Red Teaming Is More Relevant Than Ever

Red Teaming, a form of proactive adversarial attack testing, has long been viewed as an extension of penetration testing, but that is something of a disservice. Unlike a penetration test, which tends to be limited in scope and overt, red teaming employs the tactics, techniques and procedures (TTPs) that a real attacker would use in a simulated attack, and it is carried out covertly.

It’s this ‘real world’ capability that sets it apart, with the red team seeking to exploit any chinks in the organisation’s defences and to keep pushing forward and pivoting the attack.

Conversely, the blue team is composed of defenders who will attempt to detect any offensive activity. Their job is to identify the point of ingress, remove access or mitigate lateral movement in a bid to thwart the ‘attack’. In this respect, a red teaming exercise can also be used to test the speed and agility of the blue team, often measured as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Purple teaming sees the red and blue teams collaborate, sharing TTPs to identify vulnerabilities together, and can be useful for testing playbooks, for instance.

As to when to conduct a red team test, the general consensus is that the organisation needs to have a mature cyber security posture with good security hygiene in place, by which we mean patching, monitoring and access control measures. There are numerous reasons why businesses embark on a red team test: significant changes within the business such as a transformation programme or a merger or acquisition, risk assessing the infrastructure and its supply chain, meeting insurance or compliance demands or, of course, after the event, when a security incident has already happened, to reduce the risk of future compromise. But what is becoming apparent is that the need for red teaming is increasing.

Chinks In The Armour

Scenario-based testing has never been more relevant thanks to a number of developments. Firstly, the way in which we work has changed enormously, both in terms of the remote workforce and the move to distributed network architectures using the cloud. Securing both is far more challenging, requiring stringent endpoint monitoring and access control mechanisms based on the concept of Zero Trust.

As of today, very few organisations have been able to implement Zero Trust wholesale, and Gartner predicts only 10% of large organisations will have mastered it by 2026. As a result, there are inevitably gaps in the infrastructure that an attacker can exploit. Application Programming Interfaces (APIs), which provide a fast and convenient way to spin up new services, and the Internet of Things (IoT), which again provides enhanced connectivity, have both been rapidly rolled out, for instance, and Gartner warns that it is network elements such as these that could act as points of compromise.

At the same time as technology has advanced, so too has the sophistication of attacks. We’ve seen the emergence of ransomware-as-a-service (RaaS), lowering the bar to entry, and organised assaults by nation state actors. There’s been a decrease in the time between when an attack commences and when it is detected, referred to as the dwell time, which went from a median of 10 days to 8 days for all attacks and from 9 days to 5 for ransomware attacks between 2022 and 2023, according to the Active Adversary Report for Tech Leaders 2023 from Sophos. This is most likely due both to improved detection capabilities and to attackers moving through the attack stages faster. They’re getting in and getting out with what they came for more quickly, indicating they have refined their TTPs.

Future Threats

We are now on the brink of AI-driven attacks that will further up the ante. Generative AI is expected to reduce costs for cybercriminals by up to 96%, according to the New Scientist, by automating attacks. It will enable the reverse engineering of code, rapid malware development and the creation of backdoors, as well as the crafting of much more convincing phishing campaigns. The latter is particularly worrying when you consider that the largest share of cyber attacks today (41%) use phishing as the vector for infection, according to the IBM Threat Intelligence Index 2023.

To fight back against these escalating and emerging threats, the organisation must become more proactive in identifying possible attack vectors and prioritising defences. Nothing will illuminate those threats more accurately than a red team test, whether conducted over a limited time period or until the attack(s) are discovered by the blue team. Experienced providers will also often supplement their toolkits with open source and customised solutions to ensure maximum leverage, so it’s worth asking what’s in their arsenal.

The value red team testing confers lies in the reporting, which will unveil how far the red team were able to get and give a detailed breakdown of each phase of the attack, from reconnaissance through to the development of payloads, exploitation of vulnerabilities, escalation of privileges and potential exfiltration of data. By delving into these findings the security team can better understand the security posture, from identifying attack paths, to prioritising vulnerabilities and putting in place controls to mitigate issues. But the benefits can also extend further across the business, such as by informing end user education and training and helping to communicate risk to the board.

It's this ability to make security real and relevant to the business that makes red teaming so valuable. As the stakes increase, with business network architectures and workforces becoming more dispersed and attacks faster and more targeted, it’s this customised form of security testing that will help prioritise and target defence, helping to improve resilience.

Phil Robinson is Principal Consultant at Prism Infosec
