In my last post, I discussed the importance of “purple team” exercises to your cybersecurity program, in light especially of the increasing sophistication and resources of modern threat actors. Purple team exercises are a hybrid of the more concentrated blue team (which focuses on defensive security) and red team (which focuses on offensive security) exercises.
This hybridization is not a marker of superiority in approach, just difference. In this post, I’m going to drill down on the benefits of red team exercises, which is an area of personal focus and specialization for me.
Let’s start with a set of questions.
- Are your cybersecurity solutions configured to effectively alert you (and your security group) if a sophisticated attacker has gained access to your network?
- Have you validated that the attacker could exploit vulnerabilities and misconfiguration to compromise your environment?
- Perhaps most crucially, are you capable of detecting that an attack is ongoing within your environment?
Answering these questions is what a red team exercise is for.
Seeing red
Red team exercises, with predefined goals, strategically exploit vulnerabilities and misconfigurations to assess your environment's detection and response capabilities. These exercises prioritize threats to key assets, providing context to exploited attack paths based on the value of achieving each goal.
These goals could, for example, consist of:
- Compromising a privileged domain admin account
- Compromising the system that holds the client information and extracting data
- Accessing a specific critical segmented network
- Pivoting through various environments to access another critical division
- Accessing sensitive information
A red team exercise is divided in multiple phases to ensure coverage of both the external and internal perimeters. Each phase mimics not only attacker behavior but also their tactics, techniques and procedures (aka, TTPs). These phases run as follows:
1. Reconnaissance
This phase actually consists of the combination of reconnaissance and enumeration. Reconnaissance is about gathering all relevant information on the target, determining the size of its attack surface, and thus determining the next steps. Enumeration, on the other hand, concerns all the actions that make it possible to identify the ports and services available on the attack surface.
2. Initial foothold
With the goal of compromising the organization's network by obtaining access to an internal system, this phase implements various exploits and phishing techniques. In some cases, physical testing may be used.
3. Persistence
The third phase is dedicated to ensuring that access to the network is maintained.
4. Lateral movement
The fourth phase is critical from a detection perspective. The simulated attacker will attempt to move from the initially compromised system to other systems within the environment. This phase also includes internal reconnaissance to gain a better overall understanding of the targeted network. The phase therefore usually generates a lot of noise, which can be detected if proper controls are in place. During a red team exercise, not all systems are compromised—only those that could allow the simulated attacker to get closer to the predefined goals.
5. Achieving predefined goals
Where the lateral movement phase allowed the simulated attacker to gain access to other key systems that can be used to access valuable data, this phase is all about evidence collection and demonstrating the impact of the attack path tied to the predefined goal.
6. Clean-up
Upon completion of an attack path, the red team operator ensures that any artifacts left by the attack are removed.
Seeking results
Owing to their complex nature, red team exercises are performed over the course of several weeks. Keep in mind that red teamers are mimicking TTPs used by actual threat actors: their goal is to NOT be detected. During the exercise, each phase may trigger different security controls and allow your organization to detect the ongoing attack.
At the start, a stealthy and sophisticated approach is used. As the exercise reaches its end, the level of sophistication is decreased to establish a detection threshold. That threshold is used as a starting point to propose detection improvements. A follow-up report is then prepared to provide clear guidance on the steps you’ll need to take to address the gaps identified during the exercise.
Ultimately, the real-time and hands-on nature of red team exercises will facilitate the identification of gaps in your current detection protocols, as well as any vulnerabilities and misconfiguration that could be used to compromise your environment more easily. Once the exercise is finished, you’ll have a much better understanding of what your detection and response capabilities can and cannot do—and that knowledge will make a world of difference.
Red team exercises aren’t a luxury but a necessity, and an ongoing one. How often does your organization perform them? If you need help, we have the skills and experience to guide you. Learn more here.
