organisation needs to have a mature cyber security posture with good security hygiene in place by which we mean patching, monitoring and access control measures. There are numerous reasons why businesses embark on a red team test, from significant changes within the business in terms of transformation or a merger or acqusition, to risk assessing the infrastructure and its supply chain, to meet insurance or compliance demands or, of course, after the event when a security incident has already happened to reduce the risk of future compromise. But what is becoming apparent is that the need for red teaming is increasing.

Chinks In The Armour

Scenario-based testing never been more relevant thanks to a number of developments. Firstly, the way in which we work has changed enormously both in terms of the remote workforce and the move to distributed network architectures using the cloud. Securing both is far more challenging, requiring stringent endpoint monitoring and access control mechanisms based on the concept of Zero Trust. 

As of today, very few organisations have been able to successfully implement Zero Trust wholesale and Gartner predicts only 10% of large organisations will have mastered it by 2026. As a result, there are inevitably gaps in the infrastructure that an attacker can exploit. Application Programming Interfaces (APIs), which provide a fast and convenient way to spin up new services, or the Internet of Things (IoT), which again provides enhanced connectivity, have both been rapidly rolled out, for instance, and Gartner warns that its network elements such as these that could act as points of compromise. 

At the same time as technology has advanced, so too has the sophistication of attacks. We’ve seen the emergence of ransomware-as-a-service (RaaS), lowering the bar to entry, and organised assaults by nation state actors. There’s been a decrease in the time between when an attack commences and when it is detected, referred to as the dwell time, which went from a median of 10 days to 8 days for all attacks and from 9 days to 5 for ransomware attacks from 2022 to 2023, according to the Active Adversary Report for Tech Leaders 2023 from Sophos. This is most likely due to both improved detection capabilities but also the fact that attackers are speeding through the attack stages faster. They’re getting in and getting out with what they came for more quickly, indicating they have refined their TTPs.

Future Threats

We are now on the brink of AI-driven attacks that will further up the ante. Generative AI is expected to reduce costs for cybercriminals  by up to 96% according to the New Scientist by automating attacks. It will enable the reverse engineering of code, rapid malware development and the creation of backdoors, as well as the crafting of much more convincing phishing campaigns. The latter is particularly worrying when you consider that the majority of cyber attacks today (41%) use phishing as the vector for infection, according to the IBM Threat Intelligence Index 2023

To fight back against these escalating and emerging threats the organisation must become more proactive in identifying possible attack vectors and prioritising defences. Nothing will illuminate those threats more accurately than a red team test either conducted during a limited time period or until the attack/s are discovered by the blue team. Experienced providers will also often supplement their toolkits with open source and customised solutions to ensure maximum leverage so its worth asking what’s in their arsenal.

The value red testing confers lies in the reporting which will then unveil how far the red team were able to get and a detailed breakdown of each phase of the attack, from reconnaissance through to the development of payloads, exploit of vulnerabilities, escalation of privileges and potential exfiltration of data. By delving into these findings the security team can better understand the security posture, from identifying attack paths, to prioritising vulnerabilities and putting in place controls to mitigate issues. But the benefits can also extend further across the business, such as by informing end user education and training and helping to communicate risk to the board.

It's this ability to make security real and relevant to the business that makes red teaming so valuable. As the stakes increase, with business network architectures and workforces becoming more dispersed and attacks faster and more targeted, it’s this customised form of security testing that will help prioritise and target defence, helping to improve resilience.

Phil Robinson is Principal Consultant at Prism Infosec                                         Image: AndreyPopov

You Might Also Read: 

Why Are Businesses Ignoring Incident Response?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Critical Cyber Security Tips For Home & Family
British Voters Wide Open To Attack »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Bayshore Networks

Bayshore Networks

Bayshore Networks was founded to safely and securely protect Industrial IoT (IIoT) networks, applications, machines and workers from cyber threats.

Napatech

Napatech

Napatech develops and manufactures high speed network accelerators specifically designed for real-time network monitoring and analysis applications.

CONCERT

CONCERT

CONCERT is a Computer Emergency Response Team and cyber security information sharing network for companies, institutes and government in Korea.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

LiveVault

LiveVault

LiveVault delivers fully automated, turnkey, backup over the Internet or a private network connection for uninterrupted remote data protection.

Repulsa

Repulsa

Repulsa provides state-of-the-art, patented, fast filtering with over 700 million malicious IP addresses and over 30 million categorized site listings updated daily.

InGuardians

InGuardians

InGuardians is an independent information security consulting firm specializing in penetration testing, threat hunting, and hardware hacking.

Tyler Technologies

Tyler Technologies

Tyler Technologies is a leading provider of end-to-end information management solutions and services for local governments.

ThreatX

ThreatX

ThreatX provides complete web application & API protection to address expanding app footprints and complex attacks.

Mosaic Insurance

Mosaic Insurance

Mosaic is a next-generation global specialty insurer distinguished by an exceptional team, agile technology, and a structure that combines Lloyd’s of London strength with a global distribution network

Secuna Software Technologies

Secuna Software Technologies

Secuna is the most trusted Cybersecurity Testing Platform in the Philippines. Our pool of vetted security researchers will find and ethically report security vulnerabilities in your product.

SK Shieldus

SK Shieldus

SK shieldus are a converged security provider with business capabilities in both cybersecurity and physical security based on Big-Tech.

Paperclip

Paperclip

Paperclip provides paperless solutions while enabling compliance and security for the exchange of critical content.

CloudBees

CloudBees

CloudBees is building the world’s first end-to-end automated software delivery system, enabling companies to balance governance and developer freedom.

SecAI

SecAI

SecAI is an innovative threat intelligence-driven, and AI-powered vendor aiming at cyber threat detection and response.

Gibbs Consulting

Gibbs Consulting

Gibbs Consulting provides innovative, flexible, on-demand IT Services and IT Consulting that delivers value and successful outcomes for our clients.