The benefits of Red Teaming

Will
April 7, 2021

Red teaming is not a new concept within the cyber security community. However, in Australia, Red Teaming is a relatively new term for most organisations. In this blog post we'll take a dive into:

  • What differentiates a Red Team engagement from a Penetration Test.
  • Why you shouldn't consider a red team engagement (You totally should.)
  • The overall benefits of a red team engagement.

The Differences

There are key differences between a Red Team engagement and a typical penetration test. The first difference to consider is that a Red Team engagement is almost always a 'black box' engagement, where very little information outside of clearly defined objectives is supplied by the client. This is also typically the case internally, with very few internal staff members being briefed on the engagement scope, objectives and timelines.

While a Red Team engagement and a penetration test can have very similar objectives, the target scope and approach will differ dramatically. For example, a typical perimeter penetration test will be restricted to targeting an organisation via the internet, utilising agreed attack methods. A Red Team engagement, however, will identify multiple attack surfaces to properly test an organisation's overall resilience to an attack from an advanced threat actor. A Red Team engagement will engage in activities such as:

  • Social Engineering
    • Phishing
    • Vishing
  • Physical Intrusion
    • Lock Picking
    • Tail Gating
    • Physical Implant/Device Placement
    • Physical Badge Cloning
  • Wireless Testing
  • Perimeter Testing
  • Vulnerability Exploitation

Another key difference between a typical penetration test and a Red Team engagement is the approach, team size and duration of the assessment. A typical penetration test engagement will generally consist of:

  • Clearly defined testing process/plan
  • Duration of five to ten business days
  • One resource assigned for the duration of the assessment.

A Red Team engagement differs slightly:

  • A dynamic testing process with a constantly evolving plan.
  • Duration of ten business days or more.
  • A minimum of two resources assigned for the duration of the assessment.

Due to the nature of a Red Team engagement, the team will need to create a multi-tiered plan to successfully achieve their target objectives. This involves granular enumeration processes prior to attempting any form of planning or exploitation against a target.

Considerations

Before considering a Red Team engagement over a traditional penetration test, we recommend that customers consider their cyber security defensive capabilities. For example, if your organisation does not have a cyber security team, a strategy, or critical security controls in place (such as the majority of the ACSC Essential Eight), then a Red Team engagement is likely not going to provide more value for you than a traditional penetration test.

The Benefits

A Red Team assessment will target multiple layers of your organisation to test its defensive capability against an attack from an Advanced Persistent Threat (APT). While a typical penetration test is limited to a specific service or environment, a Red Team assessment will target your technology, people and physical security to identify the risk posed by an APT against agreed objectives or scenarios.

As part of a Red Team assessment, you will be able to exercise your defensive technology, incident response and user awareness training to identify and contain an active breach. By working closely with the relevant teams, a Red Team is able to identify advanced vulnerabilities across multiple layers of an organisation and assist those teams in defending against successful attacks, maturing their defensive capabilities.

Overall, a Red Team engagement is an excellent way for an organisation to test its resilience against an advanced threat actor and to identify vulnerabilities in layers of the organisation it was otherwise not aware of.
