What is Red Teaming?

PurpleBox Security (prplbx) · 8 min read · Feb 3, 2022

This blog post was published on PurpleBox website on Feb 2nd, 2022.

Red Teaming is a simulation of a real attacker’s activity, based on the most up-to-date knowledge of the risks relevant to a specific company. It lets an independent security team stage real-world attacks to determine where the organization’s defenses can be breached, so that the business can address the issue. The term “Red Teaming” was coined by the military and intelligence communities. The core idea of Red Teaming is to bring an adversary’s perspective to bear on an organization’s defense mechanisms.

The red team usually gains initial access through the theft of user credentials or Social Engineering techniques. Once inside the network, the Red Team escalates its privileges and moves laterally across systems to penetrate the network as deeply as possible while avoiding detection.

Why is Red Teaming Important?

Red Teaming aids in the protection of your firm and all of its assets. It focuses on your company’s technology, people, and physical locations to ensure that you are prepared for whatever comes your way. Red teaming is essential for businesses of all sizes, because Red Teams are expected to be more inventive, thinking outside the box, than a traditional penetration test would be.

The Red Team Methodology

[Figure: the red team methodology]

Initial Reconnaissance: The attacker researches a potential victim, choosing the targets (both systems and people) and his/her attack strategy. The attacker may hunt for Internet-facing services or for individuals to exploit.

Initial Compromise: The attacker successfully executes malicious code on one or more systems. This is most often accomplished through Social Engineering (most commonly spear phishing), exploitation of a vulnerability in an Internet-facing system, or any other means available.

Establish Foothold: The attacker ensures that a newly compromised system remains under his/her control. Typically, the attacker gains a foothold on the victim’s machine by installing a persistent backdoor or downloading additional tools or malware.

Privilege Escalation: The attacker gains more control over systems and data. Password hash dumping (followed by password cracking or pass-the-hash attacks), keystroke/credential logging, obtaining PKI certificates, leveraging privileges held by an application, or exploiting a vulnerable piece of software are all common ways for attackers to elevate their privileges.

Internal Reconnaissance: The attacker explores the victim’s environment to better understand it, the roles and duties of key individuals, and where the company stores its sensitive information.

Lateral Movement: The attacker utilizes his/her access to move from system to system within the compromised environment.

Maintain Presence: The attacker ensures continued access to the environment.

Complete Mission: The attacker achieves his/her objective. This frequently entails stealing intellectual property, financial data, information about mergers and acquisitions, or Personally Identifiable Information (PII).

How Does Red Teaming Work?

To gain access to the network and move undetected across the environment, a successful red team must be cunning, adopting the mindset of a skilled adversary. The ideal red team member is both technical and creative, able to exploit system flaws and human nature alike. The Red Team must also be familiar with threat actor tactics, techniques, and procedures (TTPs), as well as the attack tools and frameworks used by today’s adversaries.

A member of the red team should have the following qualifications:

  • A thorough understanding of computer systems and protocols, as well as security methodologies, tools, and protections.
  • Strong software development skills, needed to create specialized tools that bypass typical security methods and controls.
  • Experience in penetration testing, which allows the member to exploit common flaws while avoiding activities that are frequently monitored or easily recognized.
  • Social engineering skills that enable the member to persuade others to share information or credentials.

The best way to understand how Red Teaming works in detail is to look at how a typical red team exercise unfolds. A typical red team process has several stages:

  • The purpose of the exercise is agreed between the organization and the Red Team (whether in-house or externally contracted). This purpose could, for example, be the retrieval of sensitive information from a specific server.
  • After that, the Red Team will conduct reconnaissance on the objective. A map of the target systems, including network services, web apps, and employee services, will be created as a result of this.
  • An attempt will be made to gain a session on the system using phishing techniques or any detected vulnerabilities.
  • The Red Team will utilize their access to probe for other vulnerabilities after valid access tokens have been secured.
  • If more vulnerabilities are discovered, the Red Team will try to raise their access level to the required level to get access to the target.
  • The target data or asset is reached once this is accomplished.

In practice, an experienced Red Team member will apply a wide range of methods to complete each of these phases. The main conclusion from the sample attack scheme above, however, is that small flaws in individual systems can add up to catastrophic failures when chained together.

Red Team Tactics

Exercising with the Red Team

To exploit flaws in the security architecture, red teams employ a range of approaches and tools. A red team member may, for example, infect a host with malware to disable security protections, or use social engineering tactics to obtain access credentials while posing as someone else.

The MITRE ATT&CK Framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, is often used in red team engagements. The framework serves as a foundation for building prevention, detection, and response capabilities that can be tailored to the specific needs of each organization and to emerging threats. In addition, red teams shape their attacks by following the Cyber Kill Chain model.

The following are some examples of red team activities:

  • Penetration testing, in which a member of the red team tries several real-world tactics to gain access to a system.
  • Social engineering techniques that manipulate employees or other network members into sharing, disclosing, or creating network credentials.
  • Intercepting communications to map the network or learn more about the environment in order to get past standard security measures.
  • Cloning an administrator’s access card to gain entry to restricted areas.

What is the MITRE ATT&CK Framework?

In 2013, MITRE published the MITRE ATT&CK Framework to detail attacker tactics and approaches based on real-world observations. This index is constantly updated to reflect changes in the threat landscape, and it has become a well-known information repository for the industry to better understand attacker models, techniques, and countermeasures.

What is the Cyber Kill Chain Method?

The Cyber Kill Chain is essentially a Cybersecurity model created by Lockheed Martin that traces the stages of a cyber-attack, identifies vulnerabilities, and helps security teams to stop the attacks at every stage of the chain.

[Figure: Cyber Kill Chain method]

Example Red Teaming Scenario

An example scenario is shown using the Cyber Kill Chain method:

Reconnaissance: The customer’s IP addresses, the ports open on those addresses, the services running on those ports, and the social media accounts and e-mail addresses of employees are determined.

Weaponization: Exploit code or malware is prepared and placed on a USB device.

Delivery: A location where employees gather is identified and the prepared USB device is dropped there. Exploiting people’s curiosity ensures that someone picks up the device.

Exploitation: Access to the target computer is obtained when the person who found the USB device plugs it into a computer belonging to the customer.

Installation: The privileges of the user account obtained on the target computer are checked. If it is a low-privilege user, vulnerabilities that allow privilege escalation are sought on the system. If the user’s privileges are high, persistence is established by adding a new key under the “HKCU\Software\Microsoft\CurrentVersion\Run” path. Afterward, the password information of users logged on to the computer is retrieved from memory.
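From the defender’s side, the Run-key persistence used in this step is visible in endpoint telemetry. The following Python is an added example (not code from the original post or from PurpleBox) that scans constructed Sysmon-style “registry value set” records for writes into Run/RunOnce keys and rates each finding by where the writing process lives; the flattened event format, the sample paths and the severity rule are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, flattened to one
# "key=value ..." line each; not real telemetry. Sysmon renders HKCU as HKU\<user SID>.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\explorer.exe TargetObject=HKU\\S-1-5-21-1-2-3-1001"
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe TargetObject=HKU\\S-1-5-21-1-2-3-1001"
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater Details=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "EventID=13 Image=C:\\Program Files\\Vendor\\setup.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows"
    "\\CurrentVersion\\RunOnce\\VendorSetup Details=C:\\Program Files\\Vendor\\setup.exe /finish",
    "EventID=12 Image=C:\\Windows\\regedit.exe TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Test",
]

# Autostart keys under HKCU (HKU\<SID> in Sysmon output) and HKLM; the value name is captured.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<value>[^\\]+)$", re.IGNORECASE
)
# A writer living in a user-writable location is rated higher than an installer under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
# Values may contain spaces, so fields are split on "<name>=" boundaries rather than on whitespace.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def find_run_key_persistence(lines):
    """Return a finding for every 'value set' event that lands in a Run/RunOnce key."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only value-set events create or change an autostart entry
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        image = ev.get("Image", "")
        findings.append({
            "hive": ev["TargetObject"].split("\\", 1)[0],
            "value_name": m.group("value"),
            "writer": image,
            "command": ev.get("Details", ""),
            "severity": "high" if USER_WRITABLE_RE.search(image) else "medium",
        })
    return findings
```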

Command & Control: Communication with the command server is established. Lateral movement across the network is performed with the Pass the Hash attack, using the credentials obtained from memory. The credentials of logged-on users are harvested from the memory of each computer reached until a Domain Admin account is obtained.

Actions On Objectives: Using methods such as DNS tunneling, SSH tunneling or ICMP tunneling, critical data is exfiltrated from the customer’s network to us. The red teaming exercise is completed successfully once critical data has been extracted.
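The tunneling exfiltration in this step leaves a distinctive pattern in resolver logs. Below is an added Python example (not from the original post or from PurpleBox) that scores constructed DNS query log lines per registered domain on the number, length and character entropy of their subdomains and flags the likely tunnel; the log format, the thresholds and the last-two-labels rule for the registered domain are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines ("<ts> client=<ip> qtype=<type> qname=<name>"); not real traffic.
SAMPLE_DNS_LOG = [
    "2022-02-02T10:00:01 client=10.0.0.5 qtype=A qname=www.purplebox.example",
    "2022-02-02T10:00:02 client=10.0.0.5 qtype=A qname=mail.purplebox.example",
    "2022-02-02T10:00:03 client=10.0.0.5 qtype=TXT qname=mfrggzdfmztwq2lknnwg23tpobyxe43u.t.exfil.example",
    "2022-02-02T10:00:04 client=10.0.0.5 qtype=TXT qname=ge2dsmzqgy3tenjvhe4dknjwgq4dombr.t.exfil.example",
    "2022-02-02T10:00:05 client=10.0.0.5 qtype=TXT qname=pbqxg5dpoj2w433qnfzsa43sovrxg5bo.t.exfil.example",
]

MIN_UNIQUE, MIN_MEAN_LEN, MIN_MEAN_ENTROPY = 3, 20, 3.0  # thresholds chosen for this example

def shannon_entropy(text):
    """Bits per character; encoded payload chunks score far above ordinary hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_qname(qname):
    """(subdomain, registered domain); the last-two-labels rule is a simplification (use a public-suffix list in practice)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def dns_tunnel_stats(lines):
    """Per registered domain: number of distinct subdomains and their mean length and entropy."""
    per_domain = defaultdict(set)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])  # skip the timestamp
        sub, dom = split_qname(fields["qname"])
        if sub:  # apex queries carry no subdomain to measure
            per_domain[dom].add(sub.replace(".", ""))
    return {
        dom: {
            "unique_subdomains": len(subs),
            "mean_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
        for dom, subs in per_domain.items()
    }

def flag_dns_tunneling(lines):
    """Domains whose pattern looks like a DNS tunnel: many distinct, long, high-entropy subdomains."""
    return sorted(
        dom for dom, s in dns_tunnel_stats(lines).items()
        if s["unique_subdomains"] >= MIN_UNIQUE
        and s["mean_len"] >= MIN_MEAN_LEN
        and s["mean_entropy"] >= MIN_MEAN_ENTROPY
    )
```

Each indicator alone is weak (CDNs use long labels, some hostnames are random-looking), so the flag requires all three to hold for the same domain.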

A penetration test is carried out with the knowledge of the participants. It is neither stealthy nor evasive, and it does not test the Blue Team’s capacity to detect and respond, because the Blue Team is aware of the scope and of the test being undertaken.

Red teaming, on the other hand, emulates advanced threat actors who use stealth and carry out real-world attacks. This is done to identify weaknesses in the defensive approach; its true value lies in understanding how an organization responds to real-world attacks.

Because red teaming is a covert operation, it is carried out without the knowledge of the Blue Team. If the Blue Team discovers malicious activity, it takes action.

https://owasp.org/www-project-web-security-testing-guide/

In this blog post, we shared what Red Teaming is, the Red Team’s point of view and the methods it follows, what the Cyber Kill Chain is, and what the MITRE ATT&CK Framework is and where it is used.

Every day, new security threats emerge around the world. Red Teaming is required for enterprises to remain resilient and deliver the best possible security. In conclusion, Red Teaming is very important for companies to reach a certain level of security maturity.

Stay safe from cyber-attacks!

If you want to read more on this topic, feel free to check out the PurpleBox Blog Section.
