Red Teaming Is More Relevant Than Ever

Uploaded on 2023-09-08 in TECHNOLOGY--Resilience, FREE TO VIEW

Red Teaming, a form of proactive adversarial attack testing, was long been viewed as an extension of penetration testing but that is something of a deservice. Unlike a penetration test which tends to be limited in scope and overt, red teaming employs the tactics, techniques and procedures (TTPs) that a real attacker would use in a simulated attack and is carried out covertly.

It’s this ‘real world’ capability that sets it apart, with the red team seeking to exploit any chinks in the organisation’s defences and to continue to push forward and pivot the attack.

Conversely, the blue team is composed of defenders who will attempt to detect any offensive activity. Their job is to identify the point of ingress, remove access or mitigate lateral movement in a bid to thwart the ‘attack’. In this respect, red teaming exercise can also be used to test the speed and agility of the blue team also often referred to as Mean Time to Detect (MMTD) and Mean Time to Respond (MTTR). Purple teaming sees both the red and blue teams collaborate, sharing TTPs to work together to identify vulnerabilities and can be useful for testing playbooks, for instance.

As to when to conduct a red team test, the general consensus is that the organisation needs to have a mature cyber security posture with good security hygiene in place by which we mean patching, monitoring and access control measures. There are numerous reasons why businesses embark on a red team test, from significant changes within the business in terms of transformation or a merger or acqusition, to risk assessing the infrastructure and its supply chain, to meet insurance or compliance demands or, of course, after the event when a security incident has already happened to reduce the risk of future compromise. But what is becoming apparent is that the need for red teaming is increasing.

Chinks In The Armour

Scenario-based testing never been more relevant thanks to a number of developments. Firstly, the way in which we work has changed enormously both in terms of the remote workforce and the move to distributed network architectures using the cloud. Securing both is far more challenging, requiring stringent endpoint monitoring and access control mechanisms based on the concept of Zero Trust.

As of today, very few organisations have been able to successfully implement Zero Trust wholesale and Gartner predicts only 10% of large organisations will have mastered it by 2026. As a result, there are inevitably gaps in the infrastructure that an attacker can exploit. Application Programming Interfaces (APIs), which provide a fast and convenient way to spin up new services, or the Internet of Things (IoT), which again provides enhanced connectivity, have both been rapidly rolled out, for instance, and Gartner warns that its network elements such as these that could act as points of compromise.

At the same time as technology has advanced, so too has the sophistication of attacks. We’ve seen the emergence of ransomware-as-a-service (RaaS), lowering the bar to entry, and organised assaults by nation state actors. There’s been a decrease in the time between when an attack commences and when it is detected, referred to as the dwell time, which went from a median of 10 days to 8 days for all attacks and from 9 days to 5 for ransomware attacks from 2022 to 2023, according to the Active Adversary Report for Tech Leaders 2023 from Sophos. This is most likely due to both improved detection capabilities but also the fact that attackers are speeding through the attack stages faster. They’re getting in and getting out with what they came for more quickly, indicating they have refined their TTPs.

Future Threats

We are now on the brink of AI-driven attacks that will further up the ante. Generative AI is expected to reduce costs for cybercriminals by up to 96% according to the New Scientist by automating attacks. It will enable the reverse engineering of code, rapid malware development and the creation of backdoors, as well as the crafting of much more convincing phishing campaigns. The latter is particularly worrying when you consider that the majority of cyber attacks today (41%) use phishing as the vector for infection, according to the IBM Threat Intelligence Index 2023.

To fight back against these escalating and emerging threats the organisation must become more proactive in identifying possible attack vectors and prioritising defences. Nothing will illuminate those threats more accurately than a red team test either conducted during a limited time period or until the attack/s are discovered by the blue team. Experienced providers will also often supplement their toolkits with open source and customised solutions to ensure maximum leverage so its worth asking what’s in their arsenal.

The value red testing confers lies in the reporting which will then unveil how far the red team were able to get and a detailed breakdown of each phase of the attack, from reconnaissance through to the development of payloads, exploit of vulnerabilities, escalation of privileges and potential exfiltration of data. By delving into these findings the security team can better understand the security posture, from identifying attack paths, to prioritising vulnerabilities and putting in place controls to mitigate issues. But the benefits can also extend further across the business, such as by informing end user education and training and helping to communicate risk to the board.

It's this ability to make security real and relevant to the business that makes red teaming so valuable. As the stakes increase, with business network architectures and workforces becoming more dispersed and attacks faster and more targeted, it’s this customised form of security testing that will help prioritise and target defence, helping to improve resilience.

Phil Robinson is Principal Consultant at Prism Infosec Image: AndreyPopov

You Might Also Read:

Why Are Businesses Ignoring Incident Response?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.