Red Teaming Is More Relevant Than Ever

Red Teaming, a form of proactive adversarial attack testing, has long been viewed as an extension of penetration testing, but that is something of a disservice. Unlike a penetration test, which tends to be limited in scope and overt, red teaming employs the tactics, techniques and procedures (TTPs) that a real attacker would use in a simulated attack and is carried out covertly.

It’s this ‘real world’ capability that sets it apart, with the red team seeking to exploit any chinks in the organisation’s defences and to continue to push forward and pivot the attack.

Conversely, the blue team is composed of defenders who will attempt to detect any offensive activity. Their job is to identify the point of ingress, remove access or mitigate lateral movement in a bid to thwart the ‘attack’. In this respect, a red teaming exercise can also be used to test the speed and agility of the blue team, often measured as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Purple teaming sees the red and blue teams collaborate, sharing TTPs to identify vulnerabilities together, and can be useful for testing playbooks, for instance.

As to when to conduct a red team test, the general consensus is that the organisation needs to have a mature cyber security posture with good security hygiene in place, by which we mean patching, monitoring and access control measures. There are numerous reasons why businesses embark on a red team test: significant changes within the business, such as a transformation or a merger or acquisition; risk assessing the infrastructure and its supply chain; meeting insurance or compliance demands; or, of course, after the event, when a security incident has already happened, to reduce the risk of future compromise. But what is becoming apparent is that the need for red teaming is increasing.

Chinks In The Armour

Scenario-based testing has never been more relevant thanks to a number of developments. Firstly, the way in which we work has changed enormously, both in terms of the remote workforce and the move to distributed network architectures using the cloud. Securing both is far more challenging, requiring stringent endpoint monitoring and access control mechanisms based on the concept of Zero Trust.

As of today, very few organisations have been able to successfully implement Zero Trust wholesale, and Gartner predicts only 10% of large organisations will have mastered it by 2026. As a result, there are inevitably gaps in the infrastructure that an attacker can exploit. Application Programming Interfaces (APIs), which provide a fast and convenient way to spin up new services, and the Internet of Things (IoT), which again provides enhanced connectivity, have both been rapidly rolled out, for instance, and Gartner warns that it’s network elements such as these that could act as points of compromise.

At the same time as technology has advanced, so too has the sophistication of attacks. We’ve seen the emergence of ransomware-as-a-service (RaaS), lowering the bar to entry, and organised assaults by nation state actors. There’s been a decrease in the time between when an attack commences and when it is detected, referred to as the dwell time, which went from a median of 10 days to 8 days for all attacks and from 9 days to 5 for ransomware attacks from 2022 to 2023, according to the Active Adversary Report for Tech Leaders 2023 from Sophos. This is most likely due to improved detection capabilities, but also to the fact that attackers are moving through the attack stages faster. They’re getting in and getting out with what they came for more quickly, indicating they have refined their TTPs.

Future Threats

We are now on the brink of AI-driven attacks that will further up the ante. Generative AI is expected to reduce costs for cybercriminals by up to 96%, according to the New Scientist, by automating attacks. It will enable the reverse engineering of code, rapid malware development and the creation of backdoors, as well as the crafting of much more convincing phishing campaigns. The latter is particularly worrying when you consider that the largest share of cyber attacks today (41%) use phishing as the vector for infection, according to the IBM Threat Intelligence Index 2023.

To fight back against these escalating and emerging threats, the organisation must become more proactive in identifying possible attack vectors and prioritising defences. Nothing will illuminate those threats more accurately than a red team test, either conducted during a limited time period or until the attack(s) are discovered by the blue team. Experienced providers will also often supplement their toolkits with open source and customised solutions to ensure maximum leverage, so it’s worth asking what’s in their arsenal.

The value red team testing confers lies in the reporting, which will unveil how far the red team were able to get and give a detailed breakdown of each phase of the attack, from reconnaissance through to the development of payloads, exploitation of vulnerabilities, escalation of privileges and potential exfiltration of data. By delving into these findings the security team can better understand the security posture, from identifying attack paths, to prioritising vulnerabilities and putting in place controls to mitigate issues. But the benefits can also extend further across the business, such as by informing end user education and training and helping to communicate risk to the board.

It's this ability to make security real and relevant to the business that makes red teaming so valuable. As the stakes increase, with business network architectures and workforces becoming more dispersed and attacks faster and more targeted, it’s this customised form of security testing that will help prioritise and target defence, helping to improve resilience.

Phil Robinson is Principal Consultant at Prism Infosec
